08-27-2009 10:25 PM - edited 03-10-2019 04:39 PM
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership. I'm just stumped with how to kick off the second step to check group membership.
Anyone have a sample config floating around?
08-28-2009 04:48 AM
Hi John,
I went through your detailed explanation and the screen shot attached. Your config still needs some changes, like the scope and the LDAP attribute map.
Here is a sample config that you may refer to:
- Configuration for restricting access to a particular Windows group on AD
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 1
 address-pools none
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 server-port 389
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map LDAP-MAP
group-policy
group-policy
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value
 .....
 .....
tunnel-group
tunnel-group
 authentication-server-group LDAP-AD
 default-group-policy noaccess
group-policy noaccess attributes
 vpn-simultaneous-logins 1
If this doesn't work for you, then attach "sh run" from the ASA in your next reply, together with "debug ldap 255".
HTH
Regards,
JK
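The mechanism in Jatin's sample is worth seeing end to end: the ASA retrieves the user's memberOf values, the attribute map turns a matching DN into a group-policy name (IETF-Radius-Class), and anyone without a match falls through to the tunnel-group's default-group-policy, whose "address-pools none" leaves the client with no address and so no usable tunnel. The following Python is an added simulation of that decision, not ASA code and not part of this thread; the group DNs, policy names and user records are constructed placeholders, and the choice to use the first matching memberOf value is an assumption of the simulation, not a documented ASA ordering rule.

```python
"""Simulation (added example, not from the thread) of how an ASA LDAP
attribute map selects a group-policy from a user's memberOf values."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class GroupPolicy:
    name: str
    simultaneous_logins: int = 3
    # None models "address-pools none": no IP can be handed to the client
    address_pool: Optional[str] = "ra-pool"


@dataclass
class AttributeMap:
    # Models "map-name memberOf IETF-Radius-Class" plus one
    # "map-value memberOf <group DN> <group-policy>" line per entry
    values: Dict[str, str] = field(default_factory=dict)

    def add(self, group_dn: str, policy_name: str) -> None:
        self.values[_norm_dn(group_dn)] = policy_name


def _norm_dn(dn: str) -> str:
    """Normalise an AD DN for comparison: case-insensitive, no spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def select_policy(user_attrs: dict, attr_map: AttributeMap,
                  policies: Dict[str, GroupPolicy], default_policy: str) -> GroupPolicy:
    """Return the effective GroupPolicy for an already-authenticated user.

    AD returns memberOf as a multi-valued attribute; a single string is
    accepted too so one-group users behave the same way.  Assumption of this
    simulation: the first mapped memberOf value wins.
    """
    member_of: Union[str, List[str]] = user_attrs.get("memberOf", [])
    if isinstance(member_of, str):
        member_of = [member_of]
    for dn in member_of:
        policy_name = attr_map.values.get(_norm_dn(dn))
        if policy_name in policies:
            return policies[policy_name]
    # No mapped group: tunnel-group "default-group-policy" applies
    return policies[default_policy]


def access_granted(policy: GroupPolicy) -> bool:
    """The noaccess policy denies by having no address pool to assign."""
    return policy.address_pool is not None


# --- constructed sample data (placeholder DNs, not from the thread) ---
POLICIES = {
    "noaccess": GroupPolicy("noaccess", simultaneous_logins=1, address_pool=None),
    "RA-VPN-Users": GroupPolicy("RA-VPN-Users", simultaneous_logins=3, address_pool="ra-pool"),
}
ATTR_MAP = AttributeMap()
ATTR_MAP.add("CN=VPN-Users,OU=Groups,DC=example,DC=com", "RA-VPN-Users")

# Member of the remote-access group (DN deliberately in a different case/spacing)
VPN_USER = {
    "sAMAccountName": "jdoe",
    "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com",
                 "cn=vpn-users, ou=groups, dc=example, dc=com"],
}
# Valid domain account, but not in the remote-access group
DOMAIN_ONLY_USER = {
    "sAMAccountName": "asmith",
    "memberOf": "CN=Domain Users,CN=Users,DC=example,DC=com",
}


def evaluate(user: dict):
    """Return (group-policy name, access granted?) for a constructed user record."""
    policy = select_policy(user, ATTR_MAP, POLICIES, default_policy="noaccess")
    return policy.name, access_granted(policy)


if __name__ == "__main__":
    for u in (VPN_USER, DOMAIN_ONLY_USER):
        print(u["sAMAccountName"], evaluate(u))
```

When testing the real box, compare this against "debug ldap 255": the mapped attribute line in the debug output should show the group-policy name for a group member and nothing for a domain-only user, which is exactly the difference this simulation models.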
08-31-2009 07:03 AM
Hi Jatin,
Thanks for your QUICK reply. I was hoping to work on this over the weekend but had other obligations. I prefer to do this stuff outside of regular business hours - so I'll be testing over the next few evenings. I'll post back with results.
Thanks,
JTM
02-15-2012 12:41 PM
Hi Jatin,
I would also like to setup the same configuration as John. I'm following your config and trying to create those settings in ASDM. However, when creating the ldap attribute-map, "IETF-Radius-Class" is not an option in the drop down box. Please advise?
Thanks,
JR
PS - I have attached a screenshot.