Remote access VPN services can be of great benefit for many organizations. Whether a road-warrior or simply working from home, the services help a workforce stay connected no matter where they happen to be located.
As soon as more than a few users begin using remote access VPN capabilities, administration of the accounts stored locally on the firewall can get cumbersome. Using Active Directory for VPN client authentication can ease the user account administration. Before starting with configurations, the following are needed:
- The IP address of the Active Directory server the firewall will poll
- Login access to the AD/LDAP server
- Username/password credentials on the server that have enough privileges to query other users
- For the purposes of this guide, a Cisco ASA running on version 8.0 at minimum
- Privilege 15 credentials on the ASA
- VPN Client for testing and deployment
- Log in to the Active Directory server. Next, open “Active Directory Users and Computers” under Administrative Tools and select Users.
- Right-click on a user that has privileges to query other AD users (could be the admin account) and select “Properties”. Next, select the “Attribute Editor” tab.
- Scroll down until you see “distinguishedName”. Select this line, then click the “View” button. Depending on the AD group configuration, the information in the “Value:” field will vary. The key point here is to copy the information exactly as it is depicted in your environment; it will be used later to configure the Cisco ASA. This is all the information we need from the server. Click “Cancel” on all windows to avoid any unnecessary changes.
- Log in to the Cisco ASA with command-line (CLI) access. Configure as follows:
!-- Enter configuration mode
ciscoasa#configure terminal
!-- Items in CAPS can be named to your liking. Take note of the name, as it is referenced later
ciscoasa(config)#aaa-server LDAP_SRV_GRP protocol ldap
!-- Be sure to change the IP address to the address of your AD server
ciscoasa(config-aaa-server-group)#aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
!-- Using the information gathered from the server previously, change the 'DC' fields as required
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=______, dc=_____
!-- Using the information gathered from the server previously, enter the full distinguishedName of the account that will be used to query authentication requests. Keep the 'ldap-login-dn' keyword itself
ciscoasa(config-aaa-server-host)#ldap-login-dn CN=test,OU=_______,OU=_______,OU=_______,DC=_______,DC=_______
!-- Enter the password of the account referenced above
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit
!-- Configure the tunnel group to use the new AAA server group
ciscoasa(config)#tunnel-group ExampleGroup2 general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP_SRV_GRP
- Test the functionality with the command:
ciscoasa#test aaa-server authentication LDAP_SRV_GRP host 192.168.1.2 username _____ password ______
If unsuccessful, confirm that the ‘dn’ strings (ldap-base-dn and ldap-login-dn) are configured exactly as copied from the server. Also, be sure the ASA has connectivity to the AD server on the LDAP port.
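The two DN values above are the usual source of a failed test: the base DN must be the DC components of the domain, and the login DN must be the distinguishedName copied verbatim, including any backslash-escaped commas inside a CN. The following helper, an added example and not part of the original guide or Cisco's tooling, parses a copied distinguishedName, derives the base DN from it, and renders the aaa-server block; the sample DN and the `<LDAP_BIND_PASSWORD>` placeholder are constructed, and the optional `ldap-over-ssl enable` / `server-port 636` lines are an addition beyond the guide's configuration.

```python
# Splits an LDAP distinguished name, as copied from the AD "Attribute Editor",
# into (attribute, value) pairs, honouring RFC 4514 backslash escapes such as "\,".
def parse_dn(dn):
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True  # keep the escape so the value round-trips
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

# The search base the ASA needs is the domain-component part of the bind account's DN.
def base_dn_from(dn):
    dcs = [f"dc={v}" for a, v in parse_dn(dn) if a == "DC"]
    if not dcs:
        raise ValueError("distinguishedName contains no DC components")
    return ",".join(dcs)

# Renders the aaa-server block from the guide; the LDAPS lines are an addition so the
# bind password does not cross the network in cleartext on port 389.
def asa_ldap_config(group, host, login_dn, ldap_over_ssl=True):
    lines = [
        f"aaa-server {group} protocol ldap",
        f"aaa-server {group} (inside) host {host}",
        f" ldap-base-dn {base_dn_from(login_dn)}",
        f" ldap-login-dn {login_dn}",
        " ldap-login-password <LDAP_BIND_PASSWORD>",  # placeholder, set at the console
        " ldap-naming-attribute sAMAccountName",
        " ldap-scope subtree",
        " server-type microsoft",
    ]
    if ldap_over_ssl:
        lines += [" ldap-over-ssl enable", " server-port 636"]
    return "\n".join(lines)

# Constructed sample DN with an escaped comma in the CN; a real one is copied from AD.
SAMPLE_DN = r"CN=svc-vpn-ldap\, ro,OU=Service Accounts,OU=Corp,DC=example,DC=local"
if __name__ == "__main__":
    print(asa_ldap_config("LDAP_SRV_GRP", "192.168.1.2", SAMPLE_DN))
```

A dedicated read-only bind account, as in the sample, keeps the credential stored on the ASA from carrying domain-admin rights.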
- Next, open the Cisco VPN client
- Click the “New” button and enter the configuration details. Be sure the “Name:” field matches the tunnel-group configuration on the ASA. Although not covered here, the password field takes the pre-shared key configured for the tunnel. Click “Save” after the appropriate fields are configured.
- Export the new profile and distribute it to users. Typically, the profiles are stored in: C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles. Assuming users already have the VPN client installed, the .pcf file can simply be copied into an email for distribution. They will have to save the file and then import it using the VPN client software.
When a user attempts to use this new profile, they will be prompted for the username and password. Using their AD credentials should now grant them the access needed.