Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Cisco ASA - VPN Question

Cisco ASA - VPN Question

Cisco ASA - VPN Question

I have a group (Active Dir) that people need to be a part of in order to be able to allow VPN access. I do not see any mention of this group in the config. Can someone tell me what I need to look at to find out how this Active Dir group is associated with VPN? I see the group policy and looking through it in the ADSM I still don't see it.

RE: Cisco ASA - VPN Question

It depends. What external authentication server is the ASA using? Is it MS NPS (Radius) or Cisco ACS, Cisco ISE or something else?
Typically the Radius server will check for conditions such as AD group membership as part of the Radius policy so there might be nothing you can see on the ASA. For example on my NPS server I have a policy that checks for the condiditons:
Authentication Type=MS-CHAP v2
NAS Port Type=Virtual (VPN)
Windows Groups = DOMAIN\VPN Users

It could also be done with LDAP using LDAP Attribute Maps.


RE: Cisco ASA - VPN Question

I believe it is LDAP so shouldn't I see that group somewhere in the config

RE: Cisco ASA - VPN Question

If its using LDAP then its probably LDAP Attribute Mappings that you need to look at. In the ASDM GUI go to AAA and look at 'LDAP Attribute Map'. There should be a Map created that maps a LDAP Attribute to a Cisco Attribute.
I have CN's mapped to Group Policies using the 'memberOf' LDAP attribute.

RE: Cisco ASA - VPN Question

Thanks... Looked there and nothing so not sure how its working

RE: Cisco ASA - VPN Question

Probably not LDAP then... Check Radius

RE: Cisco ASA - VPN Question

I am pretty sure there are no radius servers but I will double check.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close