Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication



Similar documents
Configuring SSL VPN on the Cisco ISA500 Security Appliance

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

Configuring Sponsor Authentication

Chapter 3 Authenticating Users

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

netld External Authentication Setup Guide

Security Provider Integration RADIUS Server

Integrating Autotask Service Desk Ticketing with the Cisco OnPlus Portal

Configuring Global Protect SSL VPN with a user-defined port

DIGIPASS Authentication for Cisco ASA 5500 Series

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

DIGIPASS Authentication for GajShield GS Series

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

Symbian User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.4

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

DIGIPASS Authentication for SonicWALL SSL-VPN

Management, Logging and Troubleshooting

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Single Sign-On in SonicOS Enhanced 4.0

INTEGRATION GUIDE. DIGIPASS Authentication for F5 FirePass

Easy and Secure Remote Access with Cisco QuickVPN

Single Sign-On. Document Scope. Single Sign-On

Cisco ASA Authentication QUICKStart Guide

Colubris TechNote. Testing and Troubleshooting Active- Directory. Revision 1.3 Mar Author: Dave Leger

If you have questions or find errors in the guide, please, contact us under the following address:

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

DIGIPASS Authentication for Check Point Security Gateways

Integrating LANGuardian with Active Directory

Using Cisco UC320W with Windows Small Business Server

Sample Configuration: Cisco UCS, LDAP and Active Directory

Fireware How To Authentication

IIS, FTP Server and Windows

PineApp Surf-SeCure Quick

Juniper SSL VPN Authentication QUICKStart Guide

External Authentication with Netscreen 25 Remote VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

SSL VPN Portal Options

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Mikrotik Router OS - Setup and Configuration Guide for Aradial Radius Server

WirelessOffice Administrator LDAP/Active Directory Support

Security Assertion Markup Language (SAML) Site Manager Setup

Configuring and Using the TMM with LDAP / Active Directory

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

HP Device Manager 4.7

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Implementation Guide for. Juniper SSL VPN SSO with OWA. with. BlackShield ID

Managing Identities and Admin Access

Using different Security Policies on Group Level for AD within one Portal. SSL-VPN Security on Group Level. Introduction

Configuring Single Sign-on for WebVPN

DIGIPASS Authentication for Check Point Connectra

Scenario: IPsec Remote-Access VPN Configuration

How to Connect SSTP VPN from Windows Server 2008/Vista to Vigor2950

How to Join QNAP NAS to Microsoft Active Directory (AD)

Managing Users and Identity Stores

University of Central Florida UCF VPN User Guide UCF Service Desk

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

SSL SSL VPN

Remote Access Technical Guide To Setting up RADIUS

Configuring Microsoft RADIUS Server and Gx000 Authentication. Configuration Notes. Revision 1.0 February 6, 2003

Strong Authentication for Juniper Networks SSL VPN

For more information refer: UTM - FAQ: What are the basics of SSLVPN setup on Gen5 UTM appliances running SonicOS Enhanced 5.2?

Integration Guide. Swivel Secure Authentication

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

User Identification and Authentication

LDAP User Guide PowerSchool Premier 5.1 Student Information System

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

Configuring Avaya 1120E, 1140E, 1220 and 1230 IP Deskphones with Avaya IP Office Release 6.1 Issue 1.0

Microsoft Active Directory Authentication with SonicOS 3.0 Enhanced and SonicOS SC 1.0 (CSM 2100CF)

Security Provider Integration LDAP Server

How to Logon with Domain Credentials to a Server in a Workgroup

Global VPN Client Getting Started Guide

EMR Link Server Interface Installation

Version 9. Active Directory Integration in Progeny 9

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Chapter 9 Monitoring System Performance

Accessing the Media General SSL VPN

Content Filtering Client Policy & Reporting Administrator s Guide

User Management Guide

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

ZyWALL OTPv2 Support Notes

Strong Authentication for Cisco ASA 5500 Series

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Cisco RV 120W Wireless-N VPN Firewall

