Cisco ASA - Authenticate users of a specific LDAP group

Unanswered Question
Apr 19th, 2010

Hi There,

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510:

access-list PublicVLAN_authentication remark Authenticate user from Hotspot (VLAN3) before allowing HTTP traffic
access-list PublicVLAN_authentication extended permit tcp 192.168.12.0 255.255.255.0 any eq www

aaa authentication match PublicVLAN_authentication PublicVLAN LDAP_HOTSPOT

aaa-server LDAP_HOTSPOT protocol ldap
aaa-server LDAP_HOTSPOT (inside) host XXXXXX
ldap-base-dn CN=Users, DC=XXXX,DC=XXX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password xxxx
ldap-login-dn CN=xxxx,CN=Users,DC=xxxxx,DC=xxxxx
server-type microsoft

This is working correctly and I can authenticate all users in my domain.

Now I've created a new LDAP Group named http_authorized_users and I've associated users who are permitted to surf the web to it.

How can I specify to authenticate just users member of a specific LDAP group?

As you can see in the image I've my group and I've associated the user TestInterno, but how can I modify my LDAP_HOTSPOT to authenticate just user who are member of the http_authorized_users group (in the example below just the user TestInterno is associated to the group)?

httpgroup.gif

If not possible with LDAP, which other solution may I have to do this?

Thanks a lot!


Sergio

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1.5 (2 ratings)
Loading.
dtochilovsky Tue, 04/20/2010 - 09:23

Sergio, try changing the ldap-base-dn to the http_authorized_users group :

ldap-base-dn CN=http_authorized_users CN=Users, DC=XXXX,DC=XXX

See if that works.

Dmitry.

sergio.paganoni Tue, 04/20/2010 - 22:54

Hi Dmitry,

It was the first thing I tried, but unfortunately it didnt work, as seen in my configuration I search the username in the attribute sAMAccountName and in the Group the user are part of the member attribute....

I also tried to change de Attirbute Name to "member" but it didnt work, probably because he cant search between multiple users inside member, and he also need to "take" the right one and authenticate it...

Debugging with

debug ldap 255

Result:

[1879] Session Start
[1879] New request Session, context 0xd7ec6560, reqType = Authentication
[1879] Fiber started
[1879] Creating LDAP context with uri=ldap://192.168.1.70:389
[1879] Connect to LDAP server: ldap://192.168.1.70:389, status = Successful
[1879] supportedLDAPVersion: value = 3
[1879] supportedLDAPVersion: value = 2
[1879] Binding as FirewallSSL
[1879] Performing Simple authentication for XXXXXXX to 192.168.1.70
[1879] LDAP Search:
        Base DN = [CN=Users,DC=xxxx,DC=xxx]
        Filter  = [sAMAccountName=testinterno]
        Scope   = [SUBTREE]
[1879] User DN = [CN=TestInterno,CN=Users,DC=xxxx,DC=xxxx]
[1879] Talking to Active Directory server 192.168.1.70
[1879] Reading password policy for testinterno, dn:CN=TestInterno,CN=Users,DC=xxx,DC=xxxx
[1879] Read bad password count 0
[1879] Binding as testinterno
[1879] Performing Simple authentication for testinterno to 192.168.1.70
[1879] Processing LDAP response for user testinterno
[1879] Message (testinterno):
[1879] Authentication successful for testinterno to 192.168.1.70
[1879] Retrieved User Attributes:
[1879]  objectClass: value = top
[1879]  objectClass: value = person
[1879]  objectClass: value = organizationalPerson
[1879]  objectClass: value = user
[1879]  cn: value = TestInterno
[1879]  description: value = Per test Anyconnect - da cancellare
[1879]  givenName: value = TestInterno
[1879]  distinguishedName: value = CN=TestInterno,CN=Users,DC=xxx,DC=xxx
[1879]  instanceType: value = 4
[1879]  whenCreated: value = 20100413124838.0Z
[1879]  whenChanged: value = 20100413124853.0Z
[1879]  displayName: value = TestInterno
[1879]  uSNCreated: value = 25123467
[1879]  memberOf: value = CN=http_authorized_users,CN=Users,DC=xxxx,DC=xxxx
[1879]  memberOf: value = CN=AnyconnectInterni,CN=Users,DC=xxxxx,DC=xxxx
[1879]  uSNChanged: value = 25123477
[1879]  name: value = TestInterno
[1879]  objectGUID: value = .am SVZF..@8.*..
[1879]  userAccountControl: value = 66048
[1879]  badPwdCount: value = 0
[1879]  codePage: value = 0
[1879]  countryCode: value = 0
[1879]  badPasswordTime: value = 129161569854641952
[1879]  lastLogoff: value = 0
[1879]  lastLogon: value = 129161570079951568
[1879]  pwdLastSet: value = 129156365187480989
[1879]  primaryGroupID: value = 513
[1879]  objectSid: value = ............qO.H.!N.........
[1879]  accountExpires: value = 9223372036854775807
[1879]  logonCount: value = 0
[1879]  sAMAccountName: value = TestInterno
[1879]  sAMAccountType: value = 805306368
[1879]  userPrincipalName: value = [email protected]
[1879]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxx,DC=xxx
[1879] Fiber exit Tx=542 bytes Rx=2258 bytes, status=1
[1879] Session End

