ASA 8.2 - Kerberos vs. LDAPS

jpecarski · ‎06-11-2010

I'm involved in an enterprise deployment of Cisco SSL VPN and NAC. A little background info...

This SSL service will host the customer's own remote access as well as other partners. All partners will have active directory accounts within the customers domain but will not be using laptops attached to the domain.

The customer is utilizing both SecurID and domain authentication to access the network.

Today I currently have the following configured:

- RSA SecurID Authentication

- LDAPS authentication against a Global Catalogue server on TCP/3269

- Authorization to the LDAP for group matching

Is there any advantage to using Kerberos authentication instead of LDAPS? To use Kerberos do the workstations need to be on the domain to authenticate?

I also have a requirement to use password management - users must be able to change their passwords upon expiry or when their password is reset. Can this be done with Kerberos? Speaking with Cisco, it doesn't appear to be possible with LDAP if I'm using a Global Catalogue server. Can this be confirmed?

Thanks for any help.

Jay Young · ‎06-23-2010

Hi,

Being able to change the password of a user through the ASA can be done two ways either through Radius or LDAP over SSL.

It sounds like the RADIUS server you are using is an RSA SDI proxy. As far as I know there is no way the SDI server can update your domain password. It would be the AAA server's responsibility.

Kerberous can only be used for authentication as it doesn't carry any authorization attributes.

LDAP over SSL will allow you to do authentication, authorization, and password management. In as far as whether a global catalog server will be able to update a specific domain that would be a question for Microsoft. If you are querying a domain controller it will work (I have set this up with an ASA against a Win2k3 server). On a side note, to do password management you must configure "password-management" on the tunnel-group on the ASA and you MUST have the domain controllers certificate installed into the ASA in a trustpoint store.

-Jay

jpecarski · ‎06-24-2010

Thanks Jay....

A couple of more questions...

For the ASA to perform password management - does the service account need account operator privileges? As far as the certificate is concerned, do I need both the Public certificate of the server as well as the CA certificate? Since I have two servers configured in the server-group I'm assuming both the public certificates are required, one or each server?

Jay Young · ‎06-25-2010

Q1) For the ASA to perform password management - does the service account need account operator privileges?

A1) If you are using RADIUS - the service account that runs the radius server would need to be able to update the database

A2) If you are using LDAP - I am not 100% percent sure (it could be done with the user that just logged on, i.e. he is just updating his own account) or with the user that "ldap-login-dn" is configured with. I do know that the "ldap-login-dn" user needs readable access to the whole domain.

Q2) As far as the certificate is concerned, do I need both the Public certificate of the server as well as the CA certificate?

A2) Since the ASA needs to validate the server certificate you *should* only need the CA cert. It wouldn't hurt to have both server certs and the CA cert in the config. Its really easy to import these into the CA certificate section in ASDM.