Recommendations for VPN authentication
So, now that Cisco has helped me get the VPN working on my ASA 5525-X, I need to use Active Directory for the authentication/grouping of users across several AnyConnect profiles.
My question is: what is the simpler and more effective way of setting this up? I have a Windows Server 2012 R2 NAP server that is used to authenticate the AD users for access to the switches. Should I use that for the ASA as well, or can I point the ASA directly at AD?
A reminder to those who have not seen my posts: I'm very new to the ASA and need to get this up and running quickly... Any help/suggestions would be greatly appreciated.
Thank you
Stacey
Hi Stacey,
You can point the ASA directly at the Windows server; it uses the LDAP protocol. You will need to configure the ASA like this:
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host XXXXXXXXX  --> IP address of the server
 ldap-base-dn DC=vpn,DC=also,DC=com  --> where users are stored
 ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=also,DC=com  --> the entire AD tree
 ldap-login-password *  --> the administrator password
 ldap-naming-attribute sAMAccountName
 ldap-scope subtree
 server-type microsoft
Now you need to get the login DN and the base DN. Then, in AD, you need to create several user groups and divide the users into different authorization levels, e.g. salespeople, employees...
You can test the authentication with this command:
test aaa-server authentication LDAP-SRV host XXXXXX username XXXXX password XXXX
and see whether it fails; if it does, you can troubleshoot from there.
You can then configure LDAP attribute mapping to map an AD user group to a group-policy on the ASA.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Let me know how it goes!
Please don't forget to rate and mark the helpful post as correct!
David Castro,
Kind regards
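As an added example (not from David's post or from Cisco's documentation), here is what the attribute mapping he refers to looks like in ASA 9.x syntax, with the check a practitioner usually wants: a catch-all NOACCESS policy so that an AD user who authenticates but is in none of the mapped groups is refused, and LDAP over SSL so that the bind credentials and user passwords do not cross the inside network in clear text. The group DNs, policy names and the 192.0.2.10 server address are assumptions; only the base DN, login DN and server tag come from the post above.

```text
! Added example, ASA 9.x syntax. Group-policies: one per AD group, plus a
! catch-all that denies logins (vpn-simultaneous-logins 0 = no sessions allowed)
group-policy GP-Sales internal
group-policy GP-Sales attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
group-policy GP-Employees internal
group-policy GP-Employees attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Map the AD memberOf attribute onto the ASA Group-Policy attribute.
! Group DNs below are assumed; use the real DNs from your directory.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Sales,OU=Groups,DC=vpn,DC=also,DC=com GP-Sales
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=vpn,DC=also,DC=com GP-Employees
!
! LDAP server definition; 192.0.2.10 is a placeholder address.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=vpn,DC=also,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=also,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD-GROUP-MAP
!
! Tunnel-group: authenticate against LDAP, fall back to NOACCESS when
! no map-value matched (i.e. the user is in none of the mapped groups)
tunnel-group AnyConnect general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy NOACCESS
```

Two caveats: a user who is a member of more than one mapped group gets whichever matching memberOf value the ASA processes first, so keep the VPN groups disjoint or order them deliberately; and test each group with test aaa-server authentication and debug ldap 255 before cutting over, checking that a user in an unmapped group is actually refused rather than silently landing in DfltGrpPolicy.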
Tags: Cisco Security
Similar Questions
-
Hello
I would like to ask a few details & concerns on our existing VPN configuration.
1. What is the Cisco VPN client recommended for Windows 7 and 8 users? Is there official Cisco documentation for this? We currently use Cisco VPN Client 5.0.7.
2. We are running IPsec VPN with only 1 gateway and only local authentication (no ACS) for our client. Recently, some of them have complained that their VPN connection drops. Whereas if I'm the one connected to the VPN, my connection is stable. Is there anything we should consider on the network side? Is there a better configuration or solution that we could recommend to the customer, such as SSL VPN?
3. If we want to use AnyConnect Secure Mobility SSL VPN and we want to implement redundancy on the FW, how will the licensing work?
Thank you!
An AnyConnect-based VPN is the recommended replacement for IPsec remote access VPN. (source)
AnyConnect can use SSL or IPsec (IKEv2) for transport.
For redundant ASA firewalls (running 8.3(1) or later), any AnyConnect licenses required are shared between them, i.e. you only buy licenses for one member of the HA pair. (source)
-
Traffic permitted only one-way for VPN-connected computers
Hello
I currently have an ASA 5505. I set it up as a remote access SSL VPN. My computers can connect to the VPN just fine. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN. It seems that traffic is allowed only one way. I messed around with ACLs with no luck. Any suggestions please?
DHCP pool: 192.168.250.20-50  --> for the LAN
VPN pool: 192.168.250.100 and 192.168.250.101
Outside interface gets DHCP from the modem
Inside interface: 192.168.1.1
Current running config:
: Saved
:
ASA Version 8.2(5)
!
hostname HardmanASA
enable password # encrypted
passwd # encrypted
names
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello
No worries.
While we're changing the config, I'd do the following as well.
First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:
no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0
Then give it a try, and if it works, rate this post hehe
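As an added example (not the poster's config or the reply above), here is the complete 8.2-syntax block that results from that change, together with two additions a practitioner normally wants on a setup like this: a split-tunnel ACL, so that only LAN traffic enters the tunnel and the clients' internet traffic is not silently dropped for lack of a NAT rule, and management-access inside, so that VPN clients can ping or SSH the inside interface itself (which the poster could not). The pool size, the GP-AnyConnect name and the SPLIT_TUNNEL ACL name are assumptions; addresses match the thread.

```text
! Added example, ASA 8.2 syntax. Separate pool for VPN clients,
! outside the 192.168.250.0/24 LAN so the ASA can route between them
ip local pool VPN_Pool 192.168.251.100-192.168.251.110 mask 255.255.255.0
!
! NAT exemption for LAN <-> VPN traffic (8.2 "nat 0" form); without it the
! inside-to-outside PAT rule would rewrite replies to the VPN clients
access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0
!
! Split tunnel: only the LAN is routed through the tunnel (assumed ACL name)
access-list SPLIT_TUNNEL standard permit 192.168.250.0 255.255.255.0
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 8.8.8.8
tunnel-group AnyConnect general-attributes
 address-pool VPN_Pool
 default-group-policy GP-AnyConnect
!
! Lets VPN clients reach the inside interface address (ping, SSH, ASDM);
! the existing "ssh ... inside" and "http ... inside" statements still apply
management-access inside
```

No outside-interface ACL change is needed for this: on 8.2 the default sysopt connection permit-vpn lets decrypted VPN traffic bypass the interface ACL. If you want the VPN clients filtered, add a vpn-filter to the group-policy rather than relying on the outside ACL.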
-
AAA for VPN - Kerberos, LDAP or an NT domain?
All,
After a bit of feedback on what you think is the best AAA authentication method for VPN clients authenticating against a Windows domain for remote access.
I have always used "NT Domain" because it seems to roughly correspond to the NT auth I used to use on the old concentrators. However, I (finally) decided to take a look at Kerberos and LDAP, since they must have been added for a reason...
As far as I can tell, LDAP adds the ability to search AD a little more finely (base DN), but that's all. Am I missing something? Is there more reason to use LDAP or Kerberos over domain auth?
Which is more reliable? What do you guys use?
See you soon!
Either is reliable. You can map users into different group policies or apply different DAP policies based on their group membership. If you are doing basic authentication, then your method is still the best way to go.
Thank you
Tarik Admani
* Please rate helpful posts *
-
LOCAL + RSA VPN authentication?
Hi... we have a customer using an ASA 5520 8.2(2) for VPN (webvpn) connections. Currently, they use usernames/passwords configured locally for authentication (it's the default, there is no explicit LOCAL configuration).
They would like to use their RSA security appliance, but not for all users at once. Is it possible to use both the local database and RSA as authentication sources, i.e. if there is no local user name configured, try RSA (or vice versa)?
Thank you
Jim
The ASA can't do that natively, fallback authentication being quite limited on the ASA. There are two possibilities to solve this:
(1) use an external server which can chain these authentication stores (ACS or ISE may be used). But it is a rather expensive solution.
(2) build more tunnel-groups with different authentication settings and ask your users to use a particular one.
Sent from Cisco Technical Support iPad App
-
Recommendation for installation of small business
I have a small remote site that is running two physical servers. Neither server is very active, and both were installed in 2002 and need to be retired. I'll migrate the physical servers and put them on VMware. I think it makes sense to have two low-end servers and replicate between them. I'm looking for recommendations for setting this up as economically as possible.
On another similar site, here's what I did: two servers, each with a quad core processor and 10 internal SATA drives in RAID. Both running ESX 3.5 Foundation. I have Veeam Backup and Replication replicating between the two servers. That is, four VMs total: two run on each server and replicate to the other. If a server fails, the other server will run all four VMs. I did all of this for about $9k.
Is there another approach in this ballpark which makes more sense? Any suggestions are appreciated.
Hello
I set up an office in a box and use one of the backup tools (Veeam Backup, vRanger, PHD Virtual) to back up the remote office to the local office every night. This way, if there is a problem, all you send them is a new box with all their data restored. Or they restore it if necessary. For only 2 virtual machines, replication between two hosts at the remote office looks like a bit of overkill.
If the host dies you have them replicated to the local office and people can use a VPN to access the data in an emergency. 1 host with a NAS for local backup also sounds pretty good.
It's more a backup/DR/business continuity problem, and you can look at it from the perspective of those tools.
Best regards
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice analyst (http://www.virtualizationpractice.com)
Now available: "VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment" (http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security)
Also available: "VMware ESX Server in the Enterprise" (http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise)
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears (http://www.astroarch.com/blog) | Top Virtualization Security Links (http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links) | Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)
-
What is the display screen color recommended for fine arts
I need to send pictures of my works so, what color recommended for my screen?
Each monitor will interpret colors according to its local RGB settings. An LCD monitor displays colors this way, by combining red, green and blue LEDs (light emitting diodes). It is an additive color model in which red, green and blue are added together in various ways to reproduce a wide range of colors.
You have no control over other people's screen settings.
Making it look good on yours is the best you can do.
If you want to print, CMYK is a subtractive color model used in color printing, where you have control of the finished product.
-
I get a "recommended for you" popup even though I ran antivirus and anti-malware programs and they say they removed it.
I also get audio playing when I connect to some sites, even if only one tab is open.
The Reset Firefox feature can fix many problems by restoring Firefox to its factory default state while saving your essential information.
Note: This will make you lose all your extensions, open websites and preferences. To reset Firefox, perform the following steps:
- Go to Firefox > Help > Troubleshooting Information.
- Click on the 'Reset Firefox' button.
- Firefox will close and reset. After Firefox is finished, it will display a window with the imported information. Click Finish.
- Firefox opens with all the default settings applied.
More information can be found in the article Refresh Firefox - reset add-ons and settings.
Did this solve your problems? Please report back to us!
-
Recommendations for the best 3D modeling App / program?
Does anyone have a recommendation for the best 3D modeling application / program?
(More for creative work rather than game animation and computer work)
Thank you
Hello
I love Autodesk Inventor, but you need to use BOOTCAMP or VMWare/Parallels to run it because it only works with Windows.
Cheers,
Adam
-
Recommendations for a good cleaner liquid screen and type/brand of cleaning rags?
Recommendations for a good cleaner liquid screen and type/brand of cleaning rags?
Or are alcohol wipes okay? (Like the ones you get in a closed container and pull through a hole on top)?
The safest method of cleaning the screen is to use a thin cloth (glasses cleaning cloth) moistened with distilled water. NO ALCOHOL.
I have used this successfully:
http://www.Windex.com/en-us/products/pages/electronic-cleaner-and-wipes.aspx
Ciao.
-
Recommendations for a password manager App / extension safari?
Does anyone have recommendations for a password manager app / Safari extension?
"1Password" seems to be very well rated, but is quite expensive for what it does.
Is there something cheaper that works as well or nearly so?
Thank you
One possibility is Apple's built-in iCloud Keychain: Frequently asked questions about iCloud Keychain - Apple Support
I don't use it myself, but only because I need something that also works on Windows as well as OS X and iOS. I use Dashlane because it's that good: https://www.dashlane.com/
-
What are some recommendations for software for business presentations?
What are some recommendations for business presentation software? I want to organize slides (with visuals and text). I would also like to be able to create folders of files. I searched and have not found any. Thanks in advance for suggestions.
Microsoft PowerPoint (version 2016) - paid or by subscription
Keynote (made by Apple) - free
-
Satellite A300 - 25 k - BIOS v2.00 is recommended for Win7?
Are BIOS v2.00, published on 11-04-09, and the Win7 drivers recommended for the upgrade of the A300-25K (PSAGCE) to Windows 7?
Improvements and benefits are not described on the download website. :-(
Any reports on the pros and cons of BIOS v2.00, or experiences so far?
Just FYI: on my Satellite A300-1LI, I still have 1.40 and Win7 works perfectly.
In any case, I think I'll update the BIOS in the coming days.
-
What is the recommended recovery process for El Capitan?
What is the recommended recovery process for El Capitan?
I just upgraded directly from Mountain Lion, and I see that my Recovery disk has disappeared. My Recovery Disk Assistant is only good for Lion and Mountain Lion. I searched Apple.com and found a complicated process by which I could use the Console and create a boot disk with the reinstall option, but I can't believe this is the recommended option for a common user?
So is Time Machine a thing of the past? I noticed that it is dimmed in the menu bar.
Certainly, you can restore El Capitan as you would with any other version of OS X, using the Recovery HD. I have no idea why your Recovery HD disappeared. Usually this is caused by user error. However, you can create a standalone OS X installer on a USB flash drive for emergency use. This has been an option since at least Mavericks:
Make your own El Capitan flash drive installer using the El Capitan tool:
You can create an El Capitan flash drive installer via the Terminal. El Capitan has its own built-in installer maker that you use via the Terminal:
You'll need a freshly partitioned and formatted USB flash drive of at least 8GB. Leave the name of the flash drive at the system default, "Untitled." Do not change this name. Be patient, as the full process will take some time.
Open the Terminal in the Utilities folder. Copy and paste the following line in its entirety into the Terminal window.
sudo /Applications/Install\ OS\ X\ El\ Capitan.app/Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ El\ Capitan.app
Press RETURN, enter the admin password (it will not echo to the window), then press RETURN again.
You must have the installer in your Applications folder or change the paths in the command line above.
You can do the same thing for Yosemite by substituting the appropriate installer in the above command line:
Make your own Yosemite flash drive installer using the Yosemite tool:
You can create a Yosemite flash drive installer via the Terminal. Yosemite has its own built-in installer maker that you use via the Terminal:
You'll need a freshly partitioned and formatted USB flash drive of at least 8GB. Leave the name of the flash drive at the system default, "Untitled." Do not change this name. Be patient, as the full process will take some time.
Open the Terminal in the Utilities folder. Copy and paste the following line in its entirety into the Terminal window.
sudo /Applications/Install\ OS\ X\ Yosemite.app/Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ Yosemite.app
Press RETURN, enter the admin password (it will not echo to the window), then press RETURN again.
You must have the installer in your Applications folder or change the paths in the command line above.
In addition, for Yosemite and earlier you can try using DiskMaker X.
-
-
Recommendation for a laptop bag that is suitable for Qosmio X 770
Does anyone have recommendations for a laptop bag that fits a Qosmio X770?
One that I found before was not very good and didn't have much padding on the bottom; when I sat my laptop bag on the ground with the laptop in it, I happened to set it on a stone and broke the fan cover.
I'm looking for a backpack-style bag with decent padding to protect this fragile/expensive beast.
Thank you
Graeme
In my view, a common laptop backpack for 17.3" laptops should be good enough.
I'm using a laptop backpack and I'm quite happy with it.