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

DIGIPASS Authentication for Juniper ScreenOS

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Defender Token Deployment System Quick Start Guide

Transcription:

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication This application note describes how to authenticate users on a Cisco ISA500 Series security appliance. It includes these sections: Configuring Active Directory/LDAP Authentication Configuring RADIUS Server Authentication Troubleshooting For More Information User authentication is a way of identifying the user and verifying that the user is allowed to access restricted services. With authentication, a user can login to the network from any computer but can access only those resources for which they are authorized. You can configure the ISA500 as a local authentication server, or choose from one or more authentication server types such as the Lightweight Directory Access Protocol (LDAP), or RADIUS servers as shown here. Configuring Active Directory/LDAP Authentication The section describes how to configure the authentication using Active Directory through LDAP for the ISA500. It includes these sections: Configuring an Active Directory Server Configuring LDAP authentication Before you begin, download and install the Cisco AnyConnect Client. This client is used to establish the SSL VPN tunnels and provides users with a secure VPN connection to the ISA500. For more information, see: http://www.cisco.com/en/us/products/ps8411/tsd_products_support_series_home.html Configuring an Active Directory Server Active Directory (AD) is the Microsoft Windows-based application of an LDAP directory structure. Active Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level and keeps information and settings in a central, easy-to-access database. You can configure an Active Directory server so that SSL VPN Clients can authenticate to the ISA500 with their current network credentials. Figure 1 shows the ISA500 in an Active Directory topology. 2012 Cisco Systems, Inc. All rights reserved. Page 1 of 16

Figure 1 ISA500 in an Active Directory Topology Internal server ISA500 SSL VPN Client AD server 285388 NOTE Before you begin, make sure that the Active Directory server is configured and is working properly. Step 1. Configure an SSL VPN Group Policy. SSL VPN Policies give you control over which resources are accessed by certain SSL VPN groups and users. In this example, we created an SSL VPN Group policy SSLVPNPOLICY1 and added a new group ADGroup that share this same policy. a. Choose VPN > SSL Remote User Access > SSL VPN Group Policies. b. Specify a name for the new policy. For example: SSLVPNPOLICY1. c. Enter the Primary and Secondary DNS and WINS IP addresses. d. Click OK to save your settings. Step 2. Add a User Group. a. Choose Users > Users and Groups. b. Click Add. 2012 Cisco Systems, Inc. All rights reserved. Page 2 of 16

c. Enter a name for the user group. For example: ADGroup. d. Choose the group policy you just created from the SSL VPN drop-down menu. For example: SSLVPNPOLICY1. e. Click OK to save your settings. Step 3. Create an Active Directory domain. In the following example the Active Directory domain is shiner2008.org. 2012 Cisco Systems, Inc. All rights reserved. Page 3 of 16

Step 4. Create an account in the Windows Active Directory server. In the following example, an account was created named test that was assigned LDAP read privileges. Configuring LDAP authentication Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP is an openstandard protocol for using online directory services and operates with Internet transport protocols, such as TCP. You can use an LDAP server to authenticate your users with the ISA500. a. Select Users > Users Authentication. b. Choose LDAP from the drop-down menu and click Configure. 2012 Cisco Systems, Inc. All rights reserved. Page 4 of 16

I c. Specify the LDAP configuration settings IP Address: Enter the LDAP IP address of the Windows Active Directory server. Port Number: Enter the port number of the LDAP server. The default port number is TCP 389. Login Method: - If the LDAP server supports anonymous access, select the Anonymous Login option. - If you select Give Login Name or Location in Tree, enter the Login User Name and Login Password. The Login username must match the account name and have LDAP read privileges. - If you select Give Bind Distinguished Name, provide the full destination name explicitly to be used to bind to the LDAP server. In this example, the destination name is shown as: cn=test,cn=users,dc=shiner2008,dc=org. 2012 Cisco Systems, Inc. All rights reserved. Page 5 of 16

