ASA+ANYCONNECT+LDAP AUTH

alessandro.dona
Level 3

Hi Guys,

I should create a remote access (AnyConnect) setup using mixed local and LDAP authentication.

Some users should authenticate using local credentials, others using LDAP credentials.

I have a couple of questions:

1) Can I force the ASA to check LDAP and then, if the user does not exist, check the local database?

2) How can I map a user in LDAP to a connection profile?

Regards

3 Replies

Marvin Rhoads
Hall of Fame

You cannot fail over from one authentication type to another. You have to make two connection profiles, one for each authentication type.

The VPN Wizard in ASDM will walk you through the necessary steps.

Hi Marvin,

thank you for your kind reply.

I know I have to create two profiles, and I did.

My problem is that the ASA always checks the local database, and in order to match AD I have to use aliases and set the flag "allow user to select connection profile, identified by its alias".

Is it the only way?

May I force the ASA to check LDAP and not LOCAL for web auth?

Regards

alessandro 

Generally a given connection profile (aka tunnel group) uses one kind of authentication. (Although we can also opt to use two-factor authentication, we are not considering that here.)

If you want to have some users use LDAP and other users use local authentication (username and password predefined on the ASA), then you need two separate connection profiles.

When I do this, I normally make the one used by the majority of users show up at the top of the drop down list by giving it a name like "1 - Employee VPN". We can then call the other something like "2 - Admin VPN".

The profile setup for LDAP authentication is described in many documents. Here is a good one from a Cisco engineer:

https://supportforums.cisco.com/document/9879156/configure-anyconnect-ldap-authentication

For your second profile just give it a local authentication type and its own unique name.
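As an added illustration of the two-profile layout described in this thread (this is example configuration written for this page, not configuration posted by the thread participants or taken from the linked Cisco document), the ASA CLI below defines one LDAP-backed connection profile and one LOCAL-backed profile, each with its own alias, and enables the alias drop-down on the login page. The server address, base DN, service-account DN, group DN, group-policy and tunnel-group names, and the local username are placeholders; the aliases use hyphens instead of spaces so they can be typed on the CLI without quoting. The `ldap attribute-map` maps an AD `memberOf` value to a group policy, which is one way to tie LDAP group membership to a VPN policy, and `group-lock` on the local user keeps that account from logging in through the LDAP profile.

```cisco
! --- LDAP server used only by the employee profile ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-MAP
!
! --- map an AD group (memberOf) onto an ASA group policy ---
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=example,DC=com EMPLOYEE-GP
!
group-policy EMPLOYEE-GP internal
group-policy EMPLOYEE-GP attributes
 vpn-tunnel-protocol ssl-client
!
group-policy ADMIN-GP internal
group-policy ADMIN-GP attributes
 vpn-tunnel-protocol ssl-client
!
! --- profile 1: authenticates against LDAP ---
tunnel-group EMPLOYEE-VPN type remote-access
tunnel-group EMPLOYEE-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEE-VPN webvpn-attributes
 group-alias 1-Employee-VPN enable
!
! --- profile 2: authenticates against the local user database ---
tunnel-group ADMIN-VPN type remote-access
tunnel-group ADMIN-VPN general-attributes
 authentication-server-group LOCAL
 default-group-policy ADMIN-GP
tunnel-group ADMIN-VPN webvpn-attributes
 group-alias 2-Admin-VPN enable
!
! --- local admin account, restricted to the LOCAL-backed profile ---
username vpnadmin1 password <local-password>
username vpnadmin1 attributes
 group-lock value ADMIN-VPN
!
! --- show the alias drop-down so the user picks the profile ---
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

With `tunnel-group-list enable` the client sees the two aliases and the leading "1-" / "2-" keeps the employee profile at the top of the list, as suggested above. Because each tunnel group names exactly one `authentication-server-group`, there is no fallback from LDAP to LOCAL within a profile; the user's choice of alias is what selects the authentication source.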