I will describe how to setup RSA SecurID Access Identity Router (IDR), LDAP, Cisco ASA's Remote Access VPN (AnyConnect) to perform Authentication via IDR's RADIUS server and Authorization via LDAP (Active Directory). The finished configuration will have two Tunnel Groups one called Employees other Contractors. Employees will have full network access and Contractors will have limited access to internal network. Contractors won't be able to login into Employees tunnel group and vice versa.
The reason for this is currently IDR doesn't support multiple RADIUS profiles and mapping custom RADIUS class attributes e.g. (Class[M] - OU=Employees;) to certain AD groups.
This HOWTO is valid until we get proper implementation via multiple RADIUS profiles: SecurID Access RADIUS Profile mapped to AD Group
- Cisco ASA OS: 9.6(4)8
- Cisco ASDM 184.108.40.206
- RSA SecurID IDR: 220.127.116.11.1
- Cisco Anyconnect: 4.5.04029
1. Create two AD groups in your domain controller and add users to them who would like to have remote VPN access.
2. Connect to Cisco ASA via CLI (SSH) and create LDAP mapping:
ldap attribute-map GROUP_BIND
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPNemployees,OU=Groups,OU=examaple,DC=net Employees
map-value memberOf CN=VPNcontractors,OU=Groups,OU=example,DC=net Contractors
3. Add first LDAP (domain controller server) that we will use for authorization. You can also add the second one for HA:
aaa-server VPN_LDAP (inside) host 10.0.2.3 <-- replace with IP of your domain controller
server-port 636 <-- we are using SSL to connect to DC
4. Add IDR RADIUS server that we will use for authentication. You can also add the second one for HA:
aaa-server IDR_RADIUS protocol radius
aaa-server IDR_RADIUS (inside) host 10.0.2.4 <-- replace with MGMT IP of your IDR router interface
timeout 120 <-- make sure its set to 120 sec or else it won't work.
authentication-port 1812 <-- port must be 1812 or else it won't work.
4.1 Configure IDR RADIUS following this document: Add a RADIUS Client for the Cloud Authentication Service
5. Configure remote access VPN (Cisco AnyConnect)
5.1 Enable Cisco AnyConnect & tunnel-goups
anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 2
anyconnect profiles Contractors disk0:/contractors.xml <--- AnyConnect cilent profiles we will later adjust
anyconnect profiles Employees disk0:/employees.xml
5.2 Create Group Policy called Employees:
group-policy Employees internal
group-policy Employees attributes
dns-server value 10.0.2.3 <-- replace with your DNS server (domain controller)
vpn-simultaneous-logins 5 <-- allow only 5 simultaneous logins
vpn-filter value EMPLOYEES_ACCESS_VPN <-- set ACL with accept or deny rules for Employees
group-lock value Employees <-- here we specify group lock so users from other group contractors won't be able to login into Employees
default-domain value example.net
anyconnect profiles value Employees type user
5.3 Create tunnel group called Employees:
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
address-pool IP_VPN_POOL_172.16.101.0 <-- setup dhcp pool for remote anyconnect cilents
authentication-server-group IDR_RADIUS <-- set RSA IDR RADIUS for authentication
authorization-server-group VPN_LDAP <-- set LDAP(AD) for authorization
authorization-required <-- set this so authorization is requred
tunnel-group Employees webvpn-attributes
group-alias Employees enable
5.4 Repeat the same for other user group Contractors:
group-policy Contractors internal
group-policy Contractors attributes
dns-server value 10.0.2.3
vpn-filter value CONTRACTORS_ACCESS_VPN
group-lock value Contractors
default-domain value example.net
anyconnect profiles value Contractors type user
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
tunnel-group Contractors webvpn-attributes
group-alias Contractors enable
6. Configure AnyConnect timeouts for both group profiles. (This step requires Cisco ASDM)
Login to ASDM and go to: Remote Access VPN --> Network (Cilent) Access --> AnyConnect Cilent Profile
Click on "AnyConnect Client Profile" and then click "Edit".
Click on "Preferences (Part 1)" section and make sure "RSA SecurID Integration" is set to "Automatic".
Click on "Preferences (Part 2)" and adjust "Authentication Timeout (seconds)" to "120".
Click on "Server List" then click "Add..." and add your outside VPN server name and FQDN/IP e.g. vpn.example.net .
!!! Repeat this process for second AnyConnect Cilent Profile: Employees !!!
After you finished go to Remote Access VPN --> Network (Cilent) Access --> AnyConnect Cilent Profile click on Export and save both profiles with names Contractors.xml and Employees.xml and distribute them on computers which Cisco AnyConnect will be used to connect to Cisco ASA VPN. (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile).
The step above is required because by default Cisco AnyConnect has timeout set too low and authentication will timeout before it can be completed. These xml profiles are always updated on clients during successful login but for the first time connecting you have to update them manually by the steps described in above paragraph.
Another option is to use Cisco AnyConnect Profile Editor Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - The AnyConnect Profile Editor [Cisco AnyConn…
I hope someone will find this HOWTO useful.