Protocol version: Choose the LDAP version from the drop-down list. Check your LDAP server for the version. Most LDAP servers, including Microsoft Active Directory, support LDAP version 3. Step 5. Click the Schema tab. The following example shows the Microsoft Active Directory Schema with the default values applied. 2012 Cisco Systems, Inc. All rights reserved. Page 6 of 16

Step 6. Step 7. Click OK to save your settings. Click the Directory tab. Step 8. Enter the following information: Primary Domain: Input the user domain. All domain components use dc=. In this example the primary domain is: dc=shiner2008,dc=org User tree for Login to Server: Specify the user tree that is used to log into the LDAP server. You can only edit this option if you choose Give Login Name or Location in Tree in the Settings tab. Step 9. Click the LDAP Users tab. 2012 Cisco Systems, Inc. All rights reserved. Page 7 of 16

Step 10. Enter the following information: Allow Only Users Listed Locally: Click On to allow only the LDAP users who also are present in the local database to login. Choose Users > Users and Groups to view the local database configuration. Default LDAP User Group: Choose a local user group as the default group to which the LDAP users belong. If the group does not exist in the local database when retrieving the user group information from the LDAP server, the LDAP user is automatically set to the specified local user group. Step 11. In the Test tab, enter the user s credentials in the User and Password fields. Step 12. Click OK to save your settings. Step 13. To verify whether the LDAP user is valid, click Test. 2012 Cisco Systems, Inc. All rights reserved. Page 8 of 16

You can now use the Cisco AnyConnect VPN Client to establish SSL VPN tunnels. For information about SSLVPN, refer to the application note, Configuring SSLVPN on the Cisco ISA500 Security Appliance at: www.cisco.com/go/isa500resources. After the tunnel is established, verify the connection from the Status > VPN Status > SSL VPN Status page. This example shows the session information for the VPN client. 2012 Cisco Systems, Inc. All rights reserved. Page 9 of 16

Configuring RADIUS Server Authentication RADIUS (Remote Authentication Dial-In User Service) authenticates local and remote users on a network. RADIUS is a client/server system that stores the authentication information for users, remote access servers, VPN gateways, and other resources in one central database. You can use a Cisco Secure Access Control Server (ACS) or FreeRADIUS as the RADIUS server. Figure 2 shows the ISA500 in a RADIUS server topology. NOTE Before you begin, make sure that the RADIUS server is configured and is working properly. Figure 2 ISA500 in a RADIUS Server Topology Internal server ISA500 SSL VPN Client RADIUS server 285389 Step 1. Step 2. Configure an SSL VPN Group Policy SSLVPNPOLICY1 and add a new group RADIUSGroup that share this same policy. These steps are identical to the Active Directory server steps 1 and step 2 on page 10. Specify the user authentication method. a. Select Users > Users Authentication. b. Choose RADIUS from the drop-down menu and click Configure. 2012 Cisco Systems, Inc. All rights reserved. Page 10 of 16

c. Specify the RADIUS configuration settings RADIUS Server Timeout: Enter the number of seconds that the connection is active before reauthentication is required. This value depends on your network connection. The default value is 3 seconds. Retries. Enter the number of times that the security appliance will try to resend the authentication message. RADIUS Servers: Choose the number of RADIUS user groups. You can have up to three groups (Group 1, Group 2, and Group 3). Primary Server: Enter the RADIUS server IP address, port number and shared secret information. Secondary Server: If applicable, enter the IP address, port number and shared secret information for the secondary RADIUS server. d. Click OK to save your settings. 2012 Cisco Systems, Inc. All rights reserved. Page 11 of 16

