Wednesday, November 23, 2011

Cisco ASA 5500 Active Directory Integration

Today I needed to enable an extra layer of security for a Cisco ASA VPN (ASA 5500 series appliance - should work on 5505, 5510, 5520, 5540, 5550, etc...).  I needed to require the user to enter their Active Directory domain credentials to connect to a Cisco IPsec VPN, for better security.

I worked this out from inside the ASA's ASDM software.


  1. Add an AAA server group for Active Directory authentication (under Configuration --> Remote Access VPN --> AAA/Local Users --> AAA Server Groups).
  2. Choose a name, and pick protocol: LDAP. Everything else here is fine.
  3. Now that you have your server group, highlight it in ASDM, and in the bottom half of the screen, add a server to the group.  This is where things get tricky!
    • Choose what interface the server is off of, put in the server's IP, and fill out the rest of the details as shown below.  This server must be a domain controller!
    • For Base DN, you should enter your AD domain name, in the format DC=DOMAIN,DC=COM (or local, or whatever)
    • Scope should be set to All levels beneath the Base DN, if you want it to be able to find all of your user accounts.
    • Naming attribute should be sAMAccountName
    • For Login DN, enter the path to an account with the correct privliges to read the required information.  I don't have specific details on this - I just used a domain admin account (I know, I know).  The format should be CN=UserAccount,CN=ThisUsersOU,DC=YourDomain,DC=COM (if the user account is several OUs deep, you'll need to add a CN= entry for each OU, in the correct order - starting with the one that the user is in).
    • Test the server using the Test button, after you click OK!
  4. Now that the group is set up, we need to configure some profiles to use this group!  Inside ASDM, navigate to Configuration --> Remote Access VPN --> Network (Client) Access --> IPsec Connection Profiles.
  5. Edit the profile you want to change to require AD authentication.
    • On the first page (Basic), change the Server Group (under the User Authentication section on the right side) to the group you just created.
    • On the Advanced --> General page, Make sure nothing is checked here - everything should be unchecked and set to --None--
    • Under Advanced --> IPsec --> IKE Authentication, set the Default Mode to XAUTH (Extended user authentication).  This is what forces a login prompt when users connect.  The checkbox here doesn't need to be checked.
    • Nothing else should need to be changed (from defaults) in any other pages.  Click OK, then test it using a VPN client!!!
  6. That's it.  Let me know if you run into any issues or have any suggestions!


2 comments:

  1. Awesome....I read a few tutorials online and couldn't quite get it to work for me. The IKE Authentication piece is what I was missing. Thanks so much for the information!

    ReplyDelete
  2. More detailed guide on using this program on this website. Follow the link.

    ReplyDelete