We have a client with circa 200 users, a significant number of whom are roaming. The roaming users' access to the network is via a remote access VPN. Initially the users' credentials were added to the Cisco ASA like so:
username <username> password <password>
By default the ‘LOCAL’ database is used, but we wanted the users to use their AD credentials to simplify administration and prevent confusion. To start with, create a server group:
aaa-server AD-SERVERS protocol kerberos
Then add the individual servers:
aaa-server AD-SERVERS (inside) host 192.168.1.2 kerberos-realm MYREALM.PRIV
Obviously you need to use your own realm and the correct IP addresses for your AD servers. Before making any further changes, it's possible to test the authentication from the command line:
test aaa-server authentication AD-SERVERS host 192.168.1.2 username testuser password testpass
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
When you are happy that it's working, modify the ‘tunnel-group’ to specify AD server authentication (keeping LOCAL as the fallback database) as follows:
tunnel-group MYTUNNEL general-attributes
...
authentication-server-group AD-SERVERS LOCAL
...
That's it really; enjoy not adding and maintaining usernames and passwords.
As with all things Windows related there was a snag, in that authentication was not consistent. Some users were OK and some were not, despite apparent similarities. The solution was to switch off Kerberos pre-authentication in the Active Directory setup on a per-user basis. See image below:
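Switching off Kerberos pre-authentication is set per account through the DONT_REQ_PREAUTH bit (0x400000) of the userAccountControl attribute, and accounts with that bit set can obtain a ticket response without first proving the password, so it is worth keeping an inventory of exactly which accounts have been changed and making sure they carry strong passwords. The script below is an added example, not part of the original post: it decodes userAccountControl values from a constructed CSV export of the kind `Get-ADUser -Filter * -Properties userAccountControl` would give you, and lists the enabled accounts that no longer require pre-authentication. The account names and values in `SAMPLE_EXPORT` are made up for the demonstration.

```python
"""Audit Active Directory accounts for the DONT_REQ_PREAUTH flag.

Added example (not from the original post). Input is a two-column CSV of
sAMAccountName and userAccountControl, e.g. exported from Get-ADUser or an
LDAP search; the rows in SAMPLE_EXPORT are constructed for this demo.
"""
from typing import Dict, List, Tuple

# Well-known userAccountControl bits (values from the AD schema documentation).
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Constructed sample export: "sAMAccountName,userAccountControl".
# bob: normal account with pre-auth disabled
# carol: normal account, password never expires
# dave: pre-auth disabled but the account itself is disabled
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
alice,512
bob,4194816
carol,66048
dave,4260354
"""


def decode_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def parse_export(text: str) -> List[Tuple[str, int]]:
    """Parse the CSV export into (account, uac) pairs, skipping the header row."""
    rows: List[Tuple[str, int]] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, uac = line.split(",", 1)
        rows.append((name.strip(), int(uac)))
    return rows


def accounts_without_preauth(text: str) -> List[str]:
    """List enabled accounts that do not require Kerberos pre-authentication.

    Disabled accounts are skipped: they cannot authenticate anyway, so the
    interesting set is accounts that are both enabled and exempt from pre-auth.
    """
    found: List[str] = []
    for name, uac in parse_export(text):
        preauth_off = bool(uac & UAC_FLAGS["DONT_REQ_PREAUTH"])
        disabled = bool(uac & UAC_FLAGS["ACCOUNTDISABLE"])
        if preauth_off and not disabled:
            found.append(name)
    return found


if __name__ == "__main__":
    for account, uac in parse_export(SAMPLE_EXPORT):
        print(f"{account:8s} {uac:>8d}  {', '.join(decode_uac(uac))}")
    print("Enabled accounts with pre-auth disabled:",
          accounts_without_preauth(SAMPLE_EXPORT))
```

On a real domain the same query can be run directly with `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`; the script is useful when you only have an export to work from, or want the flag breakdown alongside the list.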