I may be missing the boat here as this seems a little easy. I bet it’s just out of date. Googling for something like ‘active directory cisco pix’ brings up a number of blogs and forums (1, 2, 3) on enabling active directory authentication for aaa server groups on a pix. All of these examples use IAS to provide radius to the cisco. However, the following works for me:
aaa-server ADGroup protocol nt
aaa-server ADGroup (core) host 192.168.0.10
nt-auth-domain-controller ad-dc1
aaa-server ADGroup (core) host 192.168.0.11
nt-auth-domain-controller ad-dc2aaa authentication ssh console ADGroup LOCAL
Replace ad-dcX with the netbios name of the server and 192.168.0.x with the actual IP address of the server. The last line configures ssh use to this group and then fall back on the local user database if it can’t access active directory. I just did this for testing, keep in mind that this effectively allows anyone in AD to login to the pix, so you’ll want to look at ‘aaa command authorization’ if you kept this.
Configuring a vpn to use this configuration would be:
tunnel-group TunnelGroupName general-attributes
authentication-server-group ADGroup
I may still use LDAP instead, as I like the granularity of being able to specify a baseDN and creating an LDAP bind account that has limited read access. At the moment I haven’t gotten to playing with Authorization (keeping in mind AAA = Authentication, Authorization and Accounting, and that they have different roles) yet because I usually dial around ASDM with the ‘preview commands before sending them to the device’ preference set and 5.2(2) has a bug (CSCsg92142) that leaves the Authorization tab of VPN Tunnel Groups blank.
it’s worth noting that ‘nt’ amounts to ‘ntlm v1‘ in eary versions, which is horribly lame as a protocol (low entropy). my notes.