I see that the LDAP server return all the attributes I should need, but I  don't know how to configure it properly!

As you see authentication is successfull (for all the users) but what's the way to authenticate just users who are member of http_authorized_users?

sergio.paganoni Wed, 04/21/2010 - 23:33

Hi,

Thanks for the reply, unfortunatelly in the website you mentioned there is nothing on LDAP Group but just on LDAP authentication via ASA...

Any others?

sergio.paganoni Thu, 04/22/2010 - 07:35

Yes, I've used this procedure to bind the LDAP group to a specific group policy for the SSL VPN and, as I've understood, this works only for VPN...

How can I bind a Group Policy to my authentication rule? I think is not possibile, but there are surely other way to do what I need, not?

tthulin Wed, 09/01/2010 - 20:48

Did you ever get a solution to this issue. We are running into a similar situation. We only allow users of a very specific group to come into VPN.Our method so far is as follows. If someone has run across a better method.. Please let me know.. this feels a little.. awkward.

Our ipsec policy defaults users to a group policy that does not allow IPSEC, or any tunnel protocols, but during the ipsec auth process we catch the auth with an ldap attribute map. This map changes the group policy of the giving user to a policy that allows ipsec.

In essence users will be denied access unless the ldap attribute matches. This method does work for us, but there has to be a better, cleaner way.

Thank you,

Tim

brian.dickerson... Tue, 09/14/2010 - 07:50

I also use an ldap attribute map.  In my case, the ldap attribute map matches to a group policy, and that group policy maps to an assigned address pool.  So, if you were a defined user in an undefuned group, you would not receive an IP address from the concentrator.  This lets me use a single attribute map for a large number of different groups.  Quick example:

aaa-server user-LDAP (outside) host x.x.x.x
ldap-attribute-map User2LDAP

ldap attribute-map User2LDAP
  map-name  ********** IETF-Radius-Class
  map-value ********** "cn=XXXXXXXXXX" ABC_User
  map-value ********** "cn=XXXXXXXXXX" DEF_User
 
 
group-policy ABC_User internal
group-policy ABC_User attributes
address-pools value ABC-User-Pool

group-policy DEF_User internal
group-policy DEF_User attributes
address-pools value DEF-User-Pool

trustcisco Wed, 09/22/2010 - 04:44

Hello,

Any updates regarding this issue ? i have read several documents about the LDAP Attributes. Most of them map the AD/LDAP attribute memberOf to the ASA attribute CVPN3000-Radius-IETF-Class. However this attribute cannot be found to 8.3, neither the IETF-Radius-Class.

Thanks,

Jim.

liboucher Tue, 11/23/2010 - 07:27

Hi Jim,

Although IETF-Radius-Class cannot be found in ASDM, you can use it through CLI

ciscoasa(config)# ldap attribute-map grp_SSL
ciscoasa(config-ldap-attribute-map)#   map-name  memberOf ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours                                 
  Allow-Network-Extension-Mode         

... 
  IE-Proxy-Method                              
  IE-Proxy-Server                              
  IETF-Radius-Class                            
  IETF-Radius-Filter-Id           
           

Lionel

Actions

This Discussion