AD:Administrator/Password IP:172.16.1.250
    domain: home.local

    1. aaa-server ldap protocol ldap
    2. aaa-server ldap (inside) host 172.16.1.250
    3. ldap-base-dn dc=home,dc=local
    4. ldap-scope subtree
    5. ldap-login-password Password
    6. ldap-login-dn cn=Administrator,cn=users,dc=home,dc=local
    8. 验证:
    9. ciscoasa(config)# test aaa-server authentication ldap username joker password $
    10. Server IP Address or name: 172.16.1.250
    11. INFO: Attempting Authentication test to IP address (172.16.1.250) (timeout: 12 seconds)
    12. INFO: Authentication Successful
    14. Anyconnect 配置:
    15. ciscoasa(config)# show run ip local pool
    16. ip local pool ip 10.0.0.1-10.0.0.10
    18. ciscoasa(config)# show run webvpn
    19. webvpn
    20.  enable inside
    21.  anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
    22.  anyconnect enable
    23.  tunnel-group-list enable
    24.  cache
    25.   disable
    26.  error-recovery disable
    28. ciscoasa(config)# show run group-policy
    29. group-policy ad internal
    30. group-policy ad attributes
    31.  vpn-tunnel-protocol ssl-client ssl-clientless
    32.  address-pools value ip
    34. ciscoasa(config)# show run tunnel-group
    35. tunnel-group ad type remote-access
    36. tunnel-group ad general-attributes
    37.  authentication-server-group ldap
    38.  default-group-policy ad
    39. tunnel-group ad webvpn-attributes
    40.  group-alias ad enable

    ASA self signed cert.

    1. Notes:
    3. -The URL for  your webvpn should be used as the fqdn and subject-name in the  trustpoint config. If they do not match, you will see errors about a  mismatch when you access your webvpn URL and the certificate is  presented.
    5. -This is a self-signed cert. That means the end users  browser does not have any knowledge of the ASA as a CA authority. This  means you have to install the cert the first time it is presented to say  you trust the ASA as a CA authority. You should only need to install it  once.
    7. 1. Prepare your ASA:
    9. hostname  myasa
    11. domain-name cisco.com
    13. clock set 00:00:00 1 Jan 2010
    15. clock  set timezone EST -5
    17. 2. Get to creating the  certificate:
    19. crypto key generate rsa label sslvpnkeypair  modulus 1024
    21. crypto ca trustpoint self
    23.      enroll self
    25.       fqdn myasa.cisco.com
    27.      subject-name CN=myasa.cisco.com
    29.       keypair sslvpnkeypair
    31. crypto ca enroll self noconfirm
    33. 3.  Apply the new certificate:
    35. ssl trust-point self outside
    37. 4.  Save the config:
    39. write mem