Brief
Configuration is done mainly through ASDM. Starting from an existing AnyConnect Connection Profile, make the following changes under:
Configuration
└── Remote Access VPN
    ├── Network (Client) Access
    │   └── Anyconnect Connection Profiles
    └── AAA/Local Users
        └── AAA Server Groups
Active Directory Domain Service Controller
In the Users container of corp.example.com, add an account asa5505@corp.example.com (the account the ASA will bind with). Setting "Password never expires" on it is recommended.
AAA Server Groups
Under AAA Server Groups, click Add:
- AAA Server Group: adds0.corp.example.com
- Protocol: LDAP
- Reactivation Mode: Depletion
- Dead Time: 10 minutes
- Max Failed Attempts: 3
Select the group just created, then click Add under Servers in the Selected Group:
- Interface Name: inside
- Server Name or IP Address: adds0.corp.example.com
- Timeout: 10 seconds
- LDAP Parameters for authentication/authorization
  - Server Port: 389 (disable LDAP over SSL in LAN)
  - Server Type: Microsoft
  - Base DN: cn=users, dc=corp, dc=example, dc=com
  - Scope: One level beneath the Base DN
  - Naming Attribute: sAMAccountName (choose userPrincipalName when there are multiple domains)
  - Login DN: cn=asa5505, cn=users, dc=corp, dc=example, dc=com
  - Login Password: password of asa5505@corp.example.com
  - LDAP Attribute Map: None
- LDAP Parameters for Group Search
  - Group Base DN: cn=users, dc=corp, dc=example, dc=com
  - Group Search Timeout: 10
NOTE: With the default Active Directory layout, cn=users must be included in the DN so that the correct path is found.
Debug
Connect to the ASA5505 over console or SSH, enter configuration mode and start debugging:
    debug ldap 255
Then click Apply in ASDM, followed by Test.
Distinguished Names (DN)
RFC2253 (UTF-8 String Representation of Distinguished Names)
String   X.500 AttributeType
------   -------------------
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
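The NOTE above (cn=users must appear in the Base DN) and the "One level beneath the Base DN" scope both come down to whether a user's DN actually sits under the search base. The following is an added example, not part of the original notes: a small RFC 2253 DN parser restricted to the attribute types in the table, plus a check that a user DN would be found by a search rooted at the configured Base DN. The DNs used are constructed from the notes' own values, not taken from a real directory; hex escapes (\XX) are not handled.

```python
from typing import List, Tuple

# Short attribute names from the RFC 2253 table above.
RFC2253_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) RDNs, honouring backslash escapes
    and quoted values, so 'cn=Smith\\, John,cn=users,dc=corp' keeps the comma
    inside the value. Types are upper-cased; values are kept as written."""
    rdns, buf, escaped, quoted = [], "", False, False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        typ, _, val = rdn.strip().partition("=")
        typ = typ.strip().upper()
        if typ not in RFC2253_TYPES:
            raise ValueError(f"unknown or non-RFC2253 attribute type: {typ!r}")
        out.append((typ, val.strip()))
    return out


def in_search_scope(user_dn: str, base_dn: str, one_level: bool = True) -> bool:
    """True if user_dn would be found by an LDAP search rooted at base_dn.
    one_level=True models the notes' 'One level beneath the Base DN' setting:
    the user must sit directly under the base. With one_level=False (subtree)
    any depth below the base counts. AD DN values are case-insensitive, so
    values are lower-cased before comparison."""
    user = [(t, v.lower()) for t, v in parse_dn(user_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    if len(user) <= len(base) or user[-len(base):] != base:
        return False  # not under the base at all (e.g. wrong or missing cn=users)
    return (len(user) - len(base) == 1) if one_level else True
```

A user account that lives in an OU rather than in cn=users (the second and third assertions) is invisible to the one-level search the notes configure, which is the usual cause of a bind that succeeds while user authentication fails.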
Anyconnect Connection Profiles
Under Connection Profiles, select the required profile and click Edit:
- Basic
  - Authentication
    - Method: AAA/Both
    - AAA Server Group: adds0.corp.example.com
  - Default Group Policy
    - Domain Name: corp.example.com
- Authentication