02-23-2010 04:50 PM - edited 03-10-2019 04:58 PM
Hi, I have the following issue. I am using an OpenLDAP server to authenticate IPSec VPN client users. It works to authenticate against an OpenLDAP server. But my problem is that I want to have two different group policies depending on the LDAP group the users belong to. And users not belonging to the vpnusr group should not be allowed to establish a VPN at all. I've created a VPN group on the LDAP server, cn=vpnusr,ou=Groups,dc=example,dc=com, and ou=Users,dc=example,dc=com.
I found a lot of examples for Microsoft AD with memberOf but did not get it running with OpenLDAP. On the ASA, I have tried this (Admin_Users is one of the group policies):
ldap attribute-map OpenLDAP
map-name memberOf IETF-Radius-Class
map-value memberOf cn=vpnusr,ou=Groups,dc=example,dc=com Admin_Users
aaa-server ldapserver protocol ldap
aaa-server ldapserver (outside) host x.x.x.x
ldap-base-dn dc=example,dc=com
ldap-naming-attribute uid
server-type openldap
ldap-attribute-map OpenLDAP
If I go to the command line and do a debug ldap 255, and then do a test authorization, the ASA checks the server, but there's no mention anywhere of group memberships - it's not checking at all. What have I missed? Can anyone help me with an example?
Thanks a lot in advance!!!!
ASA version is 8.0(4), ASDM is 6.1(5)51.
Now I tried it with this configuration (I guess the ldap attribute-map is the problem)...
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host x.x.x.x
timeout 5
ldap-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-group-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-scope subtree
ldap-naming-attribute uid
server-type openldap
ldap-attribute-map CISCOMAP
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123
group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl
group-policy adminusers internal
group-policy adminusers attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_Users_splitTunnelAcl
no ldap attribute-map CISCOMAP
ldap attribute-map CISCOMAP
map-name cn=sapvpn IETF-Radius-Class
map-value cn=sapvpn "ou=vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers
map-value cn=sapvpn "CN=vpnadm,ou=Groups,dc=organisation,dc=company,dc=de" adminusers
(I tried two ways, hence the different values)
03-02-2010 04:16 PM
Hi,
this is the configuration that you need.
ldap attribute-map sapusers
map-name memberOf IETF-Radius-Class
map-value memberOf "vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers
group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl
vpn-simultaneous-logins 3
group-policy no_login internal
group-policy no_login attributes
vpn-simultaneous-logins 0
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
default-group-policy no_login
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123
If you need more assistance do not hesitate to contact me.
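To make the mapping step in the answer above concrete, here is an added model (not ASA code and not part of the original thread) of how a memberOf value is matched against map-value entries and how the default no_login policy with vpn-simultaneous-logins 0 makes non-members fail closed even after a successful password check. The DNs, user entries, first-match ordering and case/whitespace-insensitive DN comparison are assumptions constructed for the example.

```python
# Constructed sample: the attribute map and policies from the answer above,
# expressed as data so the matching logic can be exercised offline.
ATTRIBUTE_MAP = {
    # map-name memberOf IETF-Radius-Class
    "memberOf": [
        # (LDAP value, group-policy) as in "map-value memberOf <dn> <policy>"
        ("cn=vpnusr,ou=Groups,dc=example,dc=com", "sapusers"),
        ("cn=vpnadm,ou=Groups,dc=example,dc=com", "adminusers"),
    ]
}
# tunnel-group default-group-policy no_login, which carries
# vpn-simultaneous-logins 0; the other policies allow 3 sessions.
DEFAULT_GROUP_POLICY = "no_login"
SIMULTANEOUS_LOGINS = {"sapusers": 3, "adminusers": 3, "no_login": 0}


def normalize_dn(dn):
    """DNs are case-insensitive and may carry spaces after commas; normalise
    so 'CN=vpnadm, OU=Groups,...' and 'cn=vpnadm,ou=Groups,...' compare equal
    (assumption: no escaped commas inside RDN values)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def select_group_policy(user_entry):
    """Model of the attribute-map step: the first memberOf value that matches
    a map-value entry selects the policy; no match falls back to the
    tunnel-group default. First-match ordering is an assumption."""
    for attr, rules in ATTRIBUTE_MAP.items():
        for value in user_entry.get(attr, []):
            for ldap_value, policy in rules:
                if normalize_dn(value) == normalize_dn(ldap_value):
                    return policy
    return DEFAULT_GROUP_POLICY


def login_allowed(user_entry):
    """A policy with vpn-simultaneous-logins 0 rejects the session although the
    password check succeeded, so users without a mapped group are denied."""
    return SIMULTANEOUS_LOGINS[select_group_policy(user_entry)] > 0


# Constructed user entries, shaped like what the memberof overlay returns.
SAP_USER = {"uid": ["alice"],
            "memberOf": ["cn=vpnusr,ou=Groups,dc=example,dc=com"]}
ADMIN_USER = {"uid": ["bob"],
              "memberOf": ["CN=vpnadm, OU=Groups, DC=example, DC=com"]}
PLAIN_USER = {"uid": ["carol"]}  # valid password, but no memberOf at all
```

Without the no_login default, carol would be admitted under the tunnel-group's built-in default policy; with it, only mapped group members get a session.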
03-29-2010 03:54 AM
Hi there,
Did you ever get this working?
I'm attempting a similar setup but am having difficulties adding the memberOf overlay to openLDAP.
Any help much appreciated.
Cheers,
c:)
03-29-2010 04:26 AM
Hi,
Yes, I got it working with a workaround. But not using memberOf (it definitely did not exist ;-) with OpenLDAP).
I used a RADIUS server (Cisco ACS) in between. Matched LDAP groups to RADIUS groups and sent the RADIUS attribute back to the ASA.
On the ASA I used DAP to match user groups.
Kind regards
03-29-2010 04:52 AM
Hi,
Thanks for that info.
I am thinking about using RADIUS as a middleman myself now, as memberOf overlays have me pulling my hair out.
Cisco ACS is a new bit of hardware, isn't it? I'm thinking about using FreeRADIUS on Ubuntu to serve the same purpose. Is that a bit crazy in your opinion?
Cheers,
c:)