active directory authentication with cisco pix

I may be missing the boat here as this seems a little easy. I bet it’s just out of date. Googling for something like ‘active directory cisco pix’ brings up a number of blogs and forums (1, 2, 3) on enabling active directory authentication for aaa server groups on a pix. All of these examples use IAS to provide radius to the cisco. However, the following works for me:

aaa-server ADGroup protocol nt
aaa-server ADGroup (core) host 192.168.0.10
nt-auth-domain-controller ad-dc1
aaa-server ADGroup (core) host 192.168.0.11
nt-auth-domain-controller ad-dc2

aaa authentication ssh console ADGroup LOCAL

Replace ad-dcX with the NetBIOS name of each domain controller and 192.168.0.x with its actual IP address. The last line tells SSH to authenticate against this group and to fall back to the local user database if it can't reach Active Directory. I just did this for testing; keep in mind that this effectively allows anyone in AD to log in to the PIX, so you'll want to look at 'aaa command authorization' if you keep this.

Configuring a VPN tunnel group to use this server group would be:

tunnel-group TunnelGroupName general-attributes

authentication-server-group ADGroup

I may still use LDAP instead, as I like the granularity of being able to specify a base DN and create an LDAP bind account that has limited read access. I haven't gotten to playing with authorization yet (keeping in mind that AAA = Authentication, Authorization and Accounting, and that each has a different role), because I usually drive ASDM with the 'preview commands before sending them to the device' preference set, and 5.2(2) has a bug (CSCsg92142) that leaves the Authorization tab of VPN Tunnel Groups blank.
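As an added illustration of the LDAP alternative just mentioned (this is not configuration from the original post), the following is what an equivalent aaa-server group would look like using the PIX/ASA 7.x LDAP commands. The base DN limits which accounts can authenticate to a single OU, which addresses the "anyone in AD can log in" concern above, and the bind account only needs read access to that OU. The group name LDAPGroup, the interface name, the addresses, the OU and account names, and the password placeholder are all assumed; check the exact sub-command set against the command reference for your PIX version.

```cisco
! Added example: LDAP aaa-server group for Active Directory (assumed names/addresses)
aaa-server LDAPGroup protocol ldap
aaa-server LDAPGroup (core) host 192.168.0.10
 ! Only objects under this OU are searched, so only accounts placed here can log in
 ldap-base-dn OU=NetworkAdmins,DC=example,DC=local
 ldap-scope subtree
 ! Match the username typed at the SSH prompt against the AD logon name
 ldap-naming-attribute sAMAccountName
 ! Low-privilege bind account with read-only access to the OU above
 ldap-login-dn CN=pix-ldap-bind,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password <bind-account-password>
aaa-server LDAPGroup (core) host 192.168.0.11
 ldap-base-dn OU=NetworkAdmins,DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=pix-ldap-bind,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password <bind-account-password>

! Same fallback pattern as the NT example: LDAP first, local database if AD is unreachable
aaa authentication ssh console LDAPGroup LOCAL
```

Compared with the NT-domain method, the base DN is what provides the scoping: an AD user outside OU=NetworkAdmins is simply never found by the search, so the PIX rejects the login even though the credentials are valid elsewhere in the domain. The bind account password is stored in the running configuration, so keep it unique to this device rather than reusing an administrative password.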
