Configure AnyConnect with LDAP Authentication on CSM

Available Languages

Download Options

  • PDF     (640.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (759.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (534.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 27, 2023
Document ID:220645

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure AnyConnect with LDAP Authentication on CSM.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • CSM 4.23
    • AnyConnect configuration
    • SSL protocol

    Components Used

    The information in this document is based on these software and hardware versions:

    • CSM 4.23
    • ASA 5515
    • AnyConnect 4.10.6090

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Network Diagram

    Configurations

    Step 1. Configure the SSLVPN Access

    Go to Policies > SSL VPN > Access:

    CSM SSL Configuration

    After configuring the Access Interface make sure you click Save:

    Save Button

    Step 2. Configure the Authentication Server

    Go to Policy Object Manager > All Object Types > AAA Servers > Add.Add Button

    Configure the IP of the server, the source interface, Login Directory, Login Password, LDAP Hierarchy Location, LDAP Scope and LDAP Distinguished Name:

    AAA Server Configuration

    Now add the AAA Server to AAA Server Groups > Add.Add Button

    AAA Server Group Configuration

    Step 3. Configure the Connection Profile

    Go to Policies > Connection Profiles > AddAdd Button

    Here you have to configure the IPv4 Global Address Pool (AnyConnect pool), Group Policy, AAA and Group Alias/URL:

    Connection Profile Configuration

    In order to select the AAA server, click on the AAA tab and select the server created on Step 2:

    Connection Profile AAA Configuration

    To configure a group alias/group url, dns or wins server in the connection profile, go to the SSL tab:

    Connection Profile SSL Configuration

    Step 4. Deploy

    Click the deploy icon .Deploy Button

    Verify

    This section provides information you can use in order to verify your configuration.

    Accessing through CSM:

    Open the Health and Performance Monitor > Tools > Device Selector > Select the ASA > Next > Select Remote Access Users

    HPM Monitor

    note-icon

    Note: The VPN user shows up based on the HPM refresh timer.

    Through CLI:

    ASA#show vpn-sessiondb anyconnect

    Session Type: AnyConnect

    Username : cisco                        Index : 23719
    Assigned IP : 192.168.20.1              Public IP : 209.165.201.25
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 15856                        Bytes Rx : 3545
    Group Policy : Basic_Policy             Tunnel Group : CSM_LDAP_SVC
    Login Time : 10:29:42 UTC Tue Jul 25 2023
    Duration : 0h:010m:16s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A                      VLAN : none
    Audt Sess ID : 0e26864905ca700064bf3396
    Security Grp : none

    Troubleshoot

    In order to check possible failures during the LDAP authentication or the anyconnect establishment you can execute the next commands on the CLI:

    debug ldap 255
    debug webvpn anyconnect 255

    Revision History

    Revision Publish Date Comments
    3.0
    27-Jul-2023
    Initial Release
    1.0
    26-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • JP Miranda
      Cisco Escalation Leader AAA FW VPN

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco