LDAP on DoD Server?

Get this: I have just completed a fresh install of Mavericks on a Mac Pro 4,1.

No more than a few hours later, watching the connections going through my network firewall, what do I see?

The fresh install attempts several connections to LDAP (tcp/389) on a few DoD servers.

More precisely:

I did a WHOIS on 156.112.110.122 and 156.112.102.122

They both resolve to: crl.gds.disa.mil

... Now, "DISA" stands for Defense Information Systems Agency. DISA is a cousin of the NSA, the National Security Agency.

I then browsed to https://crl.gds.disa.mil and was greeted with:

As you can see, this server is FOUO (For Official Use Only). Why the hell is my fresh Mavericks install trying to talk to this guy? Anyone?

~ Never paranoid

Apparently it's standard operating behaviour for automatic CRL checking: when a CRL distribution point is defined in a certificate, the CRL is automatically retrieved from that address.

In my keychain there is a DOD EMAIL CA-25 certificate, and among its extensions it has:

That would explain the fresh install contacting a DoD server via LDAP.

Tags: Mac OS & System Software

Similar Questions

  • LDAP on ASA with the attribute-map

    Hi all,

    I have problems setting up authentication of VPN clients against an LDAP server. The main problem is when the ASA has to decide on a group policy for non-compliant users.

    I use LDAP attribute maps on the ASA to map the memberOf attribute to the Cisco Group-Policy parameter, so I can associate the AD group the user must belong to for VPN with the right memberOf Group Policy access. This method works correctly.

    But the problem is when the remote user is not in the correct AD group: I set a default group policy that does not give access to this kind of user. After that, all users (authorized and unauthorized) fall into the same default group policy without VPN access.

    Here is the ASA configuration:

    ldap attribute-map LDAP
     map-name memberOf Group-Policy
     map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com" RemoteAccess

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.0.0.3
     ldap-base-dn ou="My group",dc=xxx,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=users,ou="My group",dc=xxx,dc=com
     server-type microsoft
     ldap-attribute-map LDAP

    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0

    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
     dns-server value 10.0.0.3
     vpn-tunnel-protocol IPSec
     default-domain value xxx.com

    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
     address-pool
     authentication-server-group LDAP
     default-group-policy NOACCESS
    tunnel-group RemoteAccess ipsec-attributes
     pre-shared-key *

    As you can see, I followed all the examples available on the web site to solve the problem, but I can't get a good result.

    Does anyone have a solution for this problem?

    Kind regards

    Guzmán

    Guzman,

    It should work without a doubt: given that the deny part already works fine, the user who has the correct memberOf attribute should certainly be mapped to the Allow access policy and should therefore be allowed in.

    I thought it might be a bug as well, but I had a quick look and saw nothing matching, and if it were a bug in 8.2.3 I wouldn't expect you to be the first customer to discover it, so I'm still more inclined to think it's something in the config that we are overlooking (I know from experience that typos can sometimes be very difficult to spot).

    Could you get a "debug aaa common 255", please; maybe that will tell us something.

    BTW, just to be sure: you don't have anything (such as vpn-simultaneous-logins) configured in the DfltGrpPolicy, do you? Just double-check, since your Allow access policy would inherit that.

    Maybe another test: explicitly configure a non-zero value for this parameter in the Allow access policy, i.e.

    group-policy <allow-access-policy> attributes

     vpn-simultaneous-logins 10

    Herbert

  • ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

    Hello,

    I configured LDAP authentication on the ASA for VPN users. In MS AD I have a group called 'VPN_Users', but it is a CN.

    ldap-base-dn CN=VPN_Users,OU=Users,DC=company,DC=local

    The path shown in AD is:

    DN: CN=VPN_Users,OU=Users,DC=company,DC=local

    I want to allow only the users who are in the mentioned group. But it does not work. It seems that 'CN=VPN_Users' is not recognized as a group, but it is one.

    Any idea or experience? Is it an IOS bug or what?

    Thank you.

    Hi Matus,

    This is what you need.

    Configuration to limit access to a particular Windows group on AD:

    ldap attribute-map LDAP-MAP
     map-name memberOf IETF-Radius-Class
     map-value memberOf CN=VPN_Users,OU=Users,DC=company,DC=local <Group-Policy-Name>
    !
    ! --- <Group-Policy-Name> should be the group policy that you have configured on the ASA
    !
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD (<interface>) host <AD-server>
     server-port 389
     ldap-base-dn DC=company,DC=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-dn <bind-DN>
     ldap-login-password <password>
     server-type microsoft
     ldap-attribute-map LDAP-MAP
    !
    !
    group-policy <Group-Policy-Name> internal
    group-policy <Group-Policy-Name> attributes
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol IPSec l2tp-ipsec ...
     address-pools value <pool>
    !
    !
    group-policy noaccess internal
    group-policy noaccess attributes
     vpn-simultaneous-logins 1
     address-pools none
    !
    !
    tunnel-group <tunnel-group-name> type remote-access
    tunnel-group <tunnel-group-name> general-attributes
     authentication-server-group LDAP-AD
     default-group-policy noaccess

    Just in case it does not work for you, get the following information:

    Turn on 'debug ldap 255' on the ASA and connect with a user account that belongs to the VPN_Users group.

    1.] show run ldap

    2.] show aaa-server

    3.] show run tunnel-group

    4.] show run group-policy

    OR

    You can provide the 'sh run' of the ASA.

    Jatin kone
    -Do rate helpful posts-

  • VPN with LDAP on ASA 5510

    I have a problem with LDAP on the ASA. I want to set up LDAP authentication for remote-access VPN; before trying that, I want to test LDAP locally, and the problem is:

    debug ldap 255

    test aaa-server authentication ldap

    Server IP Address or name: 10.40.5.2

    Username: rian

    Password: *

    [2] Session Start

    [2] New request Session, context 0x41d1a04

    [2] Fiber started

    [2] Creating LDAP context with uri=ldap://10.40.5.2:389

    INFO: Attempting Authentication test to IP address <10.40.5.2> (timeout: 12 seconds)

    [2] Connect to LDAP server: ldap://10.40.5.2:389, status = Successful

    [2] Failed to bind as administrator returned code (49) Invalid credentials

    [2] Fiber exit Tx=37 bytes Rx=109 bytes, status=-2

    [2] Session End

    ERROR: Authentication Server fails: Invalid password

    What is the problem?

    If I log in to the server with the LDAP username and password, I can log in. More information: I have 2 domains, the first id.seapro.ad.crs.org and the second ID (the domain user's ID). I have used the first domain for the login and the second one not yet.

    Please help me, what is the problem?

    Correct answers. 'administrator' is not a valid login DN in an LDAP infrastructure. Follow what srue said and that will lead you in the right direction.


  • ASA 5520 - VPN using LDAP access control

    I'm setting up an ASA 5520 for VPN access. Authentication and authorization use an LDAP server. I have successfully configured the tunnel, and I can access internal resources. What I want to do now is limit access to a specific AD group membership. Without that group membership, a user cannot access the VPN.

    My VPN client software for testing is Cisco Systems VPN Client version 5.0.05.0290. The group authentication is configured in a connection entry that identifies the tunnel group. I think I wrote that correctly.

    The software version on the ASA is 8.3(1).

    My current challenge is getting the VPN to stop letting every access request through regardless of group membership. I found the thread below to be significantly useful, but there is obviously something that does not entirely mesh with my situation.

    https://supportforums.Cisco.com/message/3232649#3232649

    Thanking all in advance for any thoughts and advice offered.

    Configuration (AAA LDAP, group policy and tunnel group) is below.

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host x.x.y.12
     server-port 636
     ldap-base-dn dc=domain,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
     ldap-over-ssl enable
     server-type microsoft
     ldap-attribute-map LDAP_MAP
    aaa-server LDAP (inside) host x.x.y.10
     server-port 636
     ldap-base-dn dc=domain,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
     ldap-over-ssl enable
     ldap-attribute-map LDAP_MAP
    aaa-server LDAP (inside) host x.x.y.11
     server-port 636
     ldap-base-dn dc=domain,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
     ldap-over-ssl enable
     server-type microsoft
     ldap-attribute-map LDAP_MAP
    !
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol IPSec webvpn
     address-pools none
    group-policy DfltGrpPolicy attributes
     vpn-simultaneous-logins 10
     vpn-tunnel-protocol IPSec webvpn
     ipsec-udp enable
    group-policy vpn-pro internal
    group-policy vpn-pro attributes
     wins-server value x.x.y.17 x.x.y.27
     dns-server value x.x.y.19 x.x.y.29
     vpn-simultaneous-logins 50
     vpn-tunnel-protocol IPSec svc
     group-lock value vpn-pro
     default-domain value domain.com
     address-pools value ip-vpn-pro
     webvpn
      svc dpd-interval client none
      svc dpd-interval gateway 1800
    !

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group LDAP
     authorization-server-group LDAP
     default-group-policy vpn-pro
     authorization-required
    tunnel-group vpn-pro type remote-access
    tunnel-group vpn-pro general-attributes
     authentication-server-group LDAP
     authentication-server-group (outside) LDAP
     authorization-server-group LDAP
     default-group-policy vpn-pro
     strip-realm
     password-management
     strip-group
     authorization-required
    tunnel-group NOACCESSGROUP type remote-access
    tunnel-group NOACCESSGROUP general-attributes
     authentication-server-group LDAP
     default-group-policy NOACCESS

    Hello

    What you are looking for is configured with a feature called DAP (Dynamic Access Policy).

    The following link explains how to set it up.

    http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • LDAP authentication problems

    Hello

    I am able to get LDAP authentication working for the VPN, but when I test a user that is not defined in the VPN group in AD, they are still able to authenticate and access the VPN. I'm at a loss as to what the real problem is, because everything seems to be set correctly.

    I have attached the debug ldap logs for a user that works properly and for a user that does not work properly. I think they should authenticate against the group JOB_ADMINS_VPN, and if they are not in this group then they should be denied VPN connection rights.

    ldap attribute-map JOB_ADMIN_MAP
     map-name memberOf Group-Policy
     map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net JOB_ADMINS

    aaa-server JOB_ADMINS protocol ldap
    aaa-server JOB_ADMINS (Prod) host 10.5.1.11
     ldap-base-dn DC=test,DC=net
     ldap-group-base-dn OU=VPN,DC=test,DC=net
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net
     server-type microsoft
     ldap-attribute-map JOB_ADMIN_MAP

    I know I must be missing something small, but I don't know what it is. Any contributions to this issue will be greatly appreciated.

    Thank you!

    Please review the config listed below and see what you are missing; otherwise, share the "sh run" of the ASA.

    Configuration to limit access to a particular Windows group on AD:

    group-policy noaccess internal
    group-policy noaccess attributes
     vpn-simultaneous-logins 1
     address-pools none

    ldap attribute-map LDAP-MAP
     map-name memberOf IETF-Radius-Class
     map-value memberOf <group-DN> <Group-Policy-Name>

    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD (<interface>) host <AD-server>
     server-port 389
     ldap-base-dn <base-DN>
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-dn <bind-DN>
     ldap-login-password <password>
     server-type microsoft
     ldap-attribute-map LDAP-MAP

    group-policy <Group-Policy-Name> internal
    group-policy <Group-Policy-Name> attributes
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol IPSec l2tp-ipsec ...
     address-pools value <pool>

    .....

    .....

    tunnel-group <tunnel-group-name> type remote-access
    tunnel-group <tunnel-group-name> general-attributes
     authentication-server-group LDAP-AD
     default-group-policy noaccess

    !

    !

    group-policy noaccess attributes
     vpn-simultaneous-logins 0

    Jatin kone

    -Do rate helpful posts-

  • CRL retrieval through LDAP on a c2611

    I work with certificates on a 2611 router. Everything works very well in combination with a CA, except polling for the revocation list.

    My CA publishes the CRL to something like:

    LDAP:///CN=CA-server,CN=ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

    In the 2611 router config I have the "crypto ca trustpoint CA-SERVER" section, where I put

    crl query ldap://<IP ADDRESS OF CA-SERVER>/CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

    But unfortunately it does not work. The router does not fetch a revocation list. I think it isn't even trying to connect (I do not see the LDAP traffic on the firewall).

    Does anyone know a solution for this problem? Is it maybe possible to retrieve the CRL over HTTP?

    Thank you

    Angelo.

    I don't know what version of code you use, so I'll give you a little IOS history.

    Before IOS 12.1(5), SCEP was used with Microsoft CAs to retrieve the CRL. However, since the SCEP protocol is not a very effective method for retrieving CRLs, we added support for retrieving CRLs via LDAP and HTTP. IOS determines how to retrieve the CRL from the actual certificate, using the CDP. In the certificates you show, the CDP is specified via LDAP, so the router will try to get it using this method (assuming the code is later than 12.1(5)).

    However, the problem you are experiencing is due to the 'strange' LDAP URL format in the certificates. Microsoft Enterprise certification authorities put file specifications in the LDAP URL using multiple CommonNames (CN=a) and the ?XXX construct. IOS does not like the file-name specifications in the URL at this time.

    IOS works fine with a CDP that specifies an HTTP URL, or an LDAP URL without all the CN stuff. The 'crl query' URL in the config is ignored if the certificate contains a CDP with an http:// or ldap:// URL (without all the CN); however, if it contains an LDAP URL in the format you show, then the 'crl query' command is used. IOS still does not handle all the CN stuff etc., so specifying a 'crl query' command with all that won't work, as you've seen.

    You can change your MS CA server to put an HTTP or LDAP URL directly in the certificate, or make your CRL available on an HTTP server somewhere and then add a 'crl query' pointing directly at it. Because the router does not understand the LDAP CRL in the cert, it will use the 'crl query' location you specify and it should work for you.
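The LDAP-form CRL distribution point URLs behind both the first post (a fresh install fetching a CRL from crl.gds.disa.mil over tcp/389) and this 2611 thread, parsed in Python as an added example that is not code from either thread, Apple or Cisco. The DISA DN and the 10.0.0.5 URL are constructed samples; the allow-list check is how a defender confirms that such outbound LDAP is explained by a certificate's CDP rather than something else.

```python
"""Parse RFC 4516 LDAP URLs used as CRL distribution points (CDPs) and check
which hosts they point at. Added example; not code from the thread, Apple or Cisco."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit


@dataclass
class LdapCdp:
    host: Optional[str]   # None for "ldap:///..." (no host: the client must know the directory)
    port: int
    rdns: List[str]       # the DN split into RDNs, percent-decoding applied
    attributes: List[str]
    scope: str
    filter: str


def parse_ldap_cdp(url: str) -> LdapCdp:
    """Split ldap://host:port/dn?attributes?scope?filter?extensions into its parts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    fields = parts.query.split("?") if parts.query else []
    attributes = [a for a in (fields[0].split(",") if fields else []) if a]
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"   # RFC 4516 default
    ldap_filter = unquote(fields[2]) if len(fields) > 2 else ""
    dn = unquote(parts.path.lstrip("/"))
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return LdapCdp(
        host=parts.hostname,
        port=parts.port or (636 if scheme == "ldaps" else 389),
        rdns=rdns, attributes=attributes, scope=scope, filter=ldap_filter,
    )


def is_ms_enterprise_style(cdp: LdapCdp) -> bool:
    """The multi-CN plus '?certificateRevocationList?...' form that the IOS reply
    above says the router of that era could not handle."""
    cn_count = sum(1 for r in cdp.rdns if r.lower().startswith("cn="))
    attrs = [a.lower() for a in cdp.attributes]
    return cn_count > 1 and "certificaterevocationlist" in attrs


def unexpected_crl_hosts(urls: List[str], allowed_hosts: List[str]) -> List[str]:
    """Defender's check: CDP hosts that are not on the allow-list of expected CRL
    servers. Host-less ldap:/// URLs cannot be checked and are reported as '<no host>'."""
    allowed = {h.lower() for h in allowed_hosts}
    out = []
    for url in urls:
        cdp = parse_ldap_cdp(url)
        if cdp.host is None:
            out.append("<no host>")
        elif cdp.host not in allowed:
            out.append(cdp.host)
    return out


# Constructed samples: the Microsoft-style URL from the 2611 thread (its placeholders
# kept), a DISA-hosted URL whose DN is invented here, and a third invented URL.
MS_CDP = ("LDAP:///CN=CA-server,CN=ServerName,CN=CDP,CN=Public%20Key%20Services,"
          "CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int"
          "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
DISA_CDP = ("ldap://crl.gds.disa.mil/cn=DOD%20EMAIL%20CA-25,ou=PKI,ou=DoD,"
            "o=U.S.%20Government,c=US?certificateRevocationList")
OTHER_CDP = ("ldap://10.0.0.5:3268/cn=Example%20CA,cn=CDP,dc=example,dc=int"
             "?certificateRevocationList?base")

if __name__ == "__main__":
    for u in (MS_CDP, DISA_CDP, OTHER_CDP):
        c = parse_ldap_cdp(u)
        print(c.host, c.port, c.scope, c.attributes,
              "ms-style" if is_ms_enterprise_style(c) else "plain")
    # Only crl.gds.disa.mil is expected here, so the other two are flagged.
    print(unexpected_crl_hosts([MS_CDP, DISA_CDP, OTHER_CDP], ["crl.gds.disa.mil"]))
```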

  • Trying to authenticate users of an LDAP group - all users authenticated

    The ASA successfully authenticates all users, whether or not they are in the OKCVPNAccess user group, and the ASA correctly sees the LDAP attribute map. There is only a single policy.

    [54] memberOf: value = CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
    [54] mapped to IETF-Radius-Class: value = LDAPPolicy

    I've been through a lot of documentation on Cisco's web sites and also looked at several forums, but I'm coming up blank as to what I can try next. I know it will work with RADIUS, and I've used RADIUS several times in the past, but that isn't an option; I was asked to do it with LDAP. Any suggestions? I've included part of the setup, and I tried to sanitize it somewhat, so there may be a name inconsistency here or there.

    Thank you

    ldap attribute-map LDAPMAP
     map-name memberOf IETF-Radius-Class
     map-value memberOf CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.12.34.248
     server-port 389
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn xxx\vpn.auth
     server-type microsoft
     ldap-attribute-map LDAPMAP

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic outside_dyn_map
    crypto map CRYPTO-MAP interface outside

    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp disconnect-notify

    group-policy CRYPTOGP internal
    group-policy CRYPTOGP attributes
     banner value Use of this system is ... Please log out immediately!
     dns-server value 10.12.34.248 10.129.8.136
     vpn-tunnel-protocol IPSec
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITTUNNEL
     default-domain value xxx.local

    tunnel-group CRYPTO-OKC-VPN type remote-access
    tunnel-group CRYPTO-OKC-VPN general-attributes
     authentication-server-group LDAP
     address-pool IPPOOL
     default-group-policy CRYPTOGP
     authentication-server-group LDAP
    tunnel-group CRYPTOOKC-VPN ipsec-attributes
     pre-shared-key *

    In my view, the LDAP map is just for mapping an LDAP attribute to an appropriate group policy; you can then control user access with the group policy.

    Here is an example.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

    After the VPN user is connected, can you use "show vpn-sessiondb" to check which group policy is used?

    Moreover, I did not see 'LDAPPolicy' defined in your configuration.

  • VPN for remote users if no RADIUS or LDAP servers are available?

    Dear people,

    I have an ASA 5510 Adaptive Security Appliance with the features below.

    Now, what is the best way to set up VPN securely for remote users if I have no LDAP or RADIUS server?

    HOFW# sh flash:
    #    length    date/time             path
    181  14137344  Mar 03 2003 08:36     asa804-k8.bin
    195  436       Sep 01 2012 16:28:05  bar.emf
    75   4096      Nov 10 2011 18:41:26  log
    192  1335      Nov 10 2011 18:41:26  log/recovery-event.388.20111110.131127
    79   4096      Jan 19 2009 16:12:34  crypto_archive
    182  7562988   Jan 19 2009 16:14:06  asdm-613.bin
    184  4863904   Jan 19 2009 16:15:44  securedesktop_asa_3_3_0_129.pkg.zip
    185  4096      Jan 19 2009 16:15:46  sdesktop
    194  1462      Jan 19 2009 16:15:46  sdesktop/data.xml
    186  2153936   Jan 19 2009 16:15:46  anyconnect-win-2.2.0133-k9.pkg
    187  3446540   Jan 19 2009 16:15:48  anyconnect-macosx-powerpc-2.2.0133-k9.pkg
    188  3412549   Jan 19 2009 16:15:50  anyconnect-macosx-i386-2.2.0133-k9.pkg
    189  3756345   Jan 19 2009 16:15:52  anyconnect-linux-2.2.0133-k9.pkg

    Regards
    Vesta
    "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

    With the ASA you will be somewhat limited in what you can do for remote-access VPN.

    There are two ways to set that up:

    (1) using SSL VPN with the AnyConnect client.

    For this you need either the quite expensive AnyConnect Premium license for the number of concurrent users you plan to accept, or the cheap AnyConnect Essentials license, which will give you 250 AnyConnect users, which is the platform limit.

    But for the AnyConnect Essentials license you need to upgrade your ASA RAM, because you need a newer ASA operating system for it.

    But going this path will be the best option.

    (2) with the legacy IPSec client (EasyVPN). The client is EOL/EOS announced and will not get any more development. But for now it could be a way to go until you upgrade your ASA.

    Here is an example of how to configure your ASA for the old IPSec client:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Clientless SSL VPN - LDAP authentication to a different group policy

    Hi all

    I am currently working with Clientless SSL VPN. I have a problem with creating access for different users or blocking them.

    I created a tunnel/connection profile (WEB-VPN-TEST-Profil2) and a group policy WEB-VPN-TEST2. I joined them with the LDAP server. I also created an LDAP attribute map to allow only specific users access. I haven't created an address pool.

    What I'm trying to do is give access to the 'IT DBA' team and block access for everyone else in my organization. But at the login page, when I enter my password, I am able to connect even though I'm in the "IT Network" team. Here's what I've done (assume I work for abcxyz.com):

    =======================================================

    aaa-server BL_AD protocol ldap
    aaa-server BL_AD (inside) host 172.16.1.1
     ldap-base-dn OU=abcxyz,DC=abcxyz,DC=com
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn [email protected]
     server-type microsoft
     ldap-attribute-map CL-SSL-ATT-map

    =======================================================

    ldap attribute-map CL-SSL-ATT-map
     map-name memberOf IETF-Radius-Class
     map-value memberOf "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2

    ========================================================

    webvpn
     enable inside
     tunnel-group-list enable
     internal-password enable

    ========================================================

    group-policy WEB-VPN-TEST2 internal
    group-policy WEB-VPN-TEST2 attributes
     vpn-tunnel-protocol webvpn
     group-lock value WEB-VPN-TEST-Profil2
     webvpn
      url-list value WEB-VPN-TEST-BOOKMARK
      customization value WEB-VPN-TEST2

    ========================================================

    tunnel-group WEB-VPN-TEST-Profil2 type remote-access
    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     authentication-server-group abcxyz_AD
     default-group-policy WEB-VPN-TEST2
    tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes
     group-alias WEB-VPN-TEST-Profil2 enable

    =========================================================

    Please let me know if there is any question, or let me know why I am still able to access even though I made my attribute map match only "IT DBA".

    Thanks in advance.

    BR.

    Adnan

    Hello Adnan,

    Here's what you do:

    group-policy NO-ACCESS internal
    group-policy NO-ACCESS attributes
     vpn-simultaneous-logins 0

    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     default-group-policy NO-ACCESS

    group-policy WEB-VPN-TEST2 attributes
     vpn-simultaneous-logins 3

    Kind regards
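The memberOf-to-group-policy pattern that the ASA threads above keep returning to (Guzmán's map-value plus NOACCESS default, Herbert's warning about DfltGrpPolicy inheritance, and Adnan's default-group-policy that is the allow policy itself), modelled in Python as an added example that is not Cisco's code or any poster's. The DN normalisation and the inheritance rule are simplified assumptions of this model, not documented ASA behaviour, and the memberOf values are constructed.

```python
"""Model of how an ASA LDAP attribute map and a 'deny' default group policy decide
VPN access. Added example, not Cisco code: a simplified model of the behaviour the
threads describe; DN comparison and inheritance rules are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GroupPolicy:
    name: str
    # vpn-simultaneous-logins; None = not set here, inherited from DfltGrpPolicy
    simultaneous_logins: Optional[int] = None


@dataclass
class TunnelGroup:
    name: str
    default_group_policy: str   # "default-group-policy <name>"


def normalise_dn(dn: str) -> str:
    # Assumption of this model: DNs compare case-insensitively, ignoring space around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))


@dataclass
class Asa:
    policies: Dict[str, GroupPolicy]
    # ldap attribute-map: map-name memberOf Group-Policy / map-value memberOf "<DN>" <policy>
    map_values: Dict[str, str] = field(default_factory=dict)
    dflt: GroupPolicy = field(default_factory=lambda: GroupPolicy("DfltGrpPolicy", 3))

    def map_value(self, dn: str, policy: str) -> None:
        self.map_values[normalise_dn(dn)] = policy

    def select_policy(self, member_of: List[str], tg: TunnelGroup) -> str:
        # First memberOf value with a map-value wins; otherwise the tunnel group's default.
        for dn in member_of:
            hit = self.map_values.get(normalise_dn(dn))
            if hit is not None:
                return hit
        return tg.default_group_policy

    def effective_logins(self, policy_name: str) -> int:
        gp = self.policies.get(policy_name)
        if gp is None or gp.simultaneous_logins is None:
            return self.dflt.simultaneous_logins or 0   # inherited from DfltGrpPolicy
        return gp.simultaneous_logins

    def decide(self, member_of: List[str], tg: TunnelGroup) -> Tuple[str, bool]:
        """Return (group policy applied, whether the login is allowed)."""
        name = self.select_policy(member_of, tg)
        return name, self.effective_logins(name) > 0


ALLOW_DN = "cn=ASA_VPN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com"   # group DN from the first ASA thread
# Constructed memberOf values, as AD would return them for two different users
MEMBER = ["CN=Domain Users,CN=Users,DC=xxx,DC=com",
          "CN=ASA_VPN,OU=ASA_VPN,OU=my group,DC=xxx,DC=com"]
OUTSIDER = ["CN=Domain Users,CN=Users,DC=xxx,DC=com"]


def build_asa(dflt_logins: int = 3, allow_logins: Optional[int] = None) -> Asa:
    asa = Asa(policies={"NOACCESS": GroupPolicy("NOACCESS", 0),
                        "RemoteAccess": GroupPolicy("RemoteAccess", allow_logins)},
              dflt=GroupPolicy("DfltGrpPolicy", dflt_logins))
    asa.map_value(ALLOW_DN, "RemoteAccess")
    return asa


def scenario_working():
    """Intended setup: mapped users get RemoteAccess, everyone else lands in NOACCESS."""
    asa, tg = build_asa(), TunnelGroup("RemoteAccess", "NOACCESS")
    return asa.decide(MEMBER, tg), asa.decide(OUTSIDER, tg)


def scenario_inherited_zero():
    """Herbert's point: vpn-simultaneous-logins 0 in DfltGrpPolicy is inherited by the
    allow policy and locks members out too; setting it explicitly (10) fixes that."""
    tg = TunnelGroup("RemoteAccess", "NOACCESS")
    return build_asa(dflt_logins=0).decide(MEMBER, tg), build_asa(0, 10).decide(MEMBER, tg)


def scenario_default_is_allow():
    """Adnan's problem: the tunnel group's default-group-policy is the allow policy itself,
    so unmapped users get in; pointing the default at the deny policy closes the hole."""
    asa = build_asa()
    before = asa.decide(OUTSIDER, TunnelGroup("WEB-VPN-TEST-Profil2", "RemoteAccess"))
    after = asa.decide(OUTSIDER, TunnelGroup("WEB-VPN-TEST-Profil2", "NOACCESS"))
    return before, after


if __name__ == "__main__":
    print(scenario_working())
    print(scenario_inherited_zero())
    print(scenario_default_is_allow())
```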

  • AnyConnect client certificate authentication and verifying the client's Microsoft AD domain membership using DAP via LDAP

    Hello

    As described in the title, I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 version 8.4 with an SSL Premium licence.

    Clients use a machine certificate to authenticate to the ASA. It works very well.

    Now I want to set up a DAP to check the client against Microsoft AD using LDAP. I have configured the LDAP server in the ASA as follows:

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host ldap.com
     ldap-base-dn DC=x,DC=x,DC=x,DC=com
     ldap-scope subtree
     ldap-login-password *
     ldap-login-dn *
     server-type microsoft

    I see that it works if I test via the server test button in ASDM, and I also see it in the CLI with "debug ldap 255". But if I configure in DAP: AAA attribute ID memberOf = Membre_domaine, I can't see any request to the LDAP server when I try to connect with the client, and it does not match the DAP.

    No idea where the problem lies?

    Thanks in advance

    Hi Klaus,

    DAP will not make any LDAP call itself; it will only act based on the LDAP attributes received via LDAP authentication or authorization.

    So you will need to enable LDAP authorization in the tunnel-group / connection profile.

    Once you have, you can use either DAP or an LDAP attribute map to accept/deny access; see the example for these two methods.

    HTH

    Herbert

  • remote access VPN authentication and LDAP

    I have a test environment with 2 ASA 5505 firewalls: the first firewall is the remote-access VPN server, and inside this firewall is a domain network with a domain controller, a DNS server and a workstation. DHCP is disabled and the PCs have static addresses. The outside of the VPN server is attached to the outside of the other ASA 5505 firewall. On the inside of that firewall there is a workstation. The workstation should connect via remote-access VPN to the domain network. I have configured the VPN server for remote access through a wizard, and its configuration is the following:

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.13.74.5 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.30.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name dri.local
    access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
    access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.30.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
     action terminate
    dynamic-access-policy-record vpnldap
     network-acl inside_nat0_outbound
    aaa-server vpn protocol ldap
    aaa-server vpn (inside) host 10.13.74.20
     ldap-base-dn DC=DRI,DC=LOCAL
     ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=test,cn=users,dc=dri,dc=local
     server-type microsoft
    http server enable
    http 10.13.74.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 10.13.74.9-10.13.74.40 inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy drivpn internal
    group-policy drivpn attributes
     dns-server value 10.13.74.20 10.8.2.5
     vpn-tunnel-protocol IPSec l2tp-ipsec
     default-domain value dri.local

    tunnel-group drivpn type remote-access

    tunnel-group drivpn general-attributes

    address-pool vpnpool

    authentication-server-group vpn

    default-group-policy drivpn

    tunnel-group drivpn ipsec-attributes

    pre-shared-key *

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    !

    service-policy global_policy global

    prompt hostname context

    Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d

    : end

    When I tried from a workstation on the internal side of the second firewall (not the remote access VPN server) to connect to the VPN, everything is OK. I used the Cisco VPN client, but I can't ping the domain controller or the workstations, and I can't use the shared folders on them. Why?

    Please help me

    Thank you
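    As an added example that is not part of the thread, a small Python check over the relevant lines of the posted configuration: it parses the VPN address pool and the two ACLs, confirms whether the pool lies inside the NAT-exemption ACL referenced by `nat (inside) 0`, and lists which protocols the inbound interface ACL permits from the pool. The excerpt, function names and the check itself are constructed here and are not Cisco's code.

```python
import ipaddress

# Constructed excerpt of the configuration posted above (pool, NAT exemption
# ACL, inbound interface ACL and the nat 0 statement); other lines omitted.
ASA_CONFIG = """
ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def _spec(tokens, i):
    """Parse one ASA address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({pool name: (first, last)}, [(acl name, proto, src net, dst net)])."""
    pools, aces = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            src, i = _spec(t, 5)
            dst, _ = _spec(t, i)
            aces.append((t[1], t[4], src, dst))
    return pools, aces


def check_pool(pools, aces, pool_name, nat0_acl, inbound_acl):
    """Is the whole pool NAT-exempt, and which protocols may it send inbound?"""
    lo, hi = pools[pool_name]
    nat_exempt = any(name == nat0_acl and lo in dst and hi in dst
                     for name, _, _, dst in aces)
    protos = sorted({proto for name, proto, src, _ in aces
                     if name == inbound_acl and lo in src and hi in src})
    return {"nat_exempt": nat_exempt, "inbound_protocols": protos}


if __name__ == "__main__":
    pools, aces = parse_config(ASA_CONFIG)
    print(check_pool(pools, aces, "vpnpool", "inside_nat0_outbound", "outside_access_in"))
    # → {'nat_exempt': True, 'inbound_protocols': ['tcp']}
```

    The excerpt's inbound ACL permits only TCP from the pool, so a ping from a VPN client would not match it; whether that ACL is applied to decrypted VPN traffic at all depends on `sysopt connection permit-vpn`, which is enabled by default on the ASA and does not appear in the posted fragment.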

    Thanks for letting me know! Can you please mark the post as "answered"? Thank you!

  • LDAP Sun

    Experts,

    Please let me know how to install the Sun LDAP connector and server in OIM 11g 2.

    Refer to this

    http://Srini-bellamkonda.blogspot.com/2012/11/installaling-and-configuring-odsee-for.html

  • Successive LDAP logins fail after the first LDAP authentication with a wrong password

    Hello

    I am currently integrating the Oracle CC&B utility with LDAP (Sun Java Directory Server - SunOne), but I am posting here because CC&B delegates the authentication task to the WebLogic server (I use WLS version 10).

    In WebLogic, I configured two authentication providers:
    1. the primary is the LDAP authentication provider (control flag set to OPTIONAL)
    2. the secondary is the default authentication provider (control flag set to OPTIONAL)

    Currently, some CC&B users are stored in LDAP, and some others (mostly system users) are stored in the default authentication provider.

    To make the problem clearer, I did a test with the following scenario:
    1. user LDUser2 (stored in LDAP) logs in with the correct password -> success
    2. user sysuser (stored in the default authentication provider) logs in with an incorrect password -> access denied (which is good and normal)
    3. user LDUser2 (stored in LDAP) logs in with the password -> success, OK
    4. user sysuser (stored in the default authentication provider) logs in with the correct password -> success, OK
    5. user LDUser2 (stored in LDAP) logs in with an incorrect password -> access denied, which is normal. However, from this point the problem starts
    6. user LDUser2 (stored in LDAP) logs in with the right password -> access denied, KO, this is the problem
    7. user LDUser1 (also stored in LDAP, like LDUser2) logs in with the right password -> access denied, KO, big problem
    8. user LDUser7 (stored in the default authentication provider) logs in with the right password -> access granted
    9. restarting the server resets the situation, but once a user stored in LDAP logs in with a wrong password (point 5), login attempts by users stored in LDAP fail.

    It seems that after the first LDAP authentication with a wrong password, all login attempts by users stored in LDAP fail.

    Help, please.
    Thank you.

    Jeffry

    Hello

    Does a login attempt on the WebLogic console give the same result?

    If I'm not wrong, up to WLS 10.3 there is a reported problem where, once a user logs in with an incorrect username and password, all attempts after that result in login failure.

    The patch is available from support for WLS up to 10.3.

    This might be the issue, however it needs to be checked.

  • MaxPageSize problem/Question about Active Directory in my organization.

    Hello guys, I'm having a weird problem with Active Directory in my organization.

    Long story short:

    In my environment, the MaxPageSize value is at its default (1000), and MaxValRange is also at its default (1500).

    However, in the Exchange Event Viewer, I see the event below several times:

    An LDAP search on directory server SRV1.DOMAIN.COM has exceeded the administrative limit. Only the first 100 entries have been returned successfully by the search request.

    My question is: if MaxPageSize controls the number of objects returned in a single search result, and it is currently set to 1000, why does Exchange see only the first 100 entries of each search?

    Any help would be greatly appreciated.

    Thanks in advance :-)

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home
