Using Active Directory to Authenticate VPN Users on Cisco ASA

We have a client who has circa 200 users with a significant number of roaming users. The roaming users access to the network is via a remote access VPN. Initially the users credentials were added to the Cisco ASA like so:

username <username> password <password>

By default the ‘LOCAL’ database is used, but we wanted the users to use their AD credentials to simplify administration and prevent confusion. To start with, create a server group:

aaa-server AD-SERVERS protocol kerberos

Then add individual servers

aaa-server AD-SERVERS (inside) host
 kerberos-realm MYREALM.PRIV

Obviously you need to use your own realm and the correct ip addresses for your AD servers. Before making any further changes, its possible to test the authentication from the command line.

test aaa-server authentication AD-SERVERS host username testuser password testpass
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
INFO: Authentication Successful

When you are happy that its working, modify the ‘tunnel-group to specify AD server authentication as follows:

tunnel-group MYTUNNEL general-attributes
 authentication-server-group AD-SERVERS LOCAL

Thats it really, enjoy not adding and maintaining usernames and passwords.


As with all things Windows related there was a  snag in that authentication was not consistent. Some users were ok and some were not despite apparent similarities. The solution was to switch off Kerberos Pre-authentication in the active directory setup on a per user basis. See image below:


This entry was posted in Cisco and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *