ASA user authentication with Active Directory

Most often we Cisco guys use RADIUS or TACACS+ when we need to authenticate users. But did you know that authenticating VPN users against a user database in Active Directory doesn't require IAS, ACS or any third-party software at all? In fact the ASA has several built-in ways to talk to AD.

I have tried them in my home lab by using an ASA firewall and a Windows 2003 Server with Active Directory installed.

LDAP

aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 192.168.1.51
 ldap-base-dn CN=Users,DC=kvistofta,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=admin,CN=Users,DC=kvistofta,DC=local
 server-type microsoft

Verification:

FW(config)# test aaa authen KERBEROS host 192.168.1.51 username vpnuser passwo$
INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds)
INFO: Authentication Successful
FW(config)# test aaa authen LDAP host 192.168.1.51 username vpnuser password 1$
INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds)
[75] Session Start
[75] New request Session, context 0xd5954260, reqType = 1
[75] Fiber started
[75] Creating LDAP context with uri=ldap://192.168.1.51:389
[75] Connect to LDAP server: ldap://192.168.1.51:389, status = Successful
[75] supportedLDAPVersion: value = 3
[75] supportedLDAPVersion: value = 2
[75] Binding as administrator
[75] Performing Simple authentication for admin to 192.168.1.51
[75] LDAP Search:
Base DN = [CN=Users,DC=kvistofta,DC=local]
Filter = [sAMAccountName=vpnuser]
Scope = [SUBTREE]
[75] User DN = [CN=vpnuser,CN=Users,DC=kvistofta,DC=local]
[75] Talking to Active Directory server 192.168.1.51
[75] Reading password policy for vpnuser, dn:CN=vpnuser,CN=Users,DC=kvistofta,DC=local
[75] Read bad password count 0
[75] Binding as user
[75] Performing Simple authentication for vpnuser to 192.168.1.51
[75] Processing LDAP response for user vpnuser
[75] Authentication successful for vpnuser to 192.168.1.51
[75] Retrieved User Attributes:
[75] objectClass: value = top
[75] objectClass: value = person
[75] objectClass: value = organizationalPerson
[75] objectClass: value = user
[75] cn: value = vpnuser
[75] givenName: value = vpnuser
[75] distinguishedName: value = CN=vpnuser,CN=Users,DC=kvistofta,DC=local
[75] instanceType: value = 4
[75] whenCreated: value = 20100706114926.0Z
[75] whenChanged: value = 20100706114926.0Z
[75] displayName: value = vpnuser
[75] uSNCreated: value = 13726
[75] uSNChanged: value = 13731
[75] name: value = vpnuser
[75] objectGUID: value = ..1....O.c.v....
[75] userAccountControl: value = 66048
[75] badPwdCount: value = 0
[75] codePage: value = 0
[75] countryCode: value = 0
[75] badPasswordTime: value = 0
[75] lastLogoff: value = 0
[75] lastLogon: value = 129228917453688826
[75] pwdLastSet: value = 129228905663476095
[75] primaryGroupID: value = 513
[75] objectSid: value = .............LP...r{..."S...
[75] accountExpires: value = 9223372036854775807
[75] logonCount: value = 5
[75] sAMAccountName: value = vpnuser
[75] sAMAccountType: value = 805306368
[75] userPrincipalName: value = vpnuser@kvistofta.local
[75] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=kvistofta,DC=local
[75] Fiber exit Tx=547 bytes Rx=2053 bytes, status=1
[75] Session End
INFO: Authentication Successful
FW(config)#
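As an added example (not part of the original post), the Python script below reads the attribute lines from the LDAP debug output above and decodes the values a reviewer should care about: the userAccountControl bits, the pwdLastSet FILETIME and whether accountExpires is set to "never". The sample input is a constructed excerpt of the output shown above; the flag names follow Microsoft's userAccountControl documentation, and the parsing is my own, not anything the ASA does.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the ASA LDAP debug output shown on this page.
ASA_DEBUG = """\
[75] Authentication successful for vpnuser to 192.168.1.51
[75] Retrieved User Attributes:
[75] sAMAccountName: value = vpnuser
[75] userAccountControl: value = 66048
[75] badPwdCount: value = 0
[75] pwdLastSet: value = 129228905663476095
[75] accountExpires: value = 9223372036854775807
[75] whenCreated: value = 20100706114926.0Z
"""

# Subset of userAccountControl bits (MS-ADTS) relevant to a VPN account review.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires value AD uses for "never"
ATTR_RE = re.compile(r"^\[\d+\] (\w+): value = (.+)$")

def parse_attributes(debug_text):
    """Collect 'name: value' pairs from the [n]-prefixed attribute lines."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs

def decode_uac(value):
    """Names of the known userAccountControl bits that are set."""
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def filetime_to_utc(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(seconds=int(value) // 10_000_000)

def review_account(debug_text):
    """Summarise what the ASA learned about the account and flag weak settings."""
    a = parse_attributes(debug_text)
    flags = decode_uac(a["userAccountControl"])
    return {"user": a["sAMAccountName"], "flags": flags,
            "pwd_last_set": filetime_to_utc(a["pwdLastSet"]).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "never_expires": int(a["accountExpires"]) == NEVER,
            "findings": sorted(f for f in flags if f != "NORMAL_ACCOUNT")}
```

For the output above this reports DONT_EXPIRE_PASSWORD on the VPN account and a pwdLastSet of 2010-07-06T11:49:26Z, which matches the whenCreated timestamp the ASA also retrieved.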

KERBEROS

aaa-server KERBEROS protocol kerberos
aaa-server KERBEROS (outside) host 192.168.1.51
 kerberos-realm KVISTOFTA.LOCAL

Verification:

FW(config)# test aaa authen KERBEROS host 192.168.1.51 username vpnuser passwo$
INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds)
kip_lookup_by_sessID: kip with id 76l not found
Kerberos library reports: "Additional preauthentication required"
INFO: Authentication Successful
FW(config)#

NT Domain

aaa-server NT protocol nt
aaa-server NT (outside) host 192.168.1.51
 nt-auth-domain-controller kvistofta

Verification:

FW(config)# test aaa auth NT host 192.168.1.51 username vpnuser password 1qaz!$
INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds)
smb_iod_request :
smb_iod_process_message :
smb_iod_negotiate : iod_state = No connect
smb_iod_negotiate : tcreate
smb_iod_negotiate : bind
smb_iod_negotiate : tconnect
smb_iod_addrq :
smb_iod_sendrq : iod_state = transport active
smb_iod_waitrq :
smb_iod_removerq :
smb_iod_negotiate : completed
smb_iod_process_message :
smb_iod_thread : going to sleep for 2 secs 0 nsecs
smb_iod_process_message :
smb_iod_thread : going to sleep for 2 secs 0 nsecs
smb_iod_request :
smb_iod_process_message :
smb_iod_ssnsetup : iod_state = unknown stat(3)
smb_iod_addrq :
smb_iod_sendrq : iod_state = unknown stat(4)
smb_iod_waitrq :
smb_iod_removerq :
smb_iod_ssnsetup : completed
smb_iod_process_message :
smb_iod_thread : going to sleep for 2 secs 0 nsecs
smb_iod_process_message :
smb_iod_thread : going to sleep for 2 secs 0 nsecs
Connected to VPNUSER
smb_iod_request :
smb_iod_process_message :
smb_iod_addrq :
smb_iod_sendrq : iod_state = session established
smb_iod_waitrq :
smb_iod_removerq :
smb_iod_process_message :
smb_iod_thread : going to sleep for 2 secs 0 nsecs
smb_iod_request :
smb_iod_process_message :
INFO: Authentication Successful
FW(config)#