Step 3. Click the RADIUS Users tab and specify the user information. Allow Only Users Listed Locally: Click On to allow only the RADIUS users (who also are present in the local database) to log in.. Mechanism for Setting User Group Memberships for RADIUS Users. Choose one of the following: - Use RADIUS Filter-ID: Finds the user group information by using the Framed-Filter-ID attribute from the RADIUS server. The FreeRadius server uses attribute Framed-Filter-Id. For ACS Setup, see: http://www.cisco.com/en/us/products/sw/secursw/ps2086/ index.html. - Local Configuration Only: Finds the user group information from the local database only. If the RADIUS server does not return a Filter-ID, choose this option. You will also need to add the users to the groups in the local database (See Users > Users Authentication). Default User Group to Which All RADIUS Users Belong: If the RADIUS server does not return the group name or if the group does not exist, you can add the user to this configured group. You can also choose None for security purposes. Step 4. Click the Test tab and enter the user s credentials in the Username and Password fields. Then click the Test button to verify whether the RADIUS user is valid. 2012 Cisco Systems, Inc. All rights reserved. Page 12 of 16

Step 5. Click OK to save your settings. You can now use Cisco AnyConnect to establish the SSL VPN tunnels. Troubleshooting This section contains information that helps you resolve problems you might encounter when configuring the SSL VPN configuration. If Logging is enabled on the security appliance (Device Management > Logs > Log Settings), you can use the information in the syslogs for troubleshooting purposes. Why can t I authenticate 802.1x clients with an Active Directory server? Only a RADIUS server can be used for 802.1x authentication. An Active Directory server and the local user database is not supported. Web Login, SSL VPN, IPsec Remote Access, and Captive Portal can use either an external Active Directory or a RADIUS server or a local database. Where should the Active Directory or RADIUS server be located, on the WAN side or the LAN side? Either side, as long the server is reachable from the ISA500. Besides Microsoft Active Directory server, what else can I use as an LDAP server? The ISA500 supports three LDAP schemas; Microsoft Active Directory, RFC 2307 and RFC 2798. You can also use OpenLDAP (http://www.openldap.org/) or any other LDAP server which support these schemas. 2012 Cisco Systems, Inc. All rights reserved. Page 13 of 16

Why is my AD/RADIUS server unreachable? When I check the user logs, it shows the following information: Verify that the IP address and port number of the server is working properly. If you entered the wrong login username or password in the LDAP Setting page, the Logs page shows the following error: What happens if I enter the wrong username and password for the SSL VPN client? The Logs page is showing the user as invalid. To troubleshoot the problem, verify that the username and password for the SSL VPN client and Authentication server match. 2012 Cisco Systems, Inc. All rights reserved. Page 14 of 16

For RADIUS authentication, you can also enable debug level logs to help troubleshoot. For instance, if you enter the wrong password for the SSL VPN client, the Log Data returns a response code. In the following example, the RADIUS response code 2 means Access-Accept. RADIUS response code 3 means Access-Reject. How can I verify that the LDAP or RADIUS settings are correct? a. Select User > User Authentication. b. Choose either LDAP or RADIUS. In the Test tab enter the user s credentials in the Usename and Password fields. c. Click OK to save your settings and then click Test to verify if the user is valid. If the authentication is successful but SSLVPN does not establish the tunnel, it may mean that the AD/RADIUS server returned the wrong group name. Check the AD/RADIUS server to verify that it returned the correct group name for the authenticated user, or specify a valid default user group to which all RADIUS users belong. See page 12 for more information. How do I know that the authentication was successful? When an VPN tunnel is established and user authentication is successful, the Logs page returns a success message. In the following example, the highlighted log shows users from=sslvpn. It might also show users from=captive portal, or users from=weblogin, depending on which module initiates the authentication. 2012 Cisco Systems, Inc. All rights reserved. Page 15 of 16

For More Information Product Resources Product Documentation Cisco Small Business Support Community Cisco Small Business Support and Resources Phone Support Contacts Firmware Downloads Cisco Partner Central for Small Business (Partner Login Required) Cisco Small Business Home Location www.cisco.com/go/isa500resources www.cisco.com/go/smallbizsupport www.cisco.com/go/smallbizhelp www.cisco.com/go/sbsc www.cisco.com/go/isa500software www.cisco.com/web/partners/sell/smb www.cisco.com/smb Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 2012 Cisco Systems, Inc. All rights reserved. 78-20879-01 2012 Cisco Systems, Inc. All rights reserved. Page 16 of 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information