ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem
Hello
I configured LDAP authentication on the ASA for VPN users. In MS AD I have a group called 'VPN_Users', but this is a CN.
ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local
The path shown in AD is:
DN: CN=VPN_Users,OU=users,DC=company,DC=local
I want to allow only the users who are in the mentioned group, but it does not work. It seems that 'CN=VPN_Users' is not recognized as a group, but it is one.
Any idea or experience? Is it an IOS bug or what?
Thank you.
Hi Matus,
This is what you need.
Configuration to limit access to a particular Windows group on AD:
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local
!--- Name of group policy should be the group policy that you have configured on the ASA
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <AD-server-address>
 server-port 389
 ldap-base-dn DC=company,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <bind-account-DN>
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
group-policy VPN internal
group-policy VPN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value <pool-name>
!
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 1
 address-pools none
!
tunnel-group <tunnel-group-name> type remote-access
tunnel-group <tunnel-group-name> general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess
Just in case it does not work for you, get the following information: turn on 'debug ldap 255' on the ASA and connect with a user account that belongs to VPN_Users.
1.) show run ldap
2.) show run aaa-server
3.) show run tunnel-group
4.) show run group-policy
Or you can provide the 'sh run' of the ASA.
Jatin kone
Please rate helpful posts.
Tags: Cisco Security
Similar Questions
-
ASA 5520 - VPN access control using LDAP
I'm setting up an ASA 5520 for VPN access, with authentication and authorization using an LDAP server. I have successfully configured the tunnel and can access internal resources. What I want to do now is limit access to a specific AD group membership. Without membership in that group, a user cannot access the VPN.
My VPN client software for testing is Cisco Systems VPN Client version 5.0.05.0290. Group authentication is configured in a connection entry that identifies the tunnel group. I think I wrote that correctly.
The software version on the ASA is 8.3(1).
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. I found the thread below to be significantly useful, but there is obviously something that does not entirely mesh with my situation.
https://supportforums.Cisco.com/message/3232649#3232649
Thanks in advance for any thoughts and advice offered.
Configuration (AAA LDAP, group policy and tunnel group) is below.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.y.12
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.10
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.11
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
 address-pools none
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
group-policy vpn-pro internal
group-policy vpn-pro attributes
 wins-server value x.x.y.17 x.x.y.27
 dns-server value x.x.y.19 x.x.y.29
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec svc
 group-lock value vpn-pro
 default-domain value domain.com
 address-pools value ip-vpn-pro
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway 1800
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 authorization-required
tunnel-group vpn-pro type remote-access
tunnel-group vpn-pro general-attributes
 authentication-server-group LDAP
 authentication-server-group (outside) LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 strip-realm
 password-management
 strip-group
 authorization-required
tunnel-group NOACCESSGROUP type remote-access
tunnel-group NOACCESSGROUP general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
Hello
The configuration you are looking for is a feature called DAP (Dynamic Access Policy).
The following link will explain how to set it up.
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the helpful posts.
-
ASA VPN access by LDAP group
Hello, I have configured remote access VPN on the ASA with LDAP authentication, but I can't limit VPN access to a specific LDAP group.
Here is my config:
aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=Netuser,OU=Services users,OU=ASM HQ,dc=company,dc=com
 server-type microsoft
 ldap-attribute-map AZPBTDC01
ldap attribute-map AZPBTDC01
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Admin,OU=ASM group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools none
group-policy RA_ADMIN_GP internal
group-policy RA_ADMIN_GP attributes
 dns-server value 192.168.10.251
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_RA_ACL_ADMIN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy NOACCESS
tunnel-group IPSEC_RA_ADMIN type remote-access
tunnel-group IPSEC_RA_ADMIN general-attributes
 authentication-server-group LOCAL AZPBTDC01
 authorization-server-group AZPBTDC01
 default-group-policy RA_ADMIN_GP
The problem is that all domain users can connect to the VPN. The ASA does not filter by group: users who are not in the VPN_Admin group can connect, but they should not be able to.
Even if it is possible to make this approach work, I wouldn't do it this way. Use DAP (Dynamic Access Policy) instead.
The instructions for this are here:
Search for "Active Directory group" to jump directly to the corresponding section. Note that you may need two DAP policies: one to match users in VPN_Admin and another, default policy to deny access to everyone else.
Note that for the default "catch-all" deny policy, I often make it pop up a message to the end user saying that they do not have VPN access and should contact xxx if they want to fix it.
-
Cisco ASA and LDAP authentication
Hi all,
I have a problem with LDAP authentication.
I have a Cisco ASA 5510 and Windows Server 2008 R2.
I created the LDAP authentication:
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
 server-port 389
 ldap-base-dn dc=systems,dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=users,OU=users,DC=network,DC=local
 server-type microsoft
but when I test, I get an error (the user account works directly on the server):
test aaa-server authentication LDAPGROUP host 10.0.1.30 username test password *
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified
Help, please.
Regards
Frédéric
You have the account with username 'user' in 'reseaux.local' and 'Utilisateurs.reseau.local'?
If so, can you check whether they are two different AD domains? The bug pointed out that the ASA does not support authentication via LDAP referrals across multiple domains.
You might consider using an AD administrator account in 'reseaux.local' for the ASA to connect to AD.
-
OmniPass LDAP on Cisco ASA 8.2(1)
Dear security experts,
I am facing a problem trying to set up LDAP integration on a Cisco ASA firewall. The requirement is to allow remote VPN access to a specific group set up in AD. When I checked the debug logs ("debug ldap 255"), they show that authentication with the LDAP server is successful, but the LDAP attribute does not get mapped, and for this reason the tunnel-group uses the default group policy 'NOACCESS' (vpn-simultaneous-logins set to zero), resulting in zero connections.
I confirmed this by changing the NOACCESS value from zero to one and found that the VPN connects.
The user account name is testvendor, who belongs to the group Test-Vendors.
Could you kindly advise me on what I am missing in this configuration? Help on this is highly appreciated.
The configuration and debug output are shown below.
SHOW RUN
ldap attribute-map ABC-VENDOR
 map-name memberOf Group-Policy
 map-value memberOf CN=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
aaa-server ldapvend protocol ldap
aaa-server ldapvend (inside) host 10.1.141.7
 ldap-base-dn DC=abc,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
 server-type microsoft
 ldap-attribute-map ABC-VENDOR
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy Allow-Vendor internal
group-policy Allow-Vendor attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.141.7
 default-domain value ABC.org
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
tunnel-group ABC-AD-VENDOR type remote-access
tunnel-group ABC-AD-VENDOR general-attributes
 address-pool vendor_pool
 authentication-server-group ldapvend
 default-group-policy NOACCESS
tunnel-group ABC-AD-VENDOR ipsec-attributes
 pre-shared-key *
Note: I tried the map-values below under the ldap attribute-map ABC-VENDOR as part of troubleshooting:
 map-value memberOf CN=Test-Vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
 map-value memberOf CN=Test-Vendors,OU=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
 map-value memberOf CN=testvendor,OU=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
DEBUG LDAP 255
[454095] Session Start
[454095] New request Session, context 0xb1f296b0, reqType = Authentication
[454095] Fiber started
[454095] Creating LDAP context with uri=ldap://10.1.141.7:389
[454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
[454095] supportedLDAPVersion: value = 3
[454095] supportedLDAPVersion: value = 2
[454095] Binding as ldapvpn
[454095] Performing Simple authentication for ldapvpn to 10.1.141.7
[454095] LDAP Search:
        Base DN = [DC=abc,DC=local]
        Filter  = [sAMAccountName=testvendor]
        Scope   = [SUBTREE]
[454095] User DN = [CN=testvendor,OU=Test-Vendors,OU=users,OU=Abc,DC=abc,DC=local]
[454095] Talking to Active Directory server 10.1.141.7
[454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-Vendors,OU=users,OU=Abc,DC=abc,DC=local
[454095] Read bad password count 0
[454095] Binding as testvendor
[454095] Performing Simple authentication for testvendor to 10.1.141.7
[454095] Processing LDAP response for user testvendor
[454095] Message (testvendor):
[454095] Password policy current
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]   objectClass: value = top
[454095]   objectClass: value = person
[454095]   objectClass: value = organizationalPerson
[454095]   objectClass: value = user
[454095]   cn: value = testvendor
[454095]   givenName: value = testvendor
[454095]   distinguishedName: value = CN=testvendor,OU=Test-Vendors,OU=users,OU=Abc,DC=abc,DC=local
[454095]   instanceType: value = 4
[454095]   whenCreated: value = 20111019133739.0Z
[454095]   whenChanged: value = 20111030135415.0Z
[454095]   displayName: value = testvendor
[454095]   uSNCreated: value = 20258545
[454095]   uSNChanged: value = 20899179
[454095]   name: value = testvendor
[454095]   objectGUID: value = )u >. v.H. 6 >... u.Z
[454095]   userAccountControl: value = 66048
[454095]   badPwdCount: value = 0
[454095]   codePage: value = 0
[454095]   countryCode: value = 0
[454095]   badPasswordTime: value = 129644550477428806
[454095]   lastLogoff: value = 0
[454095]   lastLogon: value = 129644551251183846
[454095]   pwdLastSet: value = 129635050595360564
[454095]   primaryGroupID: value = 513
[454095]   userParameters: value = m: d.
[454095]   objectSid: value = ... n ' J.h.0...
[454095]   accountExpires: value = 9223372036854775807
[454095]   logonCount: value = 0
[454095]   sAMAccountName: value = testvendor
[454095]   sAMAccountType: value = 805306368
[454095]   userPrincipalName: value = [email protected]
[454095]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095]   msNPAllowDialin: value = TRUE
[454095]   dSCorePropagationData: value = 20111026081253.0Z
[454095]   dSCorePropagationData: value = 20111026080938.0Z
[454095]   dSCorePropagationData: value = 16010101000417.0Z
[454095]   lastLogonTimestamp: value = 129638228546025674
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End
I'm not an AD expert unfortunately, but I found this, which might help:
http://forkbomb.dadacafe.org/blog/Active_Directory_lacks_memberOf_attribute_for_unknown_reason_.._/
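The debug output in this thread shows the pattern worth checking for whenever the NOACCESS default policy wins: the bind succeeds, but the "Retrieved User Attributes" list carries no memberOf at all, so there is nothing for the attribute map to match. The script below is an added example (not code from this thread or from Cisco) that parses "debug ldap 255" output and reports which group-policy a login resolves to and why; the attribute map, the exact-DN matching rule and the sample debug lines are constructed assumptions.

```python
"""Analyse Cisco ASA 'debug ldap 255' output for a remote-access VPN login and
report which group-policy the user ends up in and why.
Added example, not code from the forum thread. The attribute map, the matching
rule (exact comparison of the full group DN) and the debug lines are assumptions."""
import re
from dataclasses import dataclass, field

# Hypothetical equivalent of the thread's 'ldap attribute-map':
#   map-name  memberOf Group-Policy
#   map-value memberOf "CN=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local" Allow-Vendor
ATTRIBUTE_MAP = {"CN=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local": "Allow-Vendor"}
DEFAULT_GROUP_POLICY = "NOACCESS"  # the tunnel-group's default-group-policy

_SESSION_LINE = re.compile(r"^\[\d+\]\s*(.*)$")          # "[454095] ..." prefix
_ATTR_LINE = re.compile(r"^(\w+):\s*value\s*=\s*(.*)$")  # "memberOf: value = ..."


@dataclass
class LdapSession:
    user: str = ""
    user_dn: str = ""
    authenticated: bool = False
    attributes: dict = field(default_factory=dict)  # attribute name -> values


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so 'CN = x, OU = y' and 'cn=x,ou=y' compare equal
    (simplified: escaped commas inside an RDN value are not handled)."""
    rdns = ("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(","))
    return ",".join(rdns).lower()


def parse_debug(text: str) -> LdapSession:
    """Pull user, DN, bind result and retrieved attributes out of the debug text."""
    s = LdapSession()
    in_attrs = False
    for raw in text.splitlines():
        m = _SESSION_LINE.match(raw.strip())
        if not m:
            continue
        line = m.group(1).strip()
        if line.startswith("User DN = ["):
            s.user_dn = line[len("User DN = ["):].rstrip("]")
        elif line.startswith("Authentication successful for "):
            s.authenticated = True
            s.user = line.split()[3]
        elif line.startswith("Retrieved User Attributes"):
            in_attrs = True
        elif in_attrs:
            a = _ATTR_LINE.match(line)
            if a:
                s.attributes.setdefault(a.group(1), []).append(a.group(2).strip())
    return s


def explain(s: LdapSession, attribute_map=ATTRIBUTE_MAP, default_gp=DEFAULT_GROUP_POLICY):
    """Return (group_policy, reason_code, detail) for one debug session."""
    if not s.authenticated:
        return default_gp, "auth-failed", "bind as the user did not succeed"
    groups = s.attributes.get("memberOf", [])
    if not groups:
        # The failure mode shown on the page: the bind succeeds but the attribute
        # list carries no memberOf (user in no group, or a Global Catalog port was
        # queried), so nothing can be mapped and the default policy applies.
        return default_gp, "no-memberof", "directory returned no memberOf values"
    wanted = {normalize_dn(k): v for k, v in attribute_map.items()}
    for g in groups:
        gp = wanted.get(normalize_dn(g))
        if gp:
            return gp, "mapped", f"{g} -> {gp}"
    return (default_gp, "no-match",
            "memberOf present but no value equals a map-value DN: " + "; ".join(groups))


# Constructed sample modelled on the page's debug output: authentication
# succeeds, but the directory returns no memberOf attribute at all.
SAMPLE_NO_MEMBEROF = """\
[454095] Session Start
[454095] Binding as ldapvpn
[454095] User DN = [CN=testvendor,OU=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local]
[454095] Binding as testvendor
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]   objectClass: value = user
[454095]   sAMAccountName: value = testvendor
[454095]   userAccountControl: value = 66048
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End
"""
# Constructed: same session, but the group membership is returned and matches.
SAMPLE_MAPPED = SAMPLE_NO_MEMBEROF.replace(
    "[454095]   sAMAccountName: value = testvendor",
    "[454095]   sAMAccountName: value = testvendor\n"
    "[454095]   memberOf: value = CN=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local")

if __name__ == "__main__":
    for label, sample in (("no memberOf", SAMPLE_NO_MEMBEROF), ("mapped", SAMPLE_MAPPED)):
        gp, code, detail = explain(parse_debug(sample))
        print(f"{label:11s} -> group-policy {gp} [{code}]: {detail}")
```

Feed it the real debug capture (the "[nnn]"-prefixed lines) and a map-value DN copied from the group's distinguishedName; a "no-match" result means the DN in the map-value differs from what the directory returned, and "no-memberof" means the attribute never arrived.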
-
LDAP on ASA with attribute-map problem (OpenLDAP)
Hello, everyone:
I have an ASA; the software version is 9.1. I have an OpenLDAP server, and I want the ASA to use the LDAP database for AnyConnect VPN user authentication. I've already finished that. Now I have a problem: I want to assign different user groups different group policies. I use internal group policies on the ASA. I want to know how to get this group-policy attribute through LDAP.
Note: I differentiate users by OU on OpenLDAP, for example ou=manager, ou=sales, ou=engineer.
Thank you, everyone.
Hello.
Here's what you're looking for ;)
ASA Use of LDAP Attribute Maps Configuration Example
Kind regards.
#Rohan
-
LDAP AAA for VPN configuration
Preface: I'm completely new to Cisco configuration and learning as I go.
I'm at the stage of configuring LDAP to configure a VPN on an ASA 5520, software release 8.3(1). Having previously set up and successfully tested RADIUS authentication, I tried to use similar logic to implement LDAP authentication/authorization. I have acquired a service account that queries AD for the registered user's identification information. My main resource was the following manual: Cisco ASA 5500 Series Configuration Guide using the CLI, Software Version 8.3. I initially did the configuration using ASDM, but could not get the tests to succeed, so I erased the ASDM configs and went to the CLI. Here is the configuration.
aaa-server AAA_LDAP protocol ldap
aaa-server AAA_LDAP (inside) host 10.20.30.40
 server-port 636
 ldap-base-dn domain.ad
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password 8 *
 ldap-login-dn cn=commonname,OU=ou01,ou=ou02,dc=domain,dc=ad
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_ATTRIB
---
tunnel-group ASA_DEFAULT type remote-access
tunnel-group ASA_DEFAULT general-attributes
 authorization-server-group AAA_LDAP
---
ldap attribute-map LDAP_ATTRIB
 map-name MemberOf IETF-Radius-Class
 map-value MemberOf "VPN users" asa_default
---
I tested all the ldap-naming-attribute alternatives listed, with the same results.
When I test authentication using this configuration, I get the following error: ERROR: Authentication Server not responding: AAA Server has been removed
When I test authorization using this setup, I get the same error (except for the word authorization instead of authentication).
I am at a total loss. Any help would be appreciated.
I would use ldp.exe to make sure that the syntax of your ldap-login-dn is exactly as you have it in your config; it really helps to just copy and paste.
The problem I see is the following:
[210] Binding as st_domadm
[210] Performing Simple authentication for st_domadm to 10.20.30.30
[210] Simple authentication for st_domadm returned code (49) Invalid credentials
[210] Failed to bind as administrator returned code (-1) Can't contact LDAP server
I suppose your ldap-login-dn is st_domadm and you are trying to test with the administrator account?
Thank you
Tarik
-
Hello!
Does anyone know if the Cisco ASA 5500 supports LDAP authentication against Netware 6.x servers via the Cisco VPN client? / Best regards
Jonny,
LDAP servers are supported in ASA 7.1 and higher.
Please see the URL below for more information:
http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_1/conf_gd/AAA.htm#wp1072211
I hope it helps.
Kind regards
Arul
* Please rate all helpful posts *
-
Trying to authenticate users in an LDAP group - all users authenticated
The ASA successfully authenticates all users, whether or not they are in the OKCVPNAccess user group, and the ASA correctly sees the LDAP attribute map. There is only a single policy.
[54] memberOf: value = CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
[54] mapped to IETF-Radius-Class: value = LDAPPolicy
I've been through a lot of documentation on Cisco's web sites and have also looked at several forums, but I'm coming up blank as to what I can try next. I know it will work with RADIUS, and I've used RADIUS several times in the past, but this isn't an option: I was asked to do it with LDAP. Any suggestions? I've included part of the setup; I tried to sanitize it somewhat, so there may be a name inconsistency here or there.
Thank you
ldap attribute-map LDAPMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.12.34.248
 server-port 389
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn xxx\vpn.auth
 server-type microsoft
 ldap-attribute-map LDAPMAP
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map CRYPTO-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
group-policy CRYPTOGP internal
group-policy CRYPTOGP attributes
 banner value Use of this system is... Please log out immediately!
 dns-server value 10.12.34.248 10.129.8.136
 vpn-tunnel-protocol IPSec
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 default-domain value xxx.local
tunnel-group CRYPTO-OKC-VPN type remote-access
tunnel-group CRYPTO-OKC-VPN general-attributes
 authentication-server-group LDAP
 address-pool IPPOOL
 default-group-policy CRYPTOGP
 authentication-server-group LDAP
tunnel-group CRYPTOOKC-VPN ipsec-attributes
 pre-shared-key *
In my view, the LDAP map is just for mapping an LDAP attribute to an appropriate group policy; you can control user access with the group policy.
Here is an example.
After the user connects to the VPN, can you use "show vpn-sessiondb" to check which group policy is used?
Moreover, I did not see 'LDAPPolicy' defined in your configuration.
-
ASA5510 LDAP authentication on W2K3 AD domains
Does LDAP authentication work across all of the W2K3 Active Directory domains with several ASA5510 firewalls? Or do I need to configure another authentication type? If I use another type of authentication, should I have specific portals with special bookmarks based on logins?
The ASA can, via the LDAP protocol, do multi-domain searches using the Active Directory Global Catalog Server (AD-GCS) within a single AD forest.
For more information about Global Catalog server features and configuration, please consult the Microsoft documentation.
AD-GCS uses the special port 3268 for insecure operations and port 3269 for secure ones (LDAP-S).
The ASA CLI configuration:
With the CLI, configure an AAA server for AD-GCS on the ASA/PIX platform.
ASA# show running-config aaa-server GC
aaa-server GC protocol ldap
aaa-server GC host 10.10.1.1
 server-port 3268
 ldap-base-dn DC=MyDomain,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-password *
 ldap-login-dn CN=ldap-reader,OU=employees,DC=MyDomain,DC=com
 server-type microsoft
Note 1: The client must have an attribute that is unique and simple in AD so that it can be used for LDAP searches. userPrincipalName or sAMAccountName are usually unique attributes that can be used.
In this example, based on the naming-attribute userPrincipalName, the VPN user would then log in with [email protected].
Note 2: In Global Catalog mode, not all LDAP attributes are returned (for example memberOf) to allow the ASA to make policy decisions, say through Dynamic Access Policies https://supportforums.cisco.com/docs/DOC-1369 .
-
Hello
As described in the title, I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 version 8.4 with a Premium SSL licence.
Clients use a machine certificate to authenticate to the ASA. That works very well.
Now I want to set up a DAP to check the client against Microsoft AD using LDAP. I have configured the LDAP server on the ASA as follows:
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
 ldap-base-dn DC=x,DC=x,DC=x,DC=com
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn *
 server-type microsoft
I see that it works if I test via the server test button in ASDM, and I also see it in the CLI with "debug ldap 255". But if I configure in DAP: AAA attribute ID: memberOf = Membre_domaine, I can't see any request to the LDAP server when I try to connect with the client, and it does not match the DAP.
Any idea where the problem lies?
Thanks in advance
Hi Klaus,
DAP will not make any LDAP call itself; it will only act based on the LDAP attributes received via LDAP authentication or authorization.
So you will need to enable LDAP authorization in the tunnel-group or connection profile.
Once you have, you can use either DAP or an LDAP attribute map for accept/deny access; see the example of these two methods.
HTH
Herbert
-
Remote access VPN authentication with LDAP
I have a test environment with two ASA 5505 firewalls: the first firewall is a remote access VPN server, and inside this firewall is a domain network with a domain controller, DNS server and a workstation. DHCP is disabled and the PCs have static addresses. The outside of the VPN server is attached to the outside of the other ASA 5505 firewall. On the inside of that firewall there is a workstation. The workstation should connect via remote access VPN to the domain network. I have configured the VPN server for remote access through a wizard, and its
configuration is the following
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.13.74.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name dri.local
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record vpnldap
network-acl inside_nat0_outbound
aaa-server vpn protocol ldap
aaa-server vpn (inside) host 10.13.74.20
ldap-base-dn DC=DRI,DC=LOCAL
ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=test,cn=users,dc=dri,dc=local
server-type microsoft
http server enable
http 10.13.74.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.13.74.9-10.13.74.40 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 10.13.74.20 10.8.2.5
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value dri.local
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d
: end
When I try from the workstation on the inside of the second firewall (not the remote access VPN server) to connect to the VPN, everything is OK. I used the Cisco VPN client, but I can't ping the domain controller or the workstation, and I can't use the shared folders on them. Why?
Please help me.
Thank you
Thanks for letting me know! Can you please mark the post "answered"? Thank you!
-
El Capitan LDAP authentication
I am trying to set up LDAP authentication on an El Capitan MacBook. I've prepared an OpenLDAP server on a Linux host with the necessary users. This LDAP was added in Directory Utility as LDAPv3 with the RFC2307 set of mappings.
The computer can connect to LDAP, because a green circle is shown in:
Users & Groups > Login Options > Network Account Server > hostname of the LDAP server
The problem is that the user is unable to log in using LDAP. No matter what I enter at the login prompt (including the complete DN), I can see this log entry:
SecurityAgent: Unknown user "adrian" login attempt PASSED for audit.
How can I find out more about the login?
Although Apple's own Open Directory is based on OpenLDAP, it is not the same. Not only do you have to add additional entries to OpenLDAP, i.e. Apple's own LDAP schema, but you also need to configure Kerberos on the Linux server, as Open Directory uses a combination of LDAP and Kerberos for authentication.
In my view, it is possible to do all the extra steps to get a Linux server to fully act as the equivalent of an Open Directory server, but you're barely halfway there.
See - http://deepport.net/archives/setting-up-a-linux-server-for-os-x-clients/
and - http://www.torriefamily.org/~torriem/wiki/computer_stuff:opendir_and_ldap
These articles do not cover Kerberos, but perhaps have additional useful information beyond the previous link.
See - http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/
-
Cisco AnyConnect VPN with LDAP AAA
Hi there, I was hoping that someone could point me in the right direction here. I created a VPN connection profile to match AnyConnect SSL clients connecting in. I would like to use LDAP group membership as a prerequisite for authentication. I found a few online pages on what to do about it, which I followed. Unfortunately, my connection profile seems to allow access to any user in the LDAP database, not only those in the LDAP group. I'll post the relevant bits of the config here in the hope that someone can spot my mistake!
The idea of the config is to have the 2 default connection profiles fall back to a NoAccess policy which has 0 simultaneous connections, and to have the SSL_VPN connection profile map AnyConnect SSL clients to the GroupPolicy_SSL_VPN group policy.
ip local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51-10.0.5.254 mask 255.255.255.0
nat (inside_int,any) source static NetworkGroup_Internal_networks NetworkGroup_Internal_networks destination static Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 no-proxy-arp route-lookup
ldap attribute-map AuthUsers
 map-name memberOf Group-Policy
 map-value memberOf "CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=network,OU=resources,OU=CONTOSO,OU=security,OU=Groups,DC=CONTOSO,DC=group"
dynamic-access-policy-record DfltAccessPolicy
aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
 ldap-base-dn DC=CONTOSO,DC=group
 ldap-group-base-dn DC=CONTOSO,DC=group
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA_LDAP_USER,OU=network,OU=accounts,DC=CONTOSO,DC=group
 server-type microsoft
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
ssl trust-point ASDM_TrustPoint4 outside_int
webvpn
 enable outside_int
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 default-domain value CONTOSO.group
 split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
 wins-server none
 dns-server value 10.0.0.45
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value SSL_VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 default-domain value CONTOSO.group
 split-tunnel-all-dns enable
 address-pools value CONTOSOVICVPN_DHCP_POOL
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy NoAccess
 authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NoAccess
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool CONTOSOVICVPN_DHCP_POOL
 authentication-server-group CONTOSOVIC_LDAP
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy GroupPolicy_SSL_VPN
 authorization-required
tunnel-group SSL_VPN webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable
You must specify the NoAccess group policy as the default group policy for the SSL_VPN tunnel group.
Remember to rate helpful answers. :)
-
Hello
I am able to get LDAP authentication working for the VPN, but when I test with a user that is not in the VPN group in AD, they are still able to authenticate and access the VPN. I'm at a loss as to what the real problem is, because everything seems to be set correctly.
I attached ldap debug logs for a user that works properly and for a user that does not work properly. I think users should be able to authenticate if they are in the group JOB_ADMINS_VPN, and if they are not in this group then they should be denied VPN connection rights.
ldap attribute-map JOB_ADMIN_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net" JOB_ADMINS
aaa-server JOB_ADMINS protocol ldap
aaa-server JOB_ADMINS (Prod) host 10.5.1.11
 ldap-base-dn DC=test,DC=net
 ldap-group-base-dn OU=VPN,DC=test,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net
 server-type microsoft
 ldap-attribute-map JOB_ADMIN_MAP
I think I'm missing something small, but I don't know what it is. Any input on this issue will be greatly appreciated.
Thank you!
Please review the config listed below and see what you are missing; otherwise post the "sh run" of the ASA.
Configuration to limit access to a particular Windows group in AD
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 1
 address-pools none
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD
 server-port 389
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map LDAP-MAP
group-policy internal
group-policy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value
.....
.....
tunnel-group type remote-access
tunnel-group general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NoAccess
!
!
group-policy noaccess attributes
 vpn-simultaneous-logins 0
Jatin kone
-Do rate helpful posts-
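Both answers above rely on the same mechanism: the ldap attribute-map turns a matching memberOf DN into a group policy, and a user whose memberOf values match nothing falls through to the tunnel group's default-group-policy, which is why that default has to be the NoAccess policy. The Python below is an added example, not Cisco code or anything posted in the thread; it models that lookup with the JOB_ADMINS_VPN group from the second post, and the DN normalization and the simultaneous-login values are assumptions.

```python
"""Added example (not Cisco's code): a model of how an ASA-style ldap
attribute-map picks a group policy from a user's memberOf values, and why
the tunnel-group default-group-policy must be the NoAccess policy.
DN normalization is an assumption made here for the demo; on a real ASA the
map-value string has to match the DN that AD returns."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    simultaneous_logins: int  # vpn-simultaneous-logins; 0 means nobody gets in


def normalize_dn(dn: str) -> str:
    """Drop whitespace around '=' and ',' and fold case."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


# ldap attribute-map:  map-name memberOf Group-Policy
#                      map-value memberOf "<group DN>" <group-policy>
ATTRIBUTE_MAP = {
    normalize_dn("CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net"): "JOB_ADMINS",
}

# group-policy objects (names from the thread, login counts constructed)
POLICIES = {
    "JOB_ADMINS": GroupPolicy("JOB_ADMINS", 1),
    "GroupPolicy_SSL_VPN": GroupPolicy("GroupPolicy_SSL_VPN", 1),
    "NoAccess": GroupPolicy("NoAccess", 0),
}


def assign_policy(member_of: list, default_policy: str) -> str:
    """The first memberOf DN with a map-value wins; with no match the
    tunnel-group default-group-policy applies."""
    for dn in member_of:
        mapped = ATTRIBUTE_MAP.get(normalize_dn(dn))
        if mapped is not None:
            return mapped
    return default_policy


def login_allowed(member_of: list, default_policy: str) -> bool:
    return POLICIES[assign_policy(member_of, default_policy)].simultaneous_logins > 0


# Constructed sample users: one in the VPN group, one only in a staff group.
ADMIN = ["CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net", "CN=Staff,OU=Groups,DC=test,DC=net"]
STAFF = ["CN=Staff,OU=Groups,DC=test,DC=net"]
```

With the tunnel group's default set to GroupPolicy_SSL_VPN, login_allowed(STAFF, ...) is True even though STAFF matches no map-value; with NoAccess as the default it is False and only ADMIN, whose memberOf maps to JOB_ADMINS, gets in.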