
Monitor only access to ASDM (ASA) for user authenticated via LDAP

Document, Jun 3rd, 2013 (last updated Tue, 01/31/2017 - 05:46)



Introduction

The ASA can grant monitor-only (read-only) ASDM access to a user who authenticates through LDAP. The mechanism is an LDAP attribute map that translates directory attributes into the Cisco Service-Type and Privilege-Level attributes the ASA uses for management authorization, combined with AAA settings that make the ASA honour those attributes for the ASDM session.

Configuration

1.       Configure an AAA server on the ASA. In the following configuration the AAA server is an LDAP server (Active Directory, hence "server-type microsoft"), and the attribute map from step 2 is attached to it with "ldap-attribute-map":

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.26.55
 ldap-base-dn DC=MCS55, DC=COM
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
 server-type microsoft
 ldap-attribute-map LDAPreadonly
ciscoasa#

Two things should be changed before this is used in production. The server is reached over ldap:// on port 389 with a simple bind (visible in the debug output further down), so the ldap-login-password and every user's password cross the network in cleartext; enable "ldap-over-ssl enable" and "server-port 636" on the aaa-server host entry. And the ldap-login-dn here is the same Account Operators member that is later tested as the read-only user; use a dedicated bind account with read-only rights to the directory instead.

2.       Configure an LDAP attribute map. The map below sets IETF-Radius-Service-Type to 6 (Administrative, the value that permits management access) for members of the Account Operators group, and Privilege-Level to 5 for the user ashishv; the privilege level below 15 is what makes the ASDM session read-only:

ciscoasa# sh run ldap attribute-map LDAPreadonly
map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 6
map-name sAMAccountName Privilege-Level
map-value sAMAccountName "ashishv" 5
ciscoasa#

memberOf is multi-valued; only the value that matches the quoted DN in map-value is translated, as the "mapped to" lines in the debug output further down show.

3.       Configure AAA on the ASA. "aaa authentication http console LDAP LOCAL" sends ASDM logins to the LDAP server group (the LOCAL database is consulted only if the LDAP server is unreachable), "aaa authorization command LOCAL" checks each command against the ASA's local command privilege levels, and "aaa authorization exec authentication-server" makes the ASA apply the Service-Type and Privilege-Level returned by the server to the management session; without that last line the mapped attributes are not used for authorization:

ciscoasa# sh run aaa
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LDAP LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
ciscoasa#

The ASA is now ready to grant read-only access to the user "ashishv". Before testing from ASDM, the bind and the attribute mapping can be verified from the CLI with "test aaa-server authentication LDAP username ashishv password <password>" while "debug ldap 255" is enabled.

4.       On authenticating to ASDM, the following message is displayed, indicating monitor-only access:

[1.jpg: ASDM message indicating monitor-only access]

5.       View of ASDM once you have access:

[2.jpg: ASDM window in monitor-only mode]

Debugs

6.       This is what "debug ldap 255" looks like for a successful user authentication. Note the two binds (first the ldap-login-dn, then the user), the search filter built from ldap-naming-attribute, and the two "mapped to" lines produced by the attribute map:

ciscoasa#
[45] Session Start
[45] New request Session, context 0xda1861b4, reqType = Authentication
[45] Fiber started
[45] Creating LDAP context with uri=ldap://192.168.26.55:389
[45] Connect to LDAP server: ldap://192.168.26.55:389, status = Successful
[45] supportedLDAPVersion: value = 3
[45] supportedLDAPVersion: value = 2
[45] Binding as ashish AV. varghese
[45] Performing Simple authentication for ashish AV. varghese to 192.168.26.55
[45] LDAP Search:
       Base DN = [DC=MCS55, DC=COM]
       Filter = [sAMAccountName=ashishv]
       Scope   = [SUBTREE]
[45] User DN = [CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com]
[45] Talking to Active Directory server 192.168.26.55
[45] Reading password policy for ashishv, dn:CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
[45] Read bad password count 0
[45] Binding as ashishv
[45] Performing Simple authentication for ashishv to 192.168.26.55
[45] Processing LDAP response for user ashishv
[45] Message (ashishv):
[45] Authentication successful for ashishv to 192.168.26.55
[45] Retrieved User Attributes:
[45]   objectClass: value = top
[45]   objectClass: value = person
[45]   objectClass: value = organizationalPerson
[45]   objectClass: value = user
[45]   cn: value = ashish AV. varghese
[45]   sn: value = varghese
[45]   givenName: value = ashish
[45]   initials: value = AV
[45]   distinguishedName: value = CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
[45]   instanceType: value = 4
[45]   whenCreated: value = 20121224152326.0Z
[45]   whenChanged: value = 20130119142646.0Z
[45]   displayName: value = ashishvarghese
[45]   uSNCreated: value = 186542
[45]   memberOf: value = CN=Account Operators,CN=Builtin,DC=MCS55,DC=com
[45]           mapped to IETF-Radius-Service-Type: value = 6
[45]   uSNChanged: value = 190878
[45]   name: value = ashish AV. varghese
[45]   objectGUID: value = ...+...M.`/.....
[45]   userAccountControl: value = 66048
[45]   badPwdCount: value = 0
[45]   codePage: value = 0
[45]   countryCode: value = 0
[45]   badPasswordTime: value = 130030933379843750
[45]   lastLogoff: value = 0
[45]   lastLogon: value = 130030933572968750
[45]   pwdLastSet: value = 130030792063437500
[45]   primaryGroupID: value = 512
[45]   objectSid: value = ............4E'y...&R.Egt...
[45]   adminCount: value = 1
[45]   accountExpires: value = 9223372036854775807
[45]   logonCount: value = 0
[45]   sAMAccountName: value = ashishv
[45]           mapped to Privilege-Level: value = 5
[45]   sAMAccountType: value = 805306368
[45]   userPrincipalName: value = [email protected]
[45]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=MCS55,DC=com
[45]   lastLogonTimestamp: value = 130027602762031250
[45] Fiber exit Tx=561 bytes Rx=2534 bytes, status=1
[45] Session End

Please feel free to comment in case of any query.
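The attribute-map and authorization steps above (steps 2 and 3) and the "mapped to" lines in the debug output, replayed in Python as an added example; this is not code from the page or from Cisco. It parses the "Retrieved User Attributes" lines of a debug ldap 255 capture, applies a map written in the same map-name / map-value syntax, and reports the Service-Type and Privilege-Level the ASA would derive. It goes beyond the page's single-user case by also evaluating a hypothetical group-only map and a user whose memberOf value is not listed in the map. The debug excerpt is a constructed trimming of the output above; the pass-through of unmatched values, the treatment of a missing Service-Type, and the "below 15 means read-only" rule are my assumptions and are marked as such in the comments.

```python
"""Replay the ASA LDAP attribute-map step against a debug ldap 255 capture.

Added example, not code from the page or from Cisco: the parsing and the
decision rules are one reading of the behaviour the page documents.
"""
import re
import shlex
from collections import defaultdict

# Constructed excerpt of the debug output above, trimmed to the attribute
# lines that matter.  The ASA's own "mapped to" lines are left out on
# purpose: they are what this script recomputes.
DEBUG_EXCERPT = """\
[45] Authentication successful for ashishv to 192.168.26.55
[45] Retrieved User Attributes:
[45]   objectClass: value = top
[45]   objectClass: value = user
[45]   cn: value = ashish AV. varghese
[45]   memberOf: value = CN=Account Operators,CN=Builtin,DC=MCS55,DC=com
[45]   adminCount: value = 1
[45]   sAMAccountName: value = ashishv
[45] Fiber exit Tx=561 bytes Rx=2534 bytes, status=1
"""

# Constructed variant: same account, but a memberOf value the map does not list.
NON_MEMBER_EXCERPT = DEBUG_EXCERPT.replace(
    "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com",
    "CN=Domain Users,CN=Users,DC=MCS55,DC=com")

# The attribute map from step 2 of the document, verbatim.
PER_USER_MAP = """\
map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 6
map-name sAMAccountName Privilege-Level
map-value sAMAccountName "ashishv" 5
"""

# Hypothetical group-only map: privilege keyed on group membership, no Service-Type.
GROUP_MAP = """\
map-name memberOf Privilege-Level
map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 5
"""

ATTR_LINE = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")


def parse_debug_attributes(text):
    """Collect 'name: value = ...' lines into a multi-valued dict.
    memberOf appears once per group, so every attribute is kept as a list."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2).strip())
    return dict(attrs)


def parse_attribute_map(text):
    """Parse map-name / map-value lines; shlex handles the quoted DNs."""
    names, values = {}, defaultdict(dict)
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "map-name" and len(tokens) == 3:
            names[tokens[1]] = tokens[2]          # ldap attr -> cisco attr
        elif tokens[0] == "map-value" and len(tokens) == 4:
            values[tokens[1]][tokens[2]] = tokens[3]  # ldap attr, ldap value -> cisco value
        else:
            raise ValueError("unrecognised attribute-map line: %r" % line)
    return names, values


def apply_attribute_map(attrs, names, values):
    """Derive the Cisco attributes.  Matching is an exact string compare on
    the full DN.  Assumption: a value with a map-name but no matching
    map-value is passed through unchanged (verify on your release)."""
    mapped = defaultdict(list)
    for ldap_attr, cisco_attr in names.items():
        for value in attrs.get(ldap_attr, []):
            mapped[cisco_attr].append(values[ldap_attr].get(value, value))
    return dict(mapped)


def management_decision(mapped):
    """Interpret the mapped attributes the way 'aaa authorization exec
    authentication-server' does.  Service-Type 6 = Administrative (management
    allowed), 7 = NAS-Prompt (CLI only, ASDM monitoring only), 5 = Outbound
    (denied).  Assumptions: a Service-Type that is present but not an integer
    code is treated as denied; no Service-Type at all means no restriction;
    any privilege below 15 (full admin) is read-only, matching the
    monitor-only result the page shows for privilege 5."""
    st_values = mapped.get("IETF-Radius-Service-Type", [])
    service_type = next((int(v) for v in st_values if v.isdigit()), None)
    priv_values = mapped.get("Privilege-Level", [])
    privilege = next((int(v) for v in priv_values if v.isdigit()), None)

    if st_values and service_type is None:
        access = "denied"                 # unrecognised Service-Type (assumption)
    elif service_type == 6:
        access = "admin"
    elif service_type == 7:
        access = "cli-only-asdm-monitor"
    elif service_type is not None:
        access = "denied"                 # 5 (Outbound) and anything else
    else:
        access = "admin"                  # no Service-Type mapped (assumption)
    if access == "admin" and privilege is not None and privilege < 15:
        access = "read-only"
    return {"service_type": service_type, "privilege_level": privilege, "access": access}


def evaluate(debug_text, map_text):
    """Parse both inputs and return the decision dict for one user."""
    attrs = parse_debug_attributes(debug_text)
    names, values = parse_attribute_map(map_text)
    return management_decision(apply_attribute_map(attrs, names, values))


if __name__ == "__main__":
    for label, excerpt, amap in (("per-user map", DEBUG_EXCERPT, PER_USER_MAP),
                                 ("group-only map", DEBUG_EXCERPT, GROUP_MAP),
                                 ("per-user map, non-member", NON_MEMBER_EXCERPT, PER_USER_MAP)):
        print(label, evaluate(excerpt, amap))
```

The non-member case is the one to test on a real ASA before relying on this setup: any directory user who can bind still authenticates successfully, and a user who matches no map-value receives nothing from the map, so what the ASA then grants depends on defaults rather than on anything in the configuration above.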

asvarghe Fri, 09/06/2013 - 06:32

Stuart,

Thanks for sharing this.

This is a very creative way of making this scalable.

Regards,
Ashish

Theofilos Tzach... Tue, 01/31/2017 - 05:46

Great guide!

For read-only access to a Group of Users, I tried the commands below:

map-name memberOf Privilege-Level
map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 5

instead of

map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 6
map-name sAMAccountName Privilege-Level
map-value sAMAccountName "ashishv" 5

which worked really well for me.
