Wednesday, February 27, 2008

Configuring AAA for SSL VPN on the Cisco ASA, v8.0(3)

AAA for Easier Administration
by Mark Lambiase
Note: This configuration was performed on an ASA 5505 running 8.0(3).

Now that we have an SSL VPN that we can access, we are going to want to start adding functionality to it so that people can actually use it for something. The problem is that we do not want to have to add every person's account to the ASA. It is much better to leverage an existing authentication database where all of these accounts already exist.

Next we are going to configure the ASA to make LDAP calls against Microsoft Active Directory. AD is pretty common out there, so it is a good one to describe, and the integration is pretty easy.

We will need to:
1) Create a AAA Server Group;
2) add a server to the Group;
3) bind the AAA Server Group to the Connection Profile.

Create the AAA Server Group
Like other configurable components in the ASDM, there is more than one place where this can be configured. This particular example uses Device Management > Users/AAA > AAA Server Groups.

The first step is to click 'Add' next to the 'AAA Server Groups' table at the top. Give the Server Group a name, pick the protocol you are going to use (LDAP in this example), and click OK.

Add a Server to the Group
Once the Group is created we can add a server:

To add the server you need a fair bit of information. I prefer to run LDAP over SSL, but not everyone will have their domain set up to support that. We won't go into how to set that up, but basically you need to install a server certificate on the domain controller, and secure LDAP (port 636) will be enabled. On the ASA side all you do is check the 'Enable LDAP over SSL' box (it will automatically change the Server Port for you). Secure LDAP is required if you want to allow password management from the web portal, because the ASA will not send a password change to AD over a cleartext LDAP session. This feature allows passwords to be changed before they expire. It is a great feature, configured under the Connection Profile's general attributes (the 'password-management' setting in the CLI), so we will move on.

An account is required for the LDAP session to bind to the server. You can see in the above screenshot that I used an administrator account, but this is not necessary, and it is not a good idea: the bind password is stored in the ASA configuration, so the account should have no more rights than the ASA needs. A dedicated account set up just for the ASA, with ordinary (read-only) domain user rights, is all that authentication requires. With read-only rights, however, password management will not be possible, because the ASA changes the user's password through this bind; only grant that right if you need the feature.

More than one server can be added to a AAA Server Group, for redundancy. We will limit our example to one server, though.

Once you have the AAA server configured, the ASA has a test function. You can test either authorization or authentication from the ASA. An authorization test sends only the username and checks that the account can be found in the directory; an authentication test submits the username and password and attempts an actual logon.

When you send a test to the LDAP server there are a number of responses that can come back. Each of the following is worth recognising, because the same conditions will produce the same failures for real users.

The following error was generated because the IP address of the LDAP server was set incorrectly:

The next error was returned because the password for the account that makes the LDAP call was set incorrectly:

This error was returned when I sent a username that did not exist in the LDAP database:

And this one is from submitting a username that had been disabled in AD:

Of course, it will tell you if the test was successful, too.

Bind the AAA Server Group to the Connection Profile
Once the AAA Server Group and the Server are created, they are available for use.

The AAA Server Group is selected in the Connection Profile (Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles). We are going to bind the newly created group to the DefaultWEBVPNGroup profile.

You can choose whether to allow authentication to fall back to LOCAL users if the connection to the AAA Server Group fails. This means you (as the administrator, and presumably with a LOCAL account) should still be able to get in, but not the average person who only has an account in AD. The flip side is that any LOCAL account becomes a valid VPN login whenever the domain controllers are unreachable, so keep LOCAL accounts to a minimum and give them strong passwords.

Note the nifty new authentication option: ‘Both’.
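The three ASDM steps above, plus the test function and the 'Both' option, generate ordinary ASA CLI configuration. The following is an added example written for this article, not configuration from the original post; the server group name AD-LDAP, the domain controller 10.1.1.10 on the inside interface, the domain example.com, the service account svc-asa-ldap, and the test user jdoe are all made up, and the angle-bracket placeholders must be replaced with real values. Lines starting with '!' are comments.

```cisco
! Step 1: create the AAA Server Group, using the LDAP protocol
aaa-server AD-LDAP protocol ldap

! Step 2: add a domain controller to the group (hypothetical 10.1.1.10)
aaa-server AD-LDAP (inside) host 10.1.1.10
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! dedicated, least-privilege bind account (hypothetical); ordinary domain
 ! user rights are enough for authentication
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>

! The ASDM Test button from the CLI: authorization sends only the
! username, authentication sends username and password
test aaa-server authorization AD-LDAP host 10.1.1.10 username jdoe
test aaa-server authentication AD-LDAP host 10.1.1.10 username jdoe password <jdoe-password>

! Step 3: bind the group to the default WebVPN connection profile and
! fall back to the LOCAL database only when the LDAP servers are unreachable
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP LOCAL
 ! password management needs LDAP over SSL and a bind account allowed
 ! to change passwords; warn users 7 days before expiry
 password-management password-expire-in-days 7

! The 'Both' option: require AAA credentials and a client certificate
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
```

Run the two `test aaa-server` lines before binding the group to the connection profile; a wrong server address, a wrong bind password, an unknown user and a disabled account each fail at a different point, exactly as the ASDM tests above do, and sorting that out with one test user is far easier than sorting it out with a portal full of users who cannot log in.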

Using AAA plus certificate authentication is a nice plus. If you can manage the certificate deployment, it can prove to be a great way to enable strong, two-factor authentication. Oh, by the way, did you know that MultiFactor's SecureAuth can do this for you, and that it integrates flawlessly with the Cisco ASA SSL VPN if you are using 8.x code?

Copyright 2008. MultiFactor Corporation. All Rights Reserved.