Cisco ASA - SSLVPN
RS_MCP
Member Posts: 352
Hi All,
I have setup an SSL VPN Service on my ASA which authenticates users through LDAP over Active Directory.
We have just added a new domain to our network which sits on a completely different name, is it possible for me to set up the SSLVPN service for multiple domain authentication methods?
If so, how can I do this using ASDM?
According to Cisco....
The ASA currently does not support the LDAP referral mechanism for multi-domain searches (Cisco bug ID CSCsj32153). Multi-domain searches are supported with the AD in Global Catalog Server mode. In order to perform multi-domain searches, set up the AD server for Global Catalog Server mode, usually with these key parameters for the LDAP server entry in the ASA. The key is to use an ldap-name-attribute that must be unique across the directory tree.
Comments
mikearama
Member Posts: 749
I cannot locate a place in ASDM to add a second ldap hook into another server group. Hell, the "inside" interface (where one ldap server group is already defined) doesn't even show up as available when I try to add a second server group in the "Assign Authentication Server Group to Interface" field in the "Edit SSL VPN Connection Profile" page.
I think your info is accurate... if you have set up a second AD domain, let the GC handle locating credentials. I think you'll have to have set up a trust between the domains, with your GC handling resources in both. Then authentication should find the correct domain.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
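For reference, the CLI equivalent of the Global Catalog LDAP server entry described in the Cisco note and in mikearama's reply, added here as an illustrative example (not from the original post, Cisco, or mikearama). The server-group name, host address, base DN and bind account are constructed placeholders; it assumes the GC listens on the standard 3268/3269 ports and that userPrincipalName is used as the naming attribute because, unlike sAMAccountName, it is unique across the whole forest rather than within one domain.

```cisco
! Constructed example: one LDAP server group pointing at a Global Catalog
! server instead of a single domain controller, so a single search covers
! users from both domains without relying on LDAP referrals.
aaa-server GC-LDAP protocol ldap
aaa-server GC-LDAP (inside) host 10.0.0.5
 ! 3269 is the Global Catalog SSL port (3268 is the plaintext GC port);
 ! use SSL so the bind credentials and user passwords are not sent in clear.
 server-port 3269
 ldap-over-ssl enable
 ! Search from the forest root so objects from every domain are in scope.
 ldap-base-dn dc=corp,dc=example
 ldap-scope subtree
 ! Forest-unique naming attribute: users log in as user@domain.tld.
 ldap-naming-attribute userPrincipalName
 ! Dedicated read-only bind account (placeholder); it needs no admin rights.
 ldap-login-dn cn=asa-ldap-bind,ou=ServiceAccounts,dc=corp,dc=example
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
!
! Attach the group to the SSL VPN connection profile (placeholder name).
tunnel-group SSLVPN-PROFILE general-attributes
 authentication-server-group GC-LDAP
```

With userPrincipalName as the naming attribute, users must enter their full UPN (user@domain.tld) at the VPN login prompt rather than a bare username.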