LDAP Authentication for CLI and ASDM Access

Unanswered Question
Feb 13th, 2009

Greetings All,

I have setup the LDP authentication for VPN access using LDP and mapping Group-Policy based on the "memberOf" attribute. I would also like to use LDAP authentication into CLI and ASDM, anyone know the Attriutes I need to set for that? I figure it has something to do the Cisco AV pair, priv-lvl=15 or something like that..

thanks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (1 ratings)
Loading.
Ivan Martinon Fri, 02/13/2009 - 18:30

Hey, first thing to have in mind is that the Firewalls, namely asa and pix do not support exec authorization in the way IOS does; meaning that you will not be placed into the privilege level you would expect by passing privilege level 15 to the user. The exec authorization that the firewalls will do will be one in which you will be checked for access to the cli or not. In other words using the Service-Type values admin, remote-access and nas-prompt you will be checked to whether you are authorized to access the console/CLI and asdm (admin) only console/CLI (nas-prompt) and only remote access and no cli ASDM access (remote-access)

So that been said, you need to make whatever value you define on your ldap setup to the radius service-type attributes, defining a value of 6 for admin and 7 for nas-prompt.. and I can't remember which is the value for remote-access. And after doing so you will need to define the command aaa authorization exec auth-server which is depicted on the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397

On a side note, you might find a little caveat when using the nas-prompt value for asdm access restriction, you will find out that you will be able to access it in full mode and not as how the link shows.

HTH

melcara Tue, 03/03/2009 - 09:16

Thanks for your ideas...

I have been testing out today and apparently the service-type is not supported in the LDAP mapping.

But you can do this....

aaa authentication enable console test-ad

aaa authentication telnet console test-ad

aaa authorization command LOCAL

aaa-server test-ad (inside) host a.b.c.d

ldap-base-dn CN=Users,DC=test,DC=int

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=asa ldap,CN=users,DC=test,DC=int

server-type microsoft

ldap-attribute-map AD-map1

ldap attribute-map AD-map1

map-name memberOf Privilege-Level

map-value memberOf "CN=ASA Admin Group,CN=Users,DC=test,DC=int" 15

this sets the priv level...the you can control commands that way.

I would like to know now...is the a quick easy way to restrict all commands at priv level 1 and 0...so the user really can't enter any command or see commands with the "?"...

thanks

Ivan Martinon Tue, 03/03/2009 - 09:22

The key point is that the value of the service type needs to be taken from any attribute defined on LDAP (can be anyting as long as it has value 1 or 6) and then you map this to IETF-Radius-Service Type or something like that.

For command authorization TACACS is the only method.

melcara Tue, 03/03/2009 - 14:08

The problem is the Auth-Service-Type is not supported as an ldap attribute that can be mapped too...I tried it.

the ASA documentation says to do it, but in the features supported list, the attribute is not supported.

melcara Sat, 03/21/2009 - 10:08

I looked at this again today, and I see what you are pointing me too, but the row in the table of supported features show the Auth-Service-Type is not supported. All cell in the column are blank and I tried a few thinks and no avail..

melcara Sat, 03/21/2009 - 11:48

I finally figured this out...

This config below sets up the ASA to authentication to AD-LDAP (and other LDAP's) for local ASDM, SSH, CLI, and Enable access.

aaa authentication http console ldap2

aaa authentication serial console ldap2

aaa authentication ssh console ldap2

aaa authentication telnet console ldap2

aaa authentication enable console ldap2

aaa authorization exec authentication-server

aaa-server ldap2 (inside) host 10.1.1.1

ldap-base-dn dc=test,dc=int

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=FW_ACCOUT,OU=Firewall,dc=test,dc=int

server-type microsoft

ldap-attribute-map TEST2

ldap attribute-map TEST2

map-name memberOf IETF-Radius-Service-Type

map-value memberOf CN=IT,OU=Firewall,DC=test,DC=int 6

map-value memberOf CN=Staff,OU=Firewall,DC=test,DC=int 5

the key commands are ...

aaa authorization exec authentication-server

ldap attribute-map TEST2

map-name memberOf IETF-Radius-Service-Type

map-value memberOf CN=IT,OU=Firewall,DC=test,DC=int 6

map-value memberOf CN=Staff,OU=Firewall,DC=test,DC=int 5

Here is the URL that finally put me on track....

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

the key is the service types.....

RADIUS or LDAP (mapped) users-Use the IETF RADIUS numeric Service-Type attribute which maps to one of the following values. (To map LDAP attributes, see the "LDAP Attribute Mapping" section on page 13-15.)

-Service-Type 6 (admin)-Allows full access to any services specified by the aaa authentication console commands.

-Service-Type 7 (nas-prompt)-Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.

-Service-Type 5 (remote-access)-Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote-access (IPSec and SSL) users can still authenticate and terminate their remote-access sessions.

next step...restrict users to only level 7....

Ivan Martinon Mon, 03/23/2009 - 08:30

Mhhh I tried this several times on the past, you might run into an issue in which regardless of them being assigned to the right service type (7) they will still have access to ASDM configuration.

Actions

This Discussion