Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3773
Views
0
Helpful
4
Replies

ASA VPN issue with different Open LDAP Groups

gutekunst
Level 1
Level 1

‎02-23-2010 04:50 PM - edited ‎03-10-2019 04:58 PM

Hi, I have following issue. I am using an  OpenLDAP server to authenticate IPSec VPN Client users. It works to authentivate against an OpenLdap server.  But my problem is, that I want to have two different Group Policies depending on the LDAP group users belonging to. And users not belonging to vpnusr group should not be allowed to establish a VPN at all. I've created a VPN group on the LDAP server,  cn=vpnusr,ou=Groups,dc=example,dc=com. and ou=Users dc=example,dc=com.

I found a lot examples for Microsoft AD with memberOf but did not get it running with Open LDAP. On the ASA, I have tried this (Admin_Users is on of the Policy Groups):

ldap attribute-map OpenLDAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf cn=vpnusr,ou=Groups,dc=example,dc=com Admin_Users
  
aaa-server ldapserver protocol ldap
aaa-server ldapserver (outside) host x.x.x.x
 ldap-base-dn dc=example,dc=com
 ldap-naming-attribute uid
 server-type openldap
 ldap-attribute-map OpenLDAP

If I go to the command line and do a debug ldap 255, and then do a  test authorization, the ASA checks the server, but there's no mention anywhere  of group memberships - it's not checking at all. What have I missed? Does anyone can help me with an example?

Thanks a lot in advance!!!!

ASA version is 8.0(4), ASDM is 6.1(5)51.

Nachricht geändert durch gutekunst

Now I tried it with this configuration (I guess ldap attribute-map should be the problem)...


aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host x.x.x.x
timeout 5
ldap-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-group-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-scope subtree
ldap-naming-attribute uid
server-type openldap
ldap-attribute-map CISCOMAP

tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123

group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl

group-policy adminusers internal
group-policy adminusers attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_Users_splitTunnelAcl

no ldap attribute-map CISCOMAP

ldap attribute-map CISCOMAP
  map-name  cn=sapvpn IETF-Radius-Class
  map-value cn=sapvpn "ou=vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers
  map-value cn=sapvpn "CN=vpnadm,ou=Groups,dc=organistaion,dc=company,dc=de" adminusers


(tried two ways therefore different values)

Labels:
0 Helpful
4 Replies 4

Erick Delgado
Level 1
Level 1

‎03-02-2010 04:16 PM

Hi,

this is the configuration that you need.

ldap attribute-map sapusers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers

group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl
vpn-simultaneous-logins 3


group-policy no_login internal
group-policy no_login  attributes
vpn-simultaneous-logins 0
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
default-group-policy no_login
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123

If you need more assistance do not hesitate to contact me.

0 Helpful

Chris Alavoine
Level 1
Level 1

‎03-29-2010 03:54 AM

HI there,

Did you ever get this working?

I'm attempting a similar setup but am having difficulties adding the memberOf overlay to openLDAP.

Any help much appreciated.

Cheers,

c:)

0 Helpful

gutekunst
Level 1
Level 1
In response to Chris Alavoine

‎03-29-2010 04:26 AM

Hi,

yes get it working with a work around. But not using memberOf (it definitely did not exist ;-) with openLDAP).

I used a radius server (Cisco ACS) in between. Matched LDAP groups to Radius groups and sent Radius attribute back to ASA.

On the ASA i used DAP to match User Groups.

Kind regards

0 Helpful

Chris Alavoine
Level 1
Level 1
In response to gutekunst

‎03-29-2010 04:52 AM

Hi,

Thanks for that info.

Am thinking about using Radius as a middleman myself now as memberOf overlays have me pulling my hair out.

Cisco ACS is a new bit of hardware isn't it? I'm thinking about using freeradius on Ubuntu to serve the same purpose. Is that a bit crazy in your opinion?

Cheers,

c:)

0 Helpful
Customers Also Viewed These Support Documents