02-02-2009 12:24 PM - edited 02-21-2020 03:15 AM
I'm trying to configure an ASA5540 to use LDAP for remote access user authorization. I am using certificates for authentication, and using the userPrincipalName field from the certificate for authorization purposes. I am trying to set up an LDAP attribute map which will only allow a user to connect to VPN if he/she is a member of a specific group. I haven't been able to get this working. The problem I have run into is that even if a user isn't a member of the group I have defined in the LDAP attribute map, the user will be authorized because the user account exists in AD. Any help would be greatly appreciated.
02-02-2009 05:28 PM
Can you post your LDAP configuration and your LDAP attribute map configuration? You need to map the memberOf value to the Radius-IETF-Class, which will map to the desired group policy. When there is no match, they should fall within the DefaultGroupPolicy (not the exact name), which then will not allow them to connect. Please post your config and I will tell you what you are missing.
02-03-2009 05:59 AM
I'm actually not trying to use the LDAP map to put users into a group policy, I am using group urls and the users know which url to use. All I want the LDAP map to do is verify that the user is a member of the group they are trying to VPN with, and deny them access if they aren't. What I've noticed is that even if a user is not a member of the correct group, they will pass authorization.
02-03-2009 07:13 AM
How are you authenticating?
02-03-2009 07:28 AM
Authentication is done by requiring client certificates and using OCSP responders to check for certificate revocation.
02-03-2009 07:50 AM
OK, so basically you only have authorization required on the tunnel group, but you have not told the device what would be a non-authorized state, right?
02-03-2009 07:55 AM
Correct. I'm not really sure how to tell the ASA what it should be looking for. It seems like the LDAP attribute map options for IETF-Radius-Class are only for matching AD groups to VPN groups. I've been using Tunneling-Protocols, which does ensure the user connects with the proper method, but doesn't have a true/false option. Any suggestions?
02-03-2009 08:03 AM
When using the LDAP map, you can map the memberOf, for example, either to a tunnel protocol which is allowed versus one which is not, or to a specific group policy which does or does not have permission to connect. I have done this several times and this is the most viable solution for me in your kind of setup.
02-03-2009 08:11 AM
I am using the memberOf attribute and tying it to the Tunneling-Protocols Cisco Name. Up until now, it seems like the ASA would accept the user even if they weren't a member of the AD group I am pointing it to. In my testing today though, if you aren't a member of the group it will take you to a "Goodbye" page. What gets returned to the ASA when it uses the LDAP attribute map?
02-03-2009 08:57 AM
This should give you an idea of what I am talking about:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html
02-03-2009 09:20 AM
Thanks for your help. After looking through those, I think I am going to have to change some AD settings to get this to work as I envisioned.
04-28-2009 09:36 AM
Hello jgolson,
I have the same problem. I want to allow only the users that are in the VPN group. But the ASA seems to allow access for all users, not just for those that are in the VPN group.
I read the links that imartino sent.
Have you solved this problem? How?
Regards,
Fabio
04-28-2009 09:43 AM
Can you post the config that you have created to restrict the user? What is your policy to restrict the user? Are you using group policy tunnel protocol? Are you using dial-in access?
04-28-2009 10:19 AM
Hi Imartino...
Here is the ASA config for AAA, LDAP, and VPN... I don't know what is missing.
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY
VPN is the AD group that my users must be in to authenticate and have VPN access to the network; if the user isn't in the VPN group in AD, the user should not be able to connect.
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (inside) host LDAPHOST
 ldap-base-dn DC=domain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password 123456
 ldap-login-dn CN=asavpn,CN=Users,DC=domain,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
LDAPHOST is the server that hosts AD, and asavpn is the user account that has rights to authenticate against AD.
Here is the tunnel-group config:
tunnel-group VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAPSERVER
 default-group-policy VPN
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.1.4
 vpn-tunnel-protocol IPSec
Here is part of the debug output of the LDAP authentication process.
...
[4288] displayName: value = Fabio Silva
[4288] uSNCreated: value = 15114
[4288] memberOf: value = CN=VPN,DC=domain,DC=local
[4288] mapped to IETF-Radius-Class: value = VPNPOLICY
....
But if I remove the user from the VPN group in AD, the authentication still succeeds.
What is wrong?
Best Regards.
04-28-2009 10:25 AM
That is because the user is assigned to the default group-policy that is configured on the tunnel group it is connecting to. You need to make this default group-policy somehow prevent the user from connecting if they are not mapped to the correct group-policy. What I do is set the tunnel-protocol to something different than IPSec.
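Putting the replies in this thread together, here is an added example of the denial configuration. It is not Fabio's config or Cisco's documentation text; it reuses the names from the posts above (CISCOMAP, LDAPSERVER, VPN-POOL, the AD group CN=VPN,DC=domain,DC=local, the mapped policy name VPNPOLICY) and assumes the fallback policy name NOACCESS, which is a placeholder. The first part is the weak setting from the posted config, the second part the corrected form.

```cisco
! --- Weak (as posted): the tunnel group's default group-policy "VPN"
!     allows IPSec, so any AD user who matches nothing in the attribute
!     map still receives that policy and connects.
tunnel-group VPN general-attributes
 authentication-server-group LDAPSERVER
 default-group-policy VPN
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec

! --- Corrected: the attribute map is the only path to a usable policy.
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY
!
! Policy reached only through the mapped IETF-Radius-Class value. The
! name must match the map-value string exactly (VPNPOLICY, from the post).
group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.4
!
! Fallback policy for sessions with no memberOf match. NOACCESS is an
! assumed name. Zero simultaneous logins makes the ASA reject the session
! even though LDAP authentication itself succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAPSERVER
 default-group-policy NOACCESS
```

The reply above uses the other lever instead: give the fallback policy a vpn-tunnel-protocol the clients do not use, so a session that lands there fails protocol negotiation; either way the point is that the default group-policy, not the LDAP bind, is what decides an unmatched user's fate. To confirm the map is firing, run `debug ldap 255` during a test login and look for the `mapped to IETF-Radius-Class: value = VPNPOLICY` line shown in the posted debug; a user removed from the group should show no such line and should then be refused rather than connected.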