Configuring LDAP for Cisco ASA AnyConnect Secure Mobility VPN


This article describes how to configure LDAP for Cisco ASA AnyConnect Secure Mobility VPN
  1. In your OneLogin environment, navigate to Administration > Authentication > VLDAP. Click New Configuration, then configure a new VLDAP config.

    Sample config:

    Enable VLDAP Service: Checked/Enabled
    Multi-factor authentication: unchecked/disabled
    Password expiration: optional (see OneLogin Virtual LDAP Service for additional information)
    Allow access by IP address: Public-facing IP address of your Cisco ASA
    screenshot of sample configuration utilizing email as the DN
    Username or sAMAccountName are also supported via alternate configurations on both the OneLogin VLDAP and the Cisco ASA. You must first request OneLogin support to configure your VLDAP configuration to use sAMAccountName or username as your cn value instead of email.
  3. Navigate to Users > Users and create a OneLogin user to act as your VLDAP service account. Apply a privilege of Manage users, Manage group, or Super user to your VLDAP service account.

    Sample user with privileges assigned:

    screenshot of sample user with a privilege assigned
  5. Note: This step applies to Cisco ASA software version 9.13(1) or later, due to Cisco ‘certificate validation’ requirements introduced at that time of that release.
    Download the DigiCert SHA2 Secure Server CA certificate to your local workstation. Login to your Cisco ASA device via ASDM with your administrative account, and navigate to Configuration > Certificate Management > CA Certificates. Click Add, enter a Trustpoint Name (e.g. DigiCert_SHA2_Secure_Server_CA), and click Install Certificate
    screenshot of Cisco ASDM screenshot of trustpoint warning screenshot of certificate installation success confirmation
  7. Navigate to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups and click Add in the upper-right. Enter an AAA Server Group name of your choosing, confirm the Protocol is set as LDAP, and then click OK.
    screenshot of Cisco ASDM Add AAA Server Group popup
  9. Select your newly created AAA Server Group in the upper menu and then click the lower-right Add (next to the lower menu). Configure the AAA Server by using your region-specific settings as outlined in OneLogin Virtual LDAP Service.

    (If you don't know whether your OneLogin account is in the US or EU region, please contact OneLogin support.)

    Interface Name: outside
    Server Name or IP Address: ldap.us.onelogin.com
    Timeout: 30 Seconds
    Enable LDAP over SSL: Checked/Enabled
    Server Port: 636
    Server Type: -- Detect Automatically/Use Generic Type --
    Base DN: ou=users,dc=bigham,dc=onelogin,dc=com
    Scope: All levels beneath the Base DN
    Naming Attribute: cn
    Login DN: CN=ldapservice@bighaminc.gq,ou=users,dc=bigham,dc=onelogin,dc=com
    Login Password: password for your Login DN account
    screenshot of sample configuration utilizing the US region and email as the OneLogin VLDAP DN value
    When possible, use the VLDAP server domain name rather than the IP address, as IP addresses may change.
  11. Click Apply to save your new configuration.
    screenshot of Cisco ASDM DESCRIPTION
  13. Test your new AAA Server Group by selecting AAA Server Group on the top menu, highlighting the AAA Server in the bottom menu, and then clicking Test.
    screenshot of Cisco ASDM DESCRIPTION
    If your test fails with the following error message, first validate that all of the settings outlined in Step 5 are correct. Then confirm that your VLDAP service account is not locked out within OneLogin and has a valid password without an MFA requirement.
    screenshot of 'ERROR: Authentication Server not responding' popup
  15. To set up a new AnyConnect VPN configuration for testing purposes, navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard and click Next at the initial screen.
    screenshot of AnyConnect VPN Connection Setup Wizard Introduction screen
  17. Enter a Connection Profile Name of your choice and click the Next button.screenshot of AnyConnect VPN Connection Setup Wizard Connection Profile Identification screen
  19. Confirm SSL is checked and IPsec is unchecked. Choose your relevant Certificate Authority Device Certificate, and then click Next.
    screenshot of AnyConnect VPN Connection Setup Wizard VPN Protocols screen
  21. Choose your relevant Client Image(s) and click Next.
    screenshot of AnyConnect VPN Connection Setup Wizard Client Images screen
  23. Choose the AAA Server Group that you previously created and click the Next button.screenshot of AnyConnect VPN Connection Setup Wizard Authentication Method screen
  25. Click Next to skip the SAML Configuration option.
  27. Select your relevant Address Pool and then click the Next button.
    screenshot of AnyConnect VPN Connection Setup Wizard Client Address screen
  29. Confirm your DNS settings and then click Next.
  31. Select/Deselect the NAT Exempt option to align with your VPN needs and click Next.
  33. On the following screen, click Next.
  35. Review/Validate your settings and then click Finish.screenshot of AnyConnect VPN Connection Setup Wizard Summary screen
  37. Navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles, select your newly created Connection Profile, and click Edit to review your Connection Profile. Sample AnyConnect Profile
  39. Test via your Cisco AnyConnect Secure Mobility client:
    Cisco Anyconnect connection process Cisco Anyconnect connection process Cisco Anyconnect connection process Cisco Anyconnect connection process

    Troubleshooting

    Issue: Employees receive a ‘Login Failed’ error message via Anyconenct despite entering their correct password.

    Solution: The employee is trying to login with username or sAMAccountName but your OneLogin VLDAP configuration is set up to require the default DN of email. Instruct the employee to use their email address or reconfigure your Cisco ASA and OneLogin VLDAP to use either username or sAMAccountName as the DN.