VPN Authentication via LDAP with AD Group Membership.

d.eberwein, Level 1

I want to authenticate my SSL-VPN connections against LDAP (Active Directory). Now I'm able to query against a username, but I'm not able to query whether the user exists AND whether the user is in a specific AD group.

Is this possible?

13 Replies

Jagdeep Gambhir, Level 10

Yes, that is possible.

Example:

cn=users is the container that the users are in. dc=ad1,dc=test is basically the domain. Think of those as ad1.test or cisco.com.

The rest are attributes within Active Directory/LDAP. These are things that the domain administrator should be able to give you.

Basically, let's say you have an AD server for cpm.com. If you did a standard AD install that has the typical Users group, etc., then you would want to make the following changes:

User Directory subtree: cn=users,dc=cpm,dc=com

Group Directory subtree: cn=users,dc=cpm,dc=com

Hostname: the IP of your domain controller

Admin DN: cn=administrator,cn=users,dc=cpm,dc=com

Regards,

~JG

Please rate if helps

Thank you for the fast answer.

I don't understand this.

On my ASA I have configured the LDAP server and as "ldap-naming-attribute" I have chosen "sAMAccountName". Now the username is queried. This is OK. But now I want to query not only whether the username exists, but also whether the user is in a particular group.

Can I do this with the "ldap attribute map"?

If yes, how can I do this?

Here it is:

Mapping LDAP memberOf (group) to ASA/PIX cVPN3000-IETF-Radius-Class

Note: The ASA/PIX uses the Cisco LDAP attribute cVPN3000-IETF-Radius-Class to enforce policies from a specific group-policy for Remote Access VPN sessions (IPSec, SVC, WebVPN Clientless). The LDAP attribute is equivalent to Radius Class (25) attribute.

1) On the ASA create an ldap-attribute-map with the minimum mapping and associate it with the ldap aaa-server.

5520-1(config-aaa-server-host)# show runn ldap
ldap attribute-map Map1
  map-name memberOf cVPN3000-IETF-Radius-Class
  map-value memberOf CN=AD-Group1,CN=Users,DC=CompanyA,DC=com ASA-Group1-Allow-Access
  map-value memberOf CN=AD-Group2,CN=Users,DC=CompanyA,DC=com ASA-Group2-Deny-Access
5520-1(config-aaa-server-host)#

2) What is being enforced with the above mapping?

1) user1 in AD group AD-Group1 will be placed on ASA group-policy ASA-Group1-Allow-Access. In this ASA group you can then set vpn-tunnel-protocol to allow only svc and webvpn types, for example.

2) user2 in AD group AD-Group2 will be placed on ASA group-policy ASA-Group2-Deny-Access. In this ASA group you can then set vpn-tunnel-protocol to allow only ipsec types, for example. Therefore svc/webvpn types would be disallowed.

Note: If the AD user is part of multiple AD groups, make sure the AD user's memberOf/group of interest is at the top of the list, since as of 7.2.x the appliance only enforces the 1st memberOf attribute that is parsed.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/extsvr.html

Regards,

~JG
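To make the mapping above concrete, here is an added example (not code from the thread or from Cisco) that parses the `ldap attribute-map` block as `show run ldap` prints it and emulates which group-policy the ASA would land a user on from the ordered memberOf values AD returns. The `first_only` flag models the 7.2.x limitation JG describes; the exact-string DN match and the sample config text are assumptions of this emulation.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample: the attribute map from the thread, as 'show run ldap' prints it.
SHOW_RUN_LDAP = """\
ldap attribute-map Map1
  map-name memberOf cVPN3000-IETF-Radius-Class
  map-value memberOf CN=AD-Group1,CN=Users,DC=CompanyA,DC=com ASA-Group1-Allow-Access
  map-value memberOf CN=AD-Group2,CN=Users,DC=CompanyA,DC=com ASA-Group2-Deny-Access
"""

@dataclass
class AttributeMap:
    name: str
    names: dict = field(default_factory=dict)    # LDAP attribute -> Cisco attribute
    values: dict = field(default_factory=dict)   # (LDAP attr, LDAP value) -> Cisco value

def parse_attribute_map(text):
    """Parse one 'ldap attribute-map' block out of ASA running-config text."""
    amap = None
    for line in text.splitlines():
        tok = shlex.split(line)          # honours quoted DNs that contain spaces
        if not tok:
            continue
        if tok[:2] == ["ldap", "attribute-map"]:
            amap = AttributeMap(tok[2])
        elif amap and tok[0] == "map-name":
            amap.names[tok[1]] = tok[2]
        elif amap and tok[0] == "map-value":
            amap.values[(tok[1], tok[2])] = tok[3]
    return amap

def group_policy_for(amap, memberof, first_only=True):
    """Emulate the mapping: return the group-policy name the ASA would receive via
    cVPN3000-IETF-Radius-Class, or None when no map-value matches (the user then
    gets no policy from this map). memberof is the list of DNs in the order AD
    returned them; first_only=True models 7.2.x consulting only the first value.
    Assumption: map-value DNs are compared as exact strings."""
    if amap is None or amap.names.get("memberOf") != "cVPN3000-IETF-Radius-Class":
        return None
    for dn in (memberof[:1] if first_only else memberof):
        if ("memberOf", dn) in amap.values:
            return amap.values[("memberOf", dn)]
    return None
```

A user whose first memberOf value is an unmapped group (Domain Users, say) gets no policy under `first_only=True`, which is exactly the ordering problem the note above warns about.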

The single AD group (memberOf) limitation will be removed in 7.3, where we are able to make policy decisions based on multiple AD groups.

Thanks for the fast answer.

Is it possible to only map an LDAP group with "Allow Access" without mapping an LDAP group with "No-Access"?

I only want to move users to the "Allow Access" group in Active Directory without moving all other clients to the "No-Access" group.

Is this possible?

Thanks

You mentioned support for multiple AD groups in v7.3. Do you have an idea when v7.3 will be released?

Also, do you know if support for members of multiple groups will be available on the ACS too? Right now, if a user belongs to multiple groups within the AD, I have ACS-HR and ACS-Payroll mapped to an ACS HR+Payroll group and then I use the combined downloadable ACLs for this access. But when you have 30 servers/apps or services to control and users can be members of many groups, it turns into a group scalability issue very quickly.

If the ACS could check all group memberships, aggregate the defined ACLs from each group and return them to the ASA, this would be a positive step in the right direction (more suitable for an enterprise solution).

Thanks in advance for your feedback.

fawadnoorkhan, Level 1

Why aren't you using Cisco Secure ACS to make life much easier? I can give you great help in the same scenario as you want, but through Cisco Secure ACS.

We have the same issue, but our budget does not allow us to spend more ($6000) for this project. IAS is working fine, but we must find a solution for it.

Fawadnoorkhan,

I am trying to do exactly this with ACS. I can get users to authenticate to Windows, but I want to limit it only to a specific Windows AD group. When I set up a group mapping in ACS for the AD group "vpnusers", ACS says "vpnusers,*" and it lets any user in. Why does the * appear? I only want members of the vpnusers group to have access.

Thanks!

Dan

If your group mapping is not working, that is a separate issue.

Answer to your question about "vpnusers,*".

It means that all those users who have membership in the group "vpnusers" on AD should get mapped to this group; * means that, other than the "vpnusers" group membership, the user can have membership in any other group.

But the above mentioned mapping will only come into effect if the user has "vpnusers" group membership.

Which is quite obvious, as generally every user has membership in Domain Users. And in a practical scenario, a user on AD may be required to have membership in many groups.

We cannot remove "*"; it is by design on ACS.

In your case, check the order of the mappings, as it is very important and works similarly to an access list, top to bottom.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538

"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."

Group Mapping Order:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940485

Regards,

Prem

Thanks for the explanation of the "*" Prem. I guess my problem is with the Group mapping. It doesn't seem to matter if the Active Directory user is a member of the AD group "vpnusers" or not, the ACS still lets them in. It's as if the ACS isn't even checking for the AD group vpnusers.

Thanks,

Dan

Are you using an external group policy or a local one for the VPN configuration?

Secondly, about the mapping, you can always set DENY on the DEFAULT group, because the order of the mapping will always ALLOW the REST of the AD groups to be mapped to the DEFAULT group of ACS. So set the configuration to deny anything to the default group.
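As an added illustration of Prem's explanation of the "*" and of the mapping order, plus the deny-on-Default advice above (example code written here, not from the thread or from ACS), the following emulates ACS group mapping as an ordered, first-match list of AD group sets. The mapping table, the ACS group names and the per-group access table are constructed for the example.

```python
# Constructed sample ACS group mapping, evaluated top to bottom like an access list.
# Each entry: (set of AD groups the user must hold, ACS group it maps to). The
# trailing '*' ACS shows means membership in additional AD groups is ignored.
GROUP_MAPPING = [
    ({"vpnusers"}, "VPN-Users"),
    ({"ACS-HR", "ACS-Payroll"}, "HR+Payroll"),   # combined set must precede "HR"
    ({"ACS-HR"}, "HR"),
]
DEFAULT_GROUP = "Default Group"   # ACS Group 0, where every unmatched user lands

# Constructed per-ACS-group decision: does the group's configuration grant VPN access?
ACCESS = {"VPN-Users": True, "HR+Payroll": True, "HR": True, DEFAULT_GROUP: False}

def map_user(ad_groups, mapping=GROUP_MAPPING):
    """Return the ACS group for a user: the first mapping entry whose required
    AD groups are all present in the user's membership list wins (the '*' is
    the subset test); no match means the Default Group."""
    user = set(ad_groups)
    for required, acs_group in mapping:
        if required <= user:
            return acs_group
    return DEFAULT_GROUP

def is_allowed(ad_groups, mapping=GROUP_MAPPING, access=ACCESS):
    """Access decision for the user, derived from the mapped ACS group."""
    return access.get(map_user(ad_groups, mapping), False)
```

If the Default Group permitted access, a user whose AD membership was never returned to ACS would be let in, which is the symptom Dan describes; with the Default Group denied, that user is rejected instead.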

Hi Dan,

I cannot deny that; it might be that something is not working right with ACS group mapping, because recently I saw one instance in which no matter what group mapping you did, it always mapped the user to Group 0 [Default Group].

I am still looking into it. To be specific, I experienced this on v4.1.1 with patch 5.

If I find something I'll let you know.

Regards,

Prem

Here's an update: if we have Group Mapping configured on ACS but it's not working,

check the group type of the group on AD. If it's Domain Local or something else, try changing it to the Universal group type. Then try again.

Also, just wanted to update that 4.1.4 is out, so go grab it.

Regards,

Prem
