
Monday, January 8, 2018

Configuring AAA on Cisco ASA for LDAP Users to Use with VPNs

Before reading this you may need to know how to configure LDAP on a Windows server; if so, read that post first and come back. This configuration is about using LDAP accounts for VPN authentication, not for ASA administration.

Steps:

1. Define the LDAP server group name and protocol.
The server group name (tag) here is AD and the protocol is ldap.

ASA(config)# aaa-server AD protocol ldap

2. Define the interface the server is reachable from, the server IP address and the other parameters.
In my setup the AD server is reachable from the INSIDE interface and its IP is 11.2.2.20.
The domain is roshanznet.local.
sAMAccountName is the Windows logon name attribute in Active Directory, so users authenticate with their normal Windows username.
The login DN and password are the credentials the ASA binds with to look up users; here they are the AD administrator account. Note that the bind account only needs read access to the directory, so a dedicated read-only service account is preferable to the built-in Administrator, and unless ldap-over-ssl enable is configured the bind password and user credentials cross the network in cleartext on TCP 389.

ASA(config)# aaa-server AD (INSIDE) host 11.2.2.20
ASA(config-aaa-server-host)# ldap-base-dn DC=roshanznet,DC=local
ASA(config-aaa-server-host)# ldap-scope subtree
ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
ASA(config-aaa-server-host)# ldap-login-password roshan123#
ASA(config-aaa-server-host)# ldap-login-dn CN=administrator,CN=Users,DC=roshanznet,DC=local
ASA(config-aaa-server-host)# server-type microsoft


You can test the authentication as follows:
ASA# test aaa authentication AD host 11.2.2.20 username roshan password C1sc0#adm

roshan is a username I created on AD and its password is C1sc0#adm. The following output is displayed if everything works.
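As an added example (not part of the original post), the following Python script audits an ASA aaa-server host block in running-config form for the two weaknesses noted above: cleartext LDAP and binding as the built-in Administrator. The sample config is constructed from the commands on this page with a placeholder password; the svc-asa-ldap service account in the hardened variant is hypothetical.

```python
import re

# Constructed sample in running-config form, mirroring the post's commands
# (the bind password is shown as a placeholder, not the real value).
WEAK_CONFIG = """\
aaa-server AD protocol ldap
aaa-server AD (INSIDE) host 11.2.2.20
 ldap-base-dn DC=roshanznet,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <bind-password>
 ldap-login-dn CN=administrator,CN=Users,DC=roshanznet,DC=local
 server-type microsoft
"""

# Same block with both fixes applied (svc-asa-ldap is a hypothetical read-only account).
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "CN=administrator,", "CN=svc-asa-ldap,").replace(
    " server-type microsoft\n",
    " server-type microsoft\n ldap-over-ssl enable\n server-port 636\n")

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")

def parse_aaa_hosts(config):
    """Return one dict per 'aaa-server <tag> (<iface>) host <ip>' block."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"tag": m[1], "iface": m[2], "ip": m[3], "params": {}})
        elif hosts and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            hosts[-1]["params"][key] = value  # e.g. "ldap-scope" -> "subtree"
    return hosts

def audit_ldap_host(host):
    """Findings for one host block; an empty list means nothing was flagged."""
    p, findings = host["params"], []
    # Without LDAPS the bind DN/password and user credentials cross the wire in cleartext.
    if p.get("ldap-over-ssl") != "enable":
        findings.append("cleartext LDAP: add 'ldap-over-ssl enable' (server-port 636)")
    # The bind account only needs to read the directory; do not use Administrator.
    if p.get("ldap-login-dn", "").lower().startswith("cn=administrator,"):
        findings.append("bind DN is the built-in Administrator; use a read-only service account")
    return findings

def audit_config(config):
    """Map '<tag>/<ip>' -> findings for every aaa-server host block in the config."""
    return {f"{h['tag']}/{h['ip']}": audit_ldap_host(h) for h in parse_aaa_hosts(config)}
```

Running audit_config over the output of "show running-config aaa-server" flags the weak block and returns no findings for the hardened one.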

