Brief

The configuration is done mainly in ASDM. Starting from an existing AnyConnect Connection Profile, the following panes are changed:

Configuration
└── Remote Access VPN
    ├── Network(Client) Access
    │   └── AnyConnect Connection Profiles
    └── AAA/Local Users
        └── AAA Server Groups

Active Directory Domain Services Controller

In Active Directory Users and Computers, under corp.example.com > Users, create the account asa5505@corp.example.com that the ASA will use as its bind (Login DN) account.

Tick Password never expires (recommended, otherwise VPN logins stop working the day the password rotates). Binding and reading the Users container needs no special rights, so leave the account as an ordinary domain user with no extra group memberships and no interactive logon requirement.

AAA Server Groups

Under AAA Server Groups, click Add:

  • AAA Server Group: adds0.corp.example.com
  • Protocol: LDAP
  • Reactivation Mode: Depletion
  • Dead Time: 10 minutes
  • Max Failed Attempts: 3

Select the group just created, then under Servers in the Selected Group click Add:

  • Interface Name: inside
  • Server Name or IP Address: adds0.corp.example.com
  • Timeout: 10 seconds
  • LDAP Parameters for authentication/authorization
    • Server Port: 389, with Enable LDAP over SSL left unchecked because the ASA and the domain controller share the inside LAN. Be aware of what this trades away: on plain LDAP the Login DN password and every VPN user's password cross the wire in cleartext on each login. If the domain controller has a certificate, port 636 with Enable LDAP over SSL ticked is the safer choice and costs nothing else in this setup.
    • Server Type: Microsoft
    • Base DN: cn=users, dc=corp, dc=example, dc=com
    • Scope: One level beneath the Base DN
    • Naming Attribute: sAMAccountName (use userPrincipalName instead when users from more than one domain log in, since sAMAccountName is only unique within a domain)
    • Login DN: cn=asa5505, cn=users, dc=corp, dc=example, dc=com
    • Login Password: password of asa5505@corp.example.com
    • LDAP Attribute Map: None
  • LDAP Parameters for Group Search
    • Group Base DN: cn=users, dc=corp, dc=example, dc=com
    • Group Search Timeout: 10

NOTE: In a default Active Directory layout, user objects live in the Users container, which is CN=Users (a container, not an OU), so cn=users must be part of the Base DN and Login DN for the search to reach them. With a Base DN of only dc=corp,dc=example,dc=com and the One level scope above, no users would be found.

Debug

Connect to the ASA5505 over console or SSH, enter privileged EXEC (enable) mode, and turn on LDAP debugging:

debug ldap 255

In ASDM click Apply, then Test on the AAA Server Groups pane and authenticate as a domain user. The debug output shows the bind with the Login DN, the search under the Base DN for the naming attribute, and the user bind, so a wrong DN or scope is visible immediately. Turn the debugging off afterwards with undebug all; at level 255 it is noisy and logs the DNs of every login attempt.

Distinguished Names (DN)

RFC 2253 (UTF-8 String Representation of Distinguished Names) defines the short attribute-type strings used in the DNs above:

String  X.500 AttributeType
------------------------------
CN      commonName
L       localityName
ST      stateOrProvinceName
O       organizationName
OU      organizationalUnitName
C       countryName
STREET  streetAddress
DC      domainComponent
UID     userid
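The following script is an added example for this page, not Cisco or ASDM code, and it does not connect to a directory. It pulls together the two pieces above: it parses and normalises DNs according to RFC 2253 (the ASDM form accepts "cn=users, dc=corp, ..." with spaces after the commas, the ASA CLI shows them compacted, and a user CN containing a comma has to be escaped), and it renders the AAA Server Group settings from the ASDM form as the equivalent ASA CLI stanza, flagging the two things the form lets you get wrong silently: a one-level search whose Base DN is only the domain root (the cn=users note above) and cleartext LDAP on port 389. The command names are assumed to follow the ASA 9.x aaa-server host sub-mode; group-search-timeout in particular should be checked against show running-config aaa-server on your release. The password value is a placeholder.

```python
"""RFC 2253 DN handling and the ASDM -> ASA CLI mapping for the LDAP AAA server.

Added example for this page; not Cisco code, performs no network access.
CLI command names are assumed from the ASA 9.x aaa-server host sub-mode.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an attribute value (RFC 2253 section 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first, keeping escapes intact.

    Tolerates the optional whitespace ASDM shows after each comma and lower-cases the
    attribute type, which is case-insensitive. Multi-valued RDNs ('+') do not occur in
    Active Directory paths and are rejected.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":            # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.lstrip().partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        if "+" in val.replace("\\+", ""):
            raise ValueError(f"multi-valued RDN not supported: {rdn!r}")
        val = val.lstrip(" ")
        while val.endswith(" "):   # drop trailing spaces unless escaped by an odd run of backslashes
            stripped = val[:-1]
            if (len(stripped) - len(stripped.rstrip("\\"))) % 2 == 1:
                break
            val = stripped
        pairs.append((typ.strip().lower(), val))
    return pairs


def format_dn(pairs: list[tuple[str, str]]) -> str:
    """Re-join pairs in the compact form the ASA CLI shows (no space after commas)."""
    return ",".join(f"{t}={v}" for t, v in pairs)


def is_under(child: str, base: str) -> bool:
    """True when `child` lies strictly below `base`; AD compares values case-insensitively."""
    c = [(t, v.lower()) for t, v in parse_dn(child)]
    b = [(t, v.lower()) for t, v in parse_dn(base)]
    return len(c) > len(b) and c[-len(b):] == b


def asa_ldap_server_cli(*, group: str, host: str, interface: str, base_dn: str, login_dn: str,
                        login_password: str, naming_attribute: str = "sAMAccountName",
                        scope: str = "onelevel", server_port: int = 389, ldap_over_ssl: bool = False,
                        timeout: int = 10, group_search_timeout: int = 10,
                        max_failed: int = 3, deadtime: int = 10) -> tuple[list[str], list[str]]:
    """Render the ASDM AAA Server Group form as ASA CLI lines; returns (lines, warnings)."""
    base, login = format_dn(parse_dn(base_dn)), format_dn(parse_dn(login_dn))
    warnings = []
    if scope == "onelevel" and all(t == "dc" for t, _ in parse_dn(base_dn)):
        warnings.append(f"onelevel search under {base} finds no users; add cn=users (or the OU)")
    if not ldap_over_ssl:
        warnings.append(f"port {server_port} without LDAP over SSL: bind and user passwords cross the wire in cleartext")
    lines = [
        f"aaa-server {group} protocol ldap",
        f" max-failed-attempts {max_failed}",
        f" reactivation-mode depletion deadtime {deadtime}",
        f"aaa-server {group} ({interface}) host {host}",
        f" timeout {timeout}",
        f" server-port {server_port}",
        f" ldap-base-dn {base}",
        f" ldap-group-base-dn {base}",
        f" ldap-scope {scope}",
        f" ldap-naming-attribute {naming_attribute}",
        f" ldap-login-password {login_password}",
        f" ldap-login-dn {login}",
        " server-type microsoft",
        f" group-search-timeout {group_search_timeout}",  # assumed name; verify on your ASA release
    ]
    if ldap_over_ssl:
        lines.insert(6, " ldap-over-ssl enable")
    return lines, warnings


if __name__ == "__main__":
    cli, warns = asa_ldap_server_cli(
        group="adds0.corp.example.com", host="adds0.corp.example.com", interface="inside",
        base_dn="cn=users, dc=corp, dc=example, dc=com",
        login_dn="cn=asa5505, cn=users, dc=corp, dc=example, dc=com",
        login_password="<password of asa5505@corp.example.com>")  # placeholder, not a real secret
    print("\n".join(cli))
    for w in warns:
        print("WARNING:", w)
```

Running it with the page's values prints the stanza you should see in show running-config aaa-server after clicking Apply, plus the cleartext warning for port 389; switching to server_port=636 and ldap_over_ssl=True adds ldap-over-ssl enable and silences it.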

AnyConnect Connection Profiles

Under Connection Profiles, select the profile to change and click Edit:

  • Basic
    • Authentication
      • Method: AAA (or Both, if a client certificate is required in addition to the domain credentials)
      • AAA Server Group: adds0.corp.example.com
    • Default Group Policy
      • Domain Name: corp.example.com