Firewall/RADIUS/LDAP

Hello

Could someone please help me with IP authentication proxy.

In the firewall, there are two ACLs: one for authentication and one for access. When you try to access a system behind the firewall, you must enter a username and password for authentication if you are matched by the authentication ACL. The firewall then interrogates the RADIUS servers. The RADIUS server then queries the LDAP servers to verify the username and password. My question is: what information is returned to the RADIUS server if the username and password are valid, and what if they are invalid? What information is sent to the firewall?

Thank you.

Hello

Yes, you are right.

Kind regards

Vivek

Tags: Cisco Security

Similar Questions

  • Access for contractors and employees to the in-house web site using clientless SSL VPN.

    We have a clientless web SSL VPN deployment that allows employees and suppliers to connect and view an internal web page.  I wonder if it is possible to separate employees and contractors when they access the internal pages.  The internal web page has no user authentication.  They would like to know whether employee traffic can be proxied behind the ASA's INSIDE interface IP and contractor traffic proxied behind a different IP address.  That way the internal web page can check the IP for contractors and only give them access to view certain web pages, but not all pages.

    Hello

    Creating a group policy for each user group would be a good option; you can also use DAP to assign a web ACL to the user who logs on to the clientless portal. You can use RADIUS, LDAP or Cisco attributes to associate the DAP with the user. For example, if you are using LDAP, you can create 2 separate groups there for employees and contractors and, based on the LDAP group membership of the user, they will be assigned the specific web ACL configured according to their access restrictions.

    You can follow this link to set up a web ACL:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

    Once the ACL is ready, you can follow this guide to configure DAP (see "Web ACLs", Figure 10):

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Thank you, please rate!

  • Different enable passwords

    We run an ASA, IOS 8.0(5) and ASDM version 6.2(3). I just changed the enable password.  When I connect using SSH and the CLI, the enable password is the new password.  However, when I connect using ASDM, the enable password is the old password.  Is there a way to make the two passwords identical?

    Thank you.

    Diane

    When you connect through ASDM you may use your username and password from the local database or from an AAA (RADIUS, LDAP) server. When accessing via the CLI, you first need to give the same credentials, and then you will be asked for the enable password. Depending on your AAA configuration, that could again be the enable password present on the ASA or on the AAA server.

    Does ASDM sign-in fail with the username and password that you use to connect to the CLI?

  • Static IP for AnyConnect users via LDAP/RADIUS

    Hello.

    We have the following situation: we have built a remote-access AnyConnect solution for many users, on LDAP or RADIUS - we can choose whichever we like.

    We now have the problem that some users (around 1,000) must always get the same static IP address from a pool, so that they can get through the firewall behind the remote-access connection.

    I have not found a way to add a static IP address via DAP, or via RADIUS or LDAP attributes.

    Does anyone know a solution for how we can assign a static IP address to our remote-access users? Any experience?

    Hi Marco,

    On the RADIUS server, configure the Framed-IP-Address attribute (IETF attribute 8) for each user, with the IP address as the value.

    HTH

    Herbert
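The exchange that both the opening question (what the RADIUS server sends back to the firewall) and Herbert's static-IP answer depend on, as an added example that is not code from either thread. It follows RFC 2865: the NAS (the firewall) sends an Access-Request with the password obfuscated under the shared secret and a fresh Request Authenticator; the server checks the credentials with its backend (a constructed dictionary stands in for the LDAP directory here) and answers Access-Accept, carrying authorization attributes such as Framed-IP-Address (IETF attribute 8), or Access-Reject; the NAS verifies the Response Authenticator before believing either. The secret, the directory entries, the user "ashdew" and the addresses are all constructed for the demo.

```python
"""RADIUS PAP exchange between a NAS (the firewall) and a RADIUS server that
checks the credentials against a backend directory, per RFC 2865.

Added example, not code from the original threads. The shared secret, the
directory contents and the addresses are constructed for the demo."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 8, 18
SECRET = b"constructed-shared-secret"   # constructed; real deployments use one secret per NAS
# Constructed stand-in for the LDAP directory the RADIUS server consults.
DIRECTORY = {"ashdew": {"password": "correct horse", "framed_ip": "10.99.0.25"}}


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS attributes: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(blob):
    attrs = []
    while len(blob) >= 2 and blob[1] >= 2:   # a length < 2 is malformed; stop there
        attrs.append((blob[0], blob[2:blob[1]]))
        blob = blob[blob[1]:]
    return attrs


def encrypt_password(password, authenticator, secret=SECRET):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator.
    Obfuscation, not encryption: it rests on the secret and a fresh authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def decrypt_password(blob, authenticator, secret=SECRET):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(username, password, nas_ip="192.0.2.1", ident=0x2A):
    authenticator = os.urandom(16)      # Request Authenticator: unpredictable, never reused
    attrs = _attrs([(USER_NAME, username.encode()),
                    (USER_PASSWORD, encrypt_password(password, authenticator)),
                    (NAS_IP_ADDRESS, _ip(nas_ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret=SECRET):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def radius_server(request, directory=DIRECTORY, secret=SECRET):
    """Server side: recover the password, consult the directory, answer with an
    Access-Accept carrying authorization attributes or with an Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return b""                      # silently discarded, as RFC 2865 requires
    req_auth = request[4:20]
    attrs = dict(_parse_attrs(request[20:]))
    password = decrypt_password(attrs[USER_PASSWORD], req_auth, secret)
    entry = directory.get(attrs[USER_NAME].decode())
    if entry and entry["password"] == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, _attrs([(FRAMED_IP_ADDRESS, _ip(entry["framed_ip"]))])
    else:   # unknown user and wrong password look identical to the NAS; only the server log knows
        reply_code, reply_attrs = ACCESS_REJECT, _attrs([(REPLY_MESSAGE, b"Authentication failed")])
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    return hdr + response_authenticator(reply_code, ident, reply_attrs, req_auth, secret) + reply_attrs


def nas_handle_reply(request, reply, secret=SECRET):
    """NAS side: the Response Authenticator ties the reply to this request and to
    the shared secret, so a spoofed or replayed Access-Accept fails here."""
    if len(reply) < 20:
        return "no-answer"
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    if ident != request[1] or reply[4:20] != expected:
        return "invalid"                # handled like no answer (failover), never like an Accept
    attrs = dict(_parse_attrs(reply[20:]))
    if code == ACCESS_ACCEPT:
        return "accept framed-ip=" + ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])
    return "reject"


def authenticate(username, password):
    """One round trip: the firewall builds the request, the server answers, the firewall verifies."""
    req = build_access_request(username, password)
    return nas_handle_reply(req, radius_server(req))


if __name__ == "__main__":
    print(authenticate("ashdew", "correct horse"))   # accept framed-ip=10.99.0.25
    print(authenticate("ashdew", "wrong"))           # reject
```

The two answers to the original question fall out of the code: on valid credentials the server returns code 2 (Access-Accept) with whatever authorization attributes it is configured to send, on invalid ones code 3 (Access-Reject), and in both cases the firewall only sees the code, any Reply-Message, and a Response Authenticator it must check; what the LDAP server told the RADIUS server stays between them.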

  • Which IP SLA probe for LDAP and RADIUS?

    Hello

    I would like to use IP SLA probes to monitor client access over broadband.

    We want to deploy some shadow routers at some exchange sites to measure the customer experience.

    We are looking to create a DNS probe. We would also like to test authentication.

    I am thinking of running a UDP probe on port 1812 for RADIUS.

    I don't know if that's enough.

    What about LDAP?

    Has anyone done a similar implementation?

    Thank you

    Rgds

    Abdel

    There are no specific operations to test RADIUS and LDAP. There is nothing you can do for RADIUS, as the udpEcho operation will not work with the RADIUS port. You must configure the collector to send UDP echo requests to the echo port (port 7) or to IP SLA responder equipment (see http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_udp_echo_ps6441_TSD_Products_Configuration_Guide_Chapter.html ).

    However, for LDAP, you can configure a generic TCP connect collector, which will at least give you connection latency data. The collector must connect to tcp/389 (assuming plaintext LDAP) or tcp/636 for LDAPS.

  • Why does my firewall only use the domain username and password for login and enable, not a separate enable password as my switches do? The RADIUS config looks the same...


    Question:

    Cisco firewalls require only one level of password, i.e. the domain username and password are used both for logging in and for reaching global configuration mode.

    Background:

    We have several Cisco network devices set up that authenticate to our Windows DC using NPS (Windows 2008 R2). The switches we have implemented work exactly as we would wish: they require your domain username and password to connect to the device. Then they require a separate password when you use the enable command, which is stored in Active Directory:

    Switches:

    Username: domain-username
    Password: password-field
    SWITCH>enable
    Password: enable-password-from-Active-Directory
    SWITCH#

    Firewalls (as they are now):

    Username: domain-username
    Password: password-field
    FIREWALL>enable
    Password: password-field
    FIREWALL#

    With the firewall, however, they require your domain username and password first and then your domain password again when you use the enable command. I want to rework the firewall to use the enable password level that the switches currently use rather than the domain password. The current configuration looks as follows:

    Current switch configuration:

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    aaa session-id common
    radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 1234abcd

    Current firewall configuration:

    aaa-server DC01 protocol radius
    aaa-server DC01 (outside) host 192.168.0.1
     key 1234abcd
    aaa authentication ssh console DC01 LOCAL
    aaa authentication enable console DC01 LOCAL

    Any help would be great, thanks!

    You must use TACACS+ instead of RADIUS for this.

    There, you can use command sets in the results section of the policy.

  • WLC to RADIUS server and RADIUS server to LDAP server monitoring

    Dear all,

    Our wireless configuration is as below:

    Authentication: RADIUS

    Clients send the authentication request to the ACS 5.3 server, and ACS 5.3 forwards the authentication to the LDAP server.

    Here we have the challenge of monitoring the connectivity between the WLC and ACS 5.3, and between ACS 5.3 and LDAP (the authentication itself should be monitored).

    ICMP monitoring is already done. But it does not cover the authentication logic with LDAP.

    Please help solve this problem as soon as POSSIBLE.

    Thanks and best regards,

    Sakthivel M

    Hi Santana,

    For the connectivity between the WLC and RADIUS, and to ensure that it falls back to the next available server, you can configure:

    Active mode

    In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead, moves the server to the inactive pool and starts sending probe messages periodically until the server responds. If the server responds, the WLC moves the dead server back to the active pool and stops sending probe messages. In this mode, when an authentication request comes in, the WLC always picks the lowest-index (highest priority) server from the active pool of RADIUS servers.

    The WLC sends a probe packet after the timeout period (default 300 seconds) to determine the status of a server that did not respond earlier.

    Backup RADIUS Server Feature on Wireless LAN Controllers (WLC) Configuration Example

    http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a008098987e.shtml#active

    In ACS 5.3, while configuring LDAP servers, you have an option for a secondary server. There is no detection mechanism, but if it gets no response from the first LDAP server within a specified period, it will begin to communicate with the secondary server. So there is no typical mechanism for probing LDAP within the ACS server.

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • VPN for remote users if no RADIUS or LDAP services are available?

    Dear people,

    I have an ASA 5510 Adaptive Security Appliance with the features below.

    Now, what is the best way to set up VPN for remote users securely, if I have no LDAP or RADIUS server services?

    HOFW# sh flash:
    --#--  --length--  -----date/time------  path
      181  14137344    Mar 03 2003 08:36     asa804-k8.bin
      195  436         Sep 01 2012 16:28:05  bar.emf
       75  4096        Nov 10 2011 18:41:26  log
      192  1335        Nov 10 2011 18:41:26  log/recovery-event.388.20111110.131127
       79  4096        Jan 19 2009 16:12:34  crypto_archive
      182  7562988     Jan 19 2009 16:14:06  asdm-613.bin
      184  4863904     Jan 19 2009 16:15:44  securedesktop_asa_3_3_0_129.pkg.zip
      185  4096        Jan 19 2009 16:15:46  sdesktop
      194  1462        Jan 19 2009 16:15:46  sdesktop/data.xml
      186  2153936     Jan 19 2009 16:15:46  anyconnect-win-2.2.0133-k9.pkg
      187  3446540     Jan 19 2009 16:15:48  anyconnect-macosx-powerpc-2.2.0133-k9.pkg
      188  3412549     Jan 19 2009 16:15:50  anyconnect-macosx-i386-2.2.0133-k9.pkg
      189  3756345     Jan 19 2009 16:15:52  anyconnect-linux-2.2.0133-k9.pkg

    Regards
    Vesta
    "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

    With the ASA you will be somewhat limited in what you can do for remote-access VPN.

    There are two ways to set that up:

    (1) using SSL VPN with the AnyConnect client

    For this you need either the AnyConnect Premium license, which is quite expensive for the number of concurrent users you plan to accept, or the cheap AnyConnect Essentials license, which gives you 250 AnyConnect users, which is the platform limit.

    But for the AnyConnect Essentials license, you need to upgrade your ASA RAM, because you need a recent ASA operating system for it.

    But going this path would be the best option.

    (2) with the legacy IPSec client (EasyVPN). The client is announced EOL/EOS and will not get any more development. But for now, it could be a way to go until you upgrade your ASA.

    Here is an example of how to configure your ASA for the old IPSec client:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • ASA identity firewall

    Hello

    I have set up the identity firewall on an ASA version 5.6 on a DMZ interface.

    I installed the AD Agent on a Win2008 domain member and configured it as follows:

    aaa-server ADAGENT_SERVER protocol radius
     ad-agent-mode
    aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x
     key *

    I have configured the LDAP connection to the domain controller as follows:

    aaa-server DOMAIN_SERVER protocol ldap
    aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
     ldap-base-dn DC=YYY,DC=local
     ldap-scope subtree
     ldap-login-password *
     ldap-login-dn Lucas
     server-type microsoft

    The identity configuration is:

    user-identity domain YYY aaa-server DOMAIN_SERVER
    user-identity default-domain YYY
    user-identity action netbios-response-fail remove-user-ip
    user-identity logout-probe netbios local-system
    user-identity ad-agent aaa-server ADAGENT_SERVER
    user-identity user-not-found enable

    access-list 122 extended permit ip user YYY\ashdew any any

    where ashdew is a domain user, ACL 122 (that single line) is applied on the DMZ interface, and NAT is configured correctly.

    The AD Agent has been properly tested and the ASA can reach it.

    The ASA can connect to the AD domain controller and query the user database.

    I placed a laptop with IP 172.17.h.x on the DMZ and can test the DMZ interface.

    The laptop cannot authenticate to the domain, and the ASA does not seem to retrieve the user's identity.

    Do I need to add additional rules to access list 122 to allow DC traffic?

    Can I check on the AD Agent whether it can retrieve the user-to-IP mapping?

    Thank you

    Ashley

    Hi Ashley,

    You must ensure that the domain controller is configured correctly; please follow the instructions here:

    http://www.Cisco.com/en/us/docs/security/IBF/setup_guide/ibf10_install.html#wp1058066 (Configuring the AD Agent to obtain information from AD domain controllers)

    I suggest first checking that logon events are generated in the domain controller's security event log. On Windows 2008, you will see event ID 4768. If they are not, you will need to modify the audit policy, as described in the link above.
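What has to exist for "access-list 122 extended permit ip user YYY\ashdew any any" to ever match a packet, as an added example that is not the AD Agent's code and not the ASA's: a user-to-IP table built from 4768 (Kerberos TGT request) events read off the domain controller, which is why the answer starts by checking that those events are being generated. The event records below are constructed and reduced to the fields the mapping needs; the "::ffff:" form of Client Address is how Windows writes an IPv4 client in 4768. The idle timeout, the machine-account filter and the one-IP-per-user rule are this example's simplifications of what the ASA's user-identity timers and logout probe do, not a description of the AD Agent's internals.

```python
"""From a user-based ACE to a packet decision: an identity firewall needs a
user-to-IP table, fed here from 4768 (Kerberos TGT) events.

Added example, not the AD Agent's or the ASA's code. The events are
constructed; only the ::ffff: client-address form is taken from real 4768
records, the rest of the layout is reduced to the needed fields."""
import ipaddress
import re
from datetime import datetime, timedelta

EVENTS = [  # constructed 4768 records
    {"id": 4768, "time": "2014-03-01T09:00:00", "Account Name": "ashdew",
     "Supplied Realm Name": "YYY.LOCAL", "Client Address": "::ffff:172.17.20.15", "Result Code": "0x0"},
    {"id": 4768, "time": "2014-03-01T09:00:05", "Account Name": "lucas",        # 0x18: pre-auth failed
     "Supplied Realm Name": "YYY.LOCAL", "Client Address": "::ffff:172.17.20.16", "Result Code": "0x18"},
    {"id": 4768, "time": "2014-03-01T09:05:00", "Account Name": "DC01$",        # machine account
     "Supplied Realm Name": "YYY.LOCAL", "Client Address": "::ffff:172.17.20.1", "Result Code": "0x0"},
    {"id": 4768, "time": "2014-03-01T09:10:00", "Account Name": "ashdew",       # same user, new host
     "Supplied Realm Name": "YYY.LOCAL", "Client Address": "::ffff:172.17.20.40", "Result Code": "0x0"},
]


def norm_identity(domain, user):
    """DOMAIN\\user, the form the ACL uses; AD names are case-insensitive, so canonicalise."""
    return f"{domain.upper()}\\{user.lower()}"


def client_ip(raw):
    """4768 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class IdentityTable:
    def __init__(self, idle_timeout=timedelta(minutes=60)):
        self.by_ip = {}            # ip -> (identity, last_seen)
        self.idle_timeout = idle_timeout

    def ingest(self, ev):
        """Accept only successful TGT requests for user (not machine) accounts."""
        if ev["id"] != 4768 or ev["Result Code"] != "0x0" or ev["Account Name"].endswith("$"):
            return None
        identity = norm_identity(ev["Supplied Realm Name"].split(".")[0], ev["Account Name"])
        ip = client_ip(ev["Client Address"])
        # one user, one current host: a stale binding of the same user elsewhere goes away
        for other, (who, _) in list(self.by_ip.items()):
            if who == identity and other != ip:
                del self.by_ip[other]
        self.by_ip[ip] = (identity, datetime.fromisoformat(ev["time"]))
        return identity, str(ip)

    def lookup(self, ip, now_iso):
        """Who is at this IP right now, or None if unknown or idle for too long."""
        key = ipaddress.ip_address(ip)
        entry = self.by_ip.get(key)
        if entry is None:
            return None
        identity, seen = entry
        if datetime.fromisoformat(now_iso) - seen > self.idle_timeout:
            del self.by_ip[key]    # the effect of the ASA's idle timer / logout probe
            return None
        return identity


ACE = re.compile(r"^permit ip user (?P<domain>[^\\\s]+)\\(?P<user>\S+) any any$")


def acl_permits(ace, src_ip, table, now_iso):
    """Evaluate a user-based ACE for a packet from src_ip seen at now_iso."""
    m = ACE.match(ace)
    if not m:
        return False
    return table.lookup(src_ip, now_iso) == norm_identity(m["domain"], m["user"])


def build_table(events=EVENTS):
    table = IdentityTable()
    for ev in events:
        table.ingest(ev)
    return table


if __name__ == "__main__":
    t = build_table()
    for ip in ("172.17.20.15", "172.17.20.16", "172.17.20.1", "172.17.20.40"):
        print(ip, acl_permits("permit ip user YYY\\ashdew any any", ip, t, "2014-03-01T09:15:00"))
```

Run as is, only 172.17.20.40 is permitted: the failed pre-authentication for lucas never creates a mapping, the machine account is ignored, and ashdew's earlier host 172.17.20.15 is dropped once the user shows up elsewhere. A laptop that cannot authenticate to the domain, as in Ashley's case, produces no successful 4768 at all, so no mapping exists and the user-based ACE cannot match regardless of what the ASA configuration says.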

  • Remote VPN authentication through LDAP allows all users!

    Hello

    I have a 5505 firewall with a security license. I have configured remote VPN on the firewall through the CLI with the commands below. Remote VPN works well, but the problem is that it allows all remote VPN users. I need to restrict remote VPN access to a few users, and I need to configure it via the CLI; I don't want to go through ASDM. Can someone help me with the CLI?

    In ASDM I am able to perform the things below, which I'm not able to perform through the CLI:

    Configuration -> Network (Client) Access -> Dynamic Access Policies

    Through ASDM I'm able to set which VPN users are allowed remote VPN access; how do I set up the same thing through the CLI?

    Here's my CLI:

    ldap attribute-map CISCOMAP
     map-name KFG IETF-Radius-Class
     map-value VPN CN=VPN,DC=domain,DC=com noaccess_pri
     map-value VPN CN=VPN,DC=domain,DC=com noaccess_bk
     map-value VPN CN=VPN,DC=domain,DC=com splitgroup_pri
     map-value VPN CN=VPN,DC=domain,DC=com splitgroup_bk

    aaa-server ldapgroup protocol ldap
    aaa-server ldapgroup (inside) host 10.1.10.5
     ldap-base-dn dc=domain,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password Inf0rmati0n1
     ldap-login-dn cn=VPN,dc=domain,dc=com
     server-type microsoft
     ldap-attribute-map CISCOMAP

    group-policy noaccess_pri internal
    group-policy noaccess_pri attributes
     vpn-simultaneous-logins 0
    exit

    group-policy noaccess_bk internal
    group-policy noaccess_bk attributes
     vpn-simultaneous-logins 0
    exit

    group-policy splitpolicy_pri internal
    group-policy splitpolicy_pri attributes
     vpn-tunnel-protocol ipsec l2tp-ipsec
    tunnel-group splitgroup_pri general-attributes
     authentication-server-group ldapgroup LOCAL

    group-policy splitpolicy_bk internal
    group-policy splitpolicy_bk attributes
     vpn-tunnel-protocol ipsec l2tp-ipsec
    tunnel-group splitgroup_bk general-attributes
     authentication-server-group ldapgroup LOCAL

    Thank you

    Abhishek

    Hello

    You cannot configure DAP via the CLI because the configuration is saved in a dap.xml file stored in the ASA's flash.

    You can configure DAP using the following link:

    http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml#T4

    Also note that the link mentions the following:

    Note:

    The dap.xml file, which contains the DAP selection policy attributes, is stored in the ASA's flash. Although you can export the dap.xml file, edit it (if you know the XML syntax) and re-import it, be very careful, because ASDM might stop processing the DAP files if you have misconfigured something. There is no CLI to handle this part of the configuration.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this message as answered if you feel that your query is resolved. Rate useful posts.

  • LDAP to a DoD server?

    Get this: I have just completed a fresh install of Mavericks on a Mac Pro 4,1.

    Not more than a few hours later, watching connection traffic on my network firewall, what do I see?

    The new install tries several LDAP connections (tcp/389) to a few DoD servers.

    More precisely:

    I did a WHOIS on 156.112.110.122 and 156.112.102.122

    They both resolve to: crl.gds.disa.mil

    ... Now, "DISA" stands for Defense Information Systems Agency. DISA is a cousin of the NSA, the National Security Agency.

    I then browsed to https://crl.gds.disa.mil and was presented with:

    As you can see, this server is FOUO (For Official Use Only). Why the hell is my fresh Mavericks install trying to talk to this guy? Anyone?

    ~ Never paranoid

    Apparently, it's standard operating mode for automated CRL checking: if a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.

    In my keychain, there is a DOD EMAIL CA-25 certificate, and within it is:

    That would explain the new install contacting a DoD server via LDAP.

  • HP Device Manager: LDAP connection fails

    Hello community

    I would like to integrate Active Directory authentication into HP Device Manager (version 4.5 Rev B).

    When I try to log in, HPDM returns a generic error message.

    I sniffed with Wireshark and found the following:

    searchResDone(2) operationsError (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1) [0 results]

    When I tried to authenticate with this account in the LDP tool, it worked fine.

    My test parameters for now are like this:

    Host: myLDAPserver.mydomain.net (also tried 'name')
    Port: 389
    No encryption
    Generic LDAP (also tried "Active Directory")
    Base DN: dc=mydomain,dc=net
    RDN attribute: distinguishedName (also tried sAMAccountName, CN, UID)
    Username: CN=svc-LDAP-HPDM,CN=AnotherOU,CN=AnotherOU,CN=MyOU,DC=MyDomain,DC=net
    PW: password

    Can someone explain this behaviour? I tried all the combinations I could think of. The firewall is not the problem; there is nothing between my HPDM and the LDAP server.

    Hopefully you have all the information you need. Otherwise, I'd be happy to provide anything else you want to know ;-)

    Best regards from Switzerland,

    Simon

    I had to change "CN=" to "OU=", as below:

    Username: CN=LDAP-svc-HPDM,OU=AnotherOU,OU=AnotherOU,OU=MyOU,DC=MyDomain,DC=net

  • Management user authentication for the WLC via LDAP possible?

    Hi guys, just like the title suggests.

    Correct me if I'm wrong:

    Both TACACS+ and RADIUS can be used for WLC management access?
    Well, how about LDAP? (In fact my answer to this is 'not possible', but I just want you to confirm.)

    So is LDAP for management access to the WLC supported?

    If you look at the options when adding a RADIUS or TACACS+ server on a WLC, there is a checkbox for management, to let admins log on via that RADIUS or TACACS+ server; there is no option to do this with LDAP. When an administrator connects to a WLC using RADIUS or TACACS+, the server sends a specific response saying what the admin can do (read only, read/write); LDAP, as far as I know, does not do that.

    Hope this helps

  • Does the 'IETF-RADIUS-Idle-Timeout' value override 'vpn-session-timeout' of the group policy?

    Hello community,

    I wish to have a dynamic override of 'vpn-session-timeout' of the group policy (using 'ldap attribute-map').

    Reading the section "Supported RADIUS authorization attributes" of the ASA guide, it is not clear, but apparently the attribute 'IETF-RADIUS-Session-Timeout' is the ASA's attribute name for 'vpn-session-timeout'.

    Can anyone confirm?

    R, Alex

    Yes!

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_ser...

  • LDAP AAA for VPN configuration

    Preface: I'm all new to Cisco configuration and learning as I go.

    I'm at the stage of configuring LDAP for a VPN on an ASA 5520, software release 8.3(1).  Having previously set up and successfully tested RADIUS authentication, I tried to use similar logic to implement LDAP authentication/authorization.  I have acquired a service account that queries the directory for the registered user's identification information.  My main resource was the following manual: Cisco ASA 5500 Series Configuration Guide using the CLI, Software Version 8.3.  I initially did the configuration using ASDM, but could not get tests to succeed.  So I wiped the ASDM configs and went to the CLI.  Here is the configuration.

    aaa-server AAA_LDAP protocol ldap
    aaa-server AAA_LDAP (inside) host 10.20.30.40
     server-port 636
     ldap-base-dn domain.ad
     ldap-scope subtree
     ldap-naming-attribute uid
     ldap-login-password 8 *
     ldap-login-dn cn=commonname,ou=ou01,ou=ou02,dc=domain,dc=ad
     ldap-over-ssl enable
     server-type microsoft
     ldap-attribute-map LDAP_ATTRIB

    ---

    tunnel-group ASA_DEFAULT type remote-access
    tunnel-group ASA_DEFAULT general-attributes
     authorization-server-group AAA_LDAP

    ---

    ldap attribute-map LDAP_ATTRIB
     map-name memberOf IETF-Radius-Class
     map-value memberOf "VPN users" asa_default

    ---

    I tested all the ldap-naming-attribute alternatives listed, with the same results.

    When I test authentication using this configuration, I get the following error: ERROR: Authentication server not responding: AAA Server has been deleted

    When I test authorization using this setup, I get the same error (except for the word authorization instead of authentication).

    I am at a total loss.  Any help would be appreciated.

    I would use ldp.exe to make sure that the syntax of your ldap-login-dn is exactly what you have in your config; it really helps to just copy and paste.

    The problem I see is the following:

    [210] Binding as st_domadm
    [210] Performing Simple authentication for st_domadm to 10.20.30.30
    [210] Simple authentication for st_domadm returned code (49) Invalid credentials
    [210] Failed to bind as administrator returned code (-1) Can't contact LDAP server

    I suppose your ldap-login-dn is st_domadm and you are trying to test with the administrator account?

    Thank you

    Tarik
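For the two monitoring questions on this page (Abdel's IP SLA thread, where only a TCP connect to tcp/389 or tcp/636 was available for LDAP, and Sakthivel's WLC/ACS thread, where ACS offers no LDAP probe) and for the two bind failures shown above (HPDM's operationsError on a search made before any successful bind, and "returned code (49) Invalid credentials" in Tarik's debug), an added example that is not code from any of these threads: a synthetic LDAP simple bind (RFC 4511) that measures TCP-connect and bind latency separately and decodes the resultCode, so a monitor can tell "port open" from "directory authenticates" from "account broken". The BER encoder is hand-written and covers only what a bind needs; the in-process server, the DN "cn=monitor,ou=svc,dc=example,dc=net" and the password are constructed so the demo runs offline. Assumptions: plaintext LDAP on the given port; against a real directory, wrap the socket in TLS (tcp/636) and use a monitoring account that can bind and do nothing else.

```python
"""Synthetic LDAP simple bind (RFC 4511) as a monitoring probe: checks that
the directory authenticates, not merely that tcp/389 accepts a connection,
and decodes the resultCode that a failing bind or an unbound search returns.

Added example, not code from the original threads. The BER encoder covers
only what a bind needs; the in-process server, DN and password are
constructed for the offline demo."""
import socket
import struct
import threading
import time

SUCCESS, OPERATIONS_ERROR, INVALID_CREDENTIALS = 0, 1, 49   # RFC 4511 4.1.9


def _ber(tag, payload):
    """TLV with a BER definite length (short form, or long form 0x81/0x82)."""
    n = len(payload)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack("!H", n))
    return bytes([tag]) + ln + payload


def _tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the element at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first & 0x80:                      # long form: low bits give the length's byte count
        n = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + n], pos + n


def encode_bind_request(msg_id, dn, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] } }"""
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)     # msg_id < 128 in this demo


def parse_bind_request(buf):
    """Inverse of encode_bind_request: (msg_id, dn, password)."""
    _, msg, _ = _tlv(buf, 0)
    _, mid, pos = _tlv(msg, 0)
    _, bind, _ = _tlv(msg, pos)
    _, _, p = _tlv(bind, 0)               # version
    _, name, p = _tlv(bind, p)            # name (LDAPDN)
    _, pw, _ = _tlv(bind, p)              # simple [0] password
    return int.from_bytes(mid, "big"), name.decode(), pw.decode()


def encode_bind_response(msg_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1]{ resultCode ENUMERATED, matchedDN, diagnosticMessage }"""
    body = _ber(0x0A, bytes([result_code])) + _ber(0x04, b"") + _ber(0x04, diagnostic.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x61, body))


def decode_bind_response(buf):
    tag, msg, _ = _tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("protocolOp 0x%02x is not a BindResponse" % op_tag)
    _, code, pos = _tlv(op, 0)
    _, _matched, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def probe_bind(host, port, dn, password, timeout=3.0):
    """Connect, bind, and report TCP and bind latency plus the directory's verdict."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        t_conn = time.monotonic()
        s.sendall(encode_bind_request(1, dn, password))
        reply = s.recv(4096)
    t_done = time.monotonic()
    msg_id, code, diag = decode_bind_response(reply)
    return {"tcp_connect_ms": round((t_conn - t0) * 1000, 2),
            "bind_ms": round((t_done - t_conn) * 1000, 2),
            "msg_id": msg_id, "result_code": code, "diagnostic": diag,
            "authenticated": code == SUCCESS}


def start_fake_ldap(accept_password):
    """Constructed one-shot server: answers one bind with 0 or 49, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            mid, _dn, pw = parse_bind_request(conn.recv(4096))
            ok = pw == accept_password
            conn.sendall(encode_bind_response(mid, SUCCESS if ok else INVALID_CREDENTIALS,
                                              "" if ok else "invalid credentials (constructed text)"))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    dn = "cn=monitor,ou=svc,dc=example,dc=net"
    print(probe_bind("127.0.0.1", start_fake_ldap("monitor-pw"), dn, "monitor-pw"))
    print(probe_bind("127.0.0.1", start_fake_ldap("monitor-pw"), dn, "wrong"))
```

The three outcomes a monitor should alarm on differently: a socket error (the IP SLA tcp-connect case, nothing listening or a path problem), a bind that succeeds slowly (directory or its backend is degraded), and a bind that returns 49 (the monitoring account's password or DN broke, which is what Tarik's debug shows and what HPDM hit before its search came back with resultCode 1).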
