DAP using LDAP and Cisco attributes
I would like to be able to implement a dynamic access policy such that users meeting all of the following conditions:
Cisco.GroupPolicy = Sales
ldap.memberOf = Remote_Access
get a specific set of access. My connection profile uses a RADIUS server to authenticate and assign the group policy.
Is it possible to do this? So far it doesn't seem to work for me.
Hi Luis,
If you want to use LDAP attributes in your DAP policy, you will need to use LDAP for authentication or authorization in your tunnel-group.
So you will either have to replace RADIUS with LDAP for authentication, or keep RADIUS for authentication and add LDAP for authorization on top.
HTH
Herbert
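The second arrangement Herbert describes (keep RADIUS for authentication, add LDAP for authorization so that DAP receives ldap.* attributes), as an added ASA configuration example. It is not from the original post: the server addresses, the SALES-VPN tunnel-group, the Sales group policy, the address pool and the svc-asa service account are assumed values.

```cisco
! Added example, not from the original post. Addresses, names and the
! service account are assumptions; replace them with your own values.
!
! RADIUS server: authenticates the user and returns the group policy
! (this is what populates cisco.grouppolicy for DAP).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.6
 key *****
!
! LDAP (Active Directory) server used only for authorization, i.e. to
! look up the RADIUS-authenticated username and fetch its attributes
! (memberOf etc.), which DAP then sees as ldap.<attribute>.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.5
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=svc,dc=example,dc=com
 ldap-login-password *****
 server-type microsoft
!
group-policy Sales internal
ip local pool SALES-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
 address-pool SALES-POOL
 authentication-server-group RADIUS
 authorization-server-group LDAP
 authorization-required
 default-group-policy Sales
```

With authorization-server-group set, the ASA performs an LDAP search for the username that RADIUS accepted and makes the returned attributes available to DAP alongside the RADIUS-assigned group policy; authorization-required additionally rejects users that the LDAP lookup cannot find. The DAP record itself, with the AAA criteria from the question (Cisco.GroupPolicy = Sales and ldap.memberOf = Remote_Access), is created in ASDM under Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies. To check what the ASA actually sees, run debug ldap 255 and debug dap trace during a test login: if no ldap.* attributes show up in the DAP trace, the authorization lookup is not happening.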
Tags: Cisco Security
Similar Questions
-
Double authentication using LDAP and RSA
I would like to use LDAP and RSA (double authentication) for my SSL VPN clients. Can I authenticate users if my logon page requires users to enter a second username? If I have the configuration so that they only have to enter their username once, no authentication attempt is passed to the authentication servers. I am running debugs on LDAP and RADIUS (for RSA), which is how I know that authentication is never attempted if they only enter their username once on the login page.
If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication succeeds.
Does anyone know how to configure the ASA so that they only have to enter their username once while using LDAP (primary) and RSA (RADIUS) (secondary)?
Thanks in advance.
Matt
Hi Matt,
I just tried on 8.3(2) and it works as expected. I suspect that you are running into this bug:
CSCte66568 Double authentication broken in 8.2.2 when use-primary-username is configured.
If you are running 8.2, upgrade to 8.2(3) and you should be fine.
HTH
Herbert
-
Security using LDAP and RPD users
Hello
I need 5 dummy users in the RPD. I don't want to give them administrator privileges because they are not allowed to see everything in my dashboard. My authentication works using an LDAP server; is it possible to let these dummy users log in as well as those on the LDAP server?
I don't think it's possible to use both the default BI Server authentication and LDAP authentication. You can still have multiple LDAP servers for authentication. You can ask for 5 service accounts to be created in the LDAP for OBIEE and assign privileges accordingly so they see only the needed dashboards.
Please award helpful points,
Thank you
-Laurence.
-
BI Server uses LDAP and BI Publisher uses BI server auth - can this work?
Hello
I've set up the OBIEE BI Server to use our MS Active Directory LDAP repository for authentication purposes. It works perfectly.
On the other hand, BI Publisher is configured to use BI Server authentication. I can see the XMLP_* groups there, but obviously there are no users defined in the BI Server to add to them!
The reason why I want to use this configuration is that another department is responsible for maintaining the AD, and it would make things easier if we could maintain BI Publisher access ourselves, through the BI Server admin tool.
Something tells me that's not possible, but I was wondering if there is any workaround or tip for this problem?
Thank you
Luis
With ADSI, you cannot import users and groups. You then create a session variable initialization block with an external table:
See an example here:
http://obieeblog.WordPress.com/2009/06/18/OBIEE-security-enforcement-%E2%80%93-external-database-table-authorization/
See you soon
Nico
-
Hello
As described in the title, I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 running version 8.4 with a Premium SSL licence.
Clients use a machine certificate to authenticate to the ASA. This works very well.
Now I want to set up a DAP to check the client against Microsoft AD using LDAP. I have configured the LDAP server on the ASA as follows:
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
 ldap-base-dn DC=x,DC=x,DC=x,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn *****
 server-type microsoft
I see that it works when I test it with the server test button in ASDM, and I also see it in the CLI with "debug ldap 255". But if I configure the AAA attribute ID memberOf = Membre_domaine in the DAP, I can't see any request to the LDAP server when I try to connect with the client, and it does not match the DAP.
Any idea where the problem lies?
Thanks in advance
Hi Klaus,
DAP will not make any LDAP call itself; it will only act on the LDAP attributes received via LDAP authentication or authorization.
So you will need to enable LDAP authorization in the tunnel-groups / connection profiles.
Once you have, you can either use DAP or an LDAP attribute map for accept/deny access; see the examples of these two methods.
HTH
Herbert
-
ACS 5.2 - 802.1X user authentication with MSCHAPv2 using an LDAP identity source
Hello community,
I use ACS 5.2 as the authentication solution in my network. I configured two scenarios: network access with access policies, and device administration.
Currently I have a few devices configured: 1 ASA (using RADIUS), 1 WLC-5508 (using RADIUS), 1 2960S (using TACACS+). And I set up an external identity store using LDAP (I can see and select all groups without problem).
Everything works fine. My next step was to configure users to authenticate with 802.1X through ACS against my LDAP database.
Assuming that all configurations are correct on all devices (when I use the internal database it works very well), these are the logs/configurations in ACS:
At this point we can see the error:
22043 Current identity store does not support the authentication method; skipping it.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Access Policy
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current identity store does not support the authentication method; skipping it.
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
So, what can be the cause? Compatibility with LDAP?
Plinio,
Look at this doc.
There is a table which indicates that LDAP is not a database compatible with your EAP type (MSCHAPv2).
LDAP you can use with TLS, PEAP-GTC and EAP-FAST-GTC.
TLS uses certificates on both sides, supplicant and authentication server.
* GTC, if I'm not mistaken, is a WBS system to use with the EAP protocol.
Table B-5 User database and EAP authentication protocol compatibility

Identity store         EAP-MD5  EAP-TLS       PEAP-EAP-MSCHAPv2  EAP-FAST-MSCHAPv2  PEAP-GTC  EAP-FAST-GTC
ACS internal           Yes      Yes (note 2)  Yes                Yes                Yes       Yes
Windows AD             No       Yes           Yes                Yes                Yes       Yes
LDAP                   No       Yes           No                 No                 Yes       Yes
RSA identity store     No       No            No                 No                 Yes       Yes
RADIUS identity store  No       No            No                 No                 Yes       Yes
-
ACS 5.3: use LDAP for one SSID and the internal hosts store for a different SSID
I have 2 SSIDs on the WLCs.
I want SSID 1 to point to ACS RADIUS using the LDAP store, and SSID 2 to point to ACS RADIUS using the internal hosts identity store for MAC filtering.
Both scenarios work, but not both at the same time.
Depending on the rule order I can get one SSID working, but then the other fails.
Authentication failed:
22056 Subject not found in the applicable identity store(s).
Matched Access Service selection rule:
Rule-1
Matched Identity Policy rule:
Rule-1
Selected identity stores:
RBLDAP
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store -
24031 Sending request to primary LDAP server
24017 Looking up host in LDAP Server - 04-xx-xx-xx-xx-xx
24009 Host not found in LDAP server
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11003 Returned RADIUS Access-Reject
If I move the MAC address rule before the LDAP rule, the MAC lookup passes, but then the LDAP authentication fails:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - MAC filter network access
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - Internal Hosts
24209 Looking up host in internal Hosts IDStore - 04-xx-xx-xx-xx-xx
24211 Found host in internal Hosts IDStore
22037 Authentication Passed
I tried setting up the following without success.
It seems to me that there should be a simple process to do what I want. I thought that if the rule does not match it would move on to the next rule, etc.
I might be able to live with LDAP being checked first and, if it does not pass, falling back to the local host DB, but that seems ineffective.
https://supportforums.Cisco.com/thread/2133704
You can create an identity store sequence so that if the endpoint is not present in the LDAP database, it then checks the local host database.
Or you can create a condition in your service selection rule such that if Called-Station-ID ends with (ssidA) it matches the rule that points to LDAP, and another rule where Called-Station-ID ends with (ssidB) matches the rule that points to the local host database.
Here is the section on configuring the identity store sequence; don't forget to select "continue if user not found".
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...
Thank you
Sent from the Cisco Technical Support iPad App
-
Attribute mapping between LDAP and the ECM 11g internal user profile
Hi all
I use UCM 11g; is there a way to map user attributes between LDAP and the ECM 11g internal user profile? I tested with an attribute named homephone in the WLS embedded LDAP and created the homephone attribute in ECM 11g, but after login I can't find the value in the ECM 11g user profile.
Best regards
In earlier versions there was LDAPProvider, which was replaced by JpsUserProvider in 11g. This component allows you to do a bit in the interface, but there are a few more options which do not seem to be documented. For example, if you have a HomePhone field, enter 123456789 in it and then empty it, by default the JpsUserProvider component will not empty the field in the UCM. You can change this by entering ClearMissingAttributes=true in the provider.hda file. Or if you want to use the credentials, you will need to change provider.hda with ProviderCredentialsMap=name_of_map (my source for the latter was the ECM blog at http://blogs.oracle.com/ecmarch/2011/03/).
For more information on JpsUserProvider, look in the Administrator's Guide:
When to add JPS provider: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c02_settings007.htm#CSMSP496
Adding a JPS Provider: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c02_settings007.htm#BEIIAHHI
I hope this helps!
Frank.
-
Is it possible to use both external LDAP and external table authentication?
Hi, is it possible to use both external LDAP and external table authentication?
Would they both need initialization blocks to set the session system variable USER?
Thank you
Hello
I don't think it's possible to implement both LDAP and external table authentication together. The reasons are:
1. We cannot define two sources (LDAP and external DB) in the same initialization block for user information.
2. If two different initialization blocks (one for LDAP and one for the external DB) are used, we cannot use the variable USER twice, since it's a defined system variable.
Thank you
Swami
-
ASA 5520 - VPN access control using LDAP
I'm setting up an ASA 5520 for VPN access, with authentication and authorization using an LDAP server. I have successfully configured the tunnel, and I can access internal resources. What I want to do now is to limit access based on membership in a specific AD group. Without that group membership, a user cannot access the VPN.
My VPN client software for testing is Cisco Systems VPN Client version 5.0.05.0290. The group authentication is configured in a connection entry that identifies the tunnel group. I think I wrote that correctly.
The software version on the ASA is 8.3(1).
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. I found the thread below to be significantly useful, but there is obviously something which does not entirely mesh with my situation.
https://supportforums.Cisco.com/message/3232649#3232649
Thanking all in advance for any thoughts and advice offered.
Configuration (AAA LDAP, group policy and tunnel group) is below.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.y.12
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.10
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.11
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
 address-pools none
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
group-policy vpn-pro internal
group-policy vpn-pro attributes
 wins-server value x.x.y.17 x.x.y.27
 dns-server value x.x.y.19 x.x.y.29
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec svc
 group-lock value vpn-pro
 default-domain value domain.com
 address-pools value ip-vpn-pro
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway 1800
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 authorization-required
tunnel-group vpn-pro type remote-access
tunnel-group vpn-pro general-attributes
 authentication-server-group LDAP
 authentication-server-group (outside) LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 strip-realm
 password-management
 strip-group
 authorization-required
tunnel-group NOACCESSGROUP type remote-access
tunnel-group NOACCESSGROUP general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
Hello
The configuration you are looking for is a feature called DAP (Dynamic Access Policy).
The following link will explain how to set it up.
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the helpful posts.
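The "LDAP attribute map for accept/deny" option that Herbert mentions in the AnyConnect/DAP thread above, applied to the group-membership gate this ASA 5520 poster is after, as one added configuration example (the alternative to the DAP route Anisha points to). It is not from either post: the AD group DN CN=VPN-Users,OU=Groups,DC=domain,DC=com is assumed, while the LDAP_MAP, NOACCESS, vpn-pro and tunnel-group names are those of the posted 5520 configuration.

```cisco
! Added example, not from the original posts. The AD group DN is an
! assumption; the map, policy and tunnel-group names follow the 5520
! configuration posted above.
!
! Translate AD's memberOf into the Cisco Group-Policy attribute. Only a
! user whose memberOf contains exactly this DN is handed group-policy
! vpn-pro; every other memberOf value maps to nothing.
ldap attribute-map LDAP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=domain,DC=com" vpn-pro
!
! Dead-end policy: zero simultaneous logins, so anyone who lands here is
! dropped right after authentication, no pool and no tunnel protocol needed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Weak (as posted): default-group-policy vpn-pro, so every user that LDAP
! authenticates gets in. Corrected: default to NOACCESS and let the
! attribute map promote group members to vpn-pro.
tunnel-group vpn-pro general-attributes
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-required
 default-group-policy NOACCESS
```

The map is bound to each LDAP host with ldap-attribute-map LDAP_MAP, which the posted configuration already does for all three servers. The DN in map-value has to match the memberOf value AD returns exactly; a user in several groups returns several memberOf values and each one is run through the map. debug ldap 255 prints the memberOf values received and the Group-Policy the ASA derived from them, which is the first thing to check when a member still ends up in NOACCESS. On releases whose attribute map does not offer Group-Policy, IETF-Radius-Class plays the same role. The DAP alternative builds the same gate from a DAP record whose AAA criterion is ldap.memberOf, with the default record set to terminate; it costs a trip through ASDM but lets you combine the group test with endpoint checks, whereas the attribute map is easier to audit from the CLI.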
-
ISE 1.3 -> ASA SSH and AnyConnect attribute
Hello
I created a compound condition to match the AnyConnect client and allow it where needed, but the problem is that if the user does not match the AnyConnect group but does match the SSH group (a user group only for SSH to the ASA), he gets authenticated to AnyConnect and goes to the default tunnel group.
AnyConnect condition: Device Type, NAS-Port-Type = Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type = AnyConnect Client
SSH condition: Device Type, NAS-Port-Type = Virtual
Basically, if the user does not match the AnyConnect condition he can still VPN in through the SSH condition.
Thank you
Khaled
There are several ways you can do this. Probably the cleanest is to use different policy sets: one for VPN access and one for device administration.
But to keep things simple, you can use the same 'Cisco-VPN3000...' attribute in your SSH condition, but instead of 'Equals' you can use 'Not Equals'; this way, if the SSH session sees the AnyConnect client, the condition will not be matched.
Thank you for rating helpful posts!
-
Remote desktops sharing files and attributes
I use Remote Desktop on my XP machine to connect to three Win 2003 servers, DW1, DW2 and DW3. Because they all have quite similar content it can become a bit confusing, so I thought I would use a different desktop colour for each. But then I found that when I opened them again, they all had the same desktop colour as the last one I had changed. Then I noticed that the computer names changed in Solution Explorer, for example DW1 was now called DW2 etc. (but the remote window always showed DW1). So I thought I would put a text file on the desktop of each titled "This is DW1.txt", "This is DW2.txt" etc. But then text files started appearing on the wrong machines, for example DW1 now had a text file "This is DW1" as well as a text file "This is DW2", and DW2 only had a file called "This is DW1". I tried connecting to the machines using IP addresses instead of names, but they always do the same thing. It's as if all three machines somehow share desktop files and attributes. Any idea what is going wrong?
Bob
Hello Bob K Niagara Falls,
Please ask your question in the Remote Desktop Services forum on TechNet, as they handle all the server-related issues.
See you soon
-
I was looking for a way to use LDAP, basically to get a ServiceConnectionPoint (a single LDAP query).
I found two libraries, libldap and OpenLDAP; has anyone used one of them before and built it successfully for BB10?
Or could you do a simple query without a library?
I've seen OpenLDAP used before, but I have not actually used it myself.
For what it's worth, I built the client libraries by running these commands from the untarred distribution directory:
make clean
QNX_TARGET="/Applications/Momentics2.app/target_10_3_1_1949/qnx6" \
QNX_HOST="/Applications/Momentics2.app/host_10_3_1_24/darwin/x86" \
LDFLAGS="-L${QNX_TARGET}/armle-v7/lib -L/lib -lscreen -lasound -lpps -lm -lpng14 -lbps -lEGL -lGLESv2 -Wl,-z,relro -Wl,-z,now -pie" \
CPPFLAGS="-D__PLAYBOOK__ -D__QNXNTO__" \
CPP="${QNX_HOST}/usr/bin/qcc -V4.6.3,gcc_ntoarmv7le -E" \
LD="${QNX_HOST}/usr/bin/ntoarmv7-ld" \
CXX="${QNX_HOST}/usr/bin/qcc -Vgcc_ntoarmv7le -lang-c++ -fPIC" \
CFLAGS="-g -fPIC -fstack-protector-strong" \
RANLIB="${QNX_HOST}/usr/bin/ntoarmv7-ranlib" \
CC="${QNX_HOST}/usr/bin/qcc -Vgcc_ntoarmv7le -fPIC" \
./configure \
  --host=arm-unknown-nto-qnx8.0.0eabi \
  --enable-slapd=no \
  --with-threads=no \
  --prefix=${HOME}/openldap_install_target
make depend
make
Choose QNX_TARGET and QNX_HOST appropriate to your SDK. I dropped slapd (server support), and ran into issues with the threads build so disabled that as well; probably OK for a client-side library.
If you get a clean build, running 'make install' will put the headers, libs etc. in ${HOME}/openldap_install_target rather than trying to install into /usr/local.
-
Default password for LDAP-synchronized accounts that do not use LDAP authentication
We use CUCM 10.5.1. We have enabled the LDAP system and directory setup. I can see the previous local users and the newly LDAP-synchronized users. I know that if there was a previous local user with the same user ID as the new LDAP user, this account is converted into an LDAP account, and I guess the password stays the same as before the LDAP integration. But what about the newly LDAP-synchronized accounts? I see that there is a password field for them, but what is the default password for these newly created accounts, and where can I edit this default password?
I do not have a 10.x here, but on previous versions the "Credential Policy Default" sets the default password.
It was under User Management > Credential Policy Default. Choose the 'End User' 'Password' policy and set the default value you want there. It may be in a slightly different place in 10.x.
Aaron
-
UCS LDAP and native authentication
Hello
We set the native authentication to LDAP and the UCS Manager connection to LDAP as well. We are able to connect to the GUI and SSH using the LDAP account, but cannot connect to the GUI using the local account (admin).
If I change the native authentication to local, we can connect to the GUI via the local account (admin), but cannot connect to SSH via the LDAP account.
Am I missing something?
Please let me know.
/ Rags
Hello
When you changed the native auth to LDAP and use the local account, are you prefixing the local username with the local auth domain?
* From a Linux / Mac machine:
  ssh ucs-<domain>\\<username>@<ucs-ip>
  ssh -l ucs-<domain>\\<username> <ucs-ip>
* From the PuTTY client:
  Connect as: ucs-<domain>\<username>
NOTE: the domain name is case-sensitive and must match the name field set up in UCSM.
Try connecting with the name in the form domain\username and let us know the result.
Padma