New Member

ASA Remote Access Authentication with LDAP Server

Thank you in advance for your help.

I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access. My customer has 3 networks that are to be accessed by remote users. However, they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over which network behind the firewall each user can access. This seems doable from my reading, and I had planned to create a group for each network that needs to be accessible and do attribute maps to each group with a separate group created on the LDAP server for authentication. Basically an LDAP group on the LDAP server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.

The LDAP server has been created and seems to be working fine. I have created my AAA groups and servers, and I have done the LDAP test with a test user vpntest and a password on the LDAP server. When I run the authentication test from the ASDM or command line I get a good "authentication successful" message. So I configured a VPN client remotely and attempted to authenticate to this group, and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the VPN client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way, or should I try RADIUS? The customer was just adamant about using LDAP.

extvpnasa5510#
[243] Session Start
[243] New request Session, context 0xd5713fe0, reqType = 1
[243] Fiber started
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 2
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] Performing Simple authentication for  to 130.18.22.44
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter  = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] Talking to iPlanet server 130.18.22.44
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End

extvpnasa5510#
[244] Session Start
[244] New request Session, context 0xd5713fe0, reqType = 1
[244] Fiber started
[244] Creating LDAP context with uri=ldaps://130.18.22.44:636
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] supportedLDAPVersion: value = 2
[244] supportedLDAPVersion: value = 3
[244] No Login DN configured for server 130.18.22.44
[244] Binding as administrator
[244] Performing Simple authentication for  to 130.18.22.44
[244] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter  = [uid=vpntest]
        Scope   = [SUBTREE]
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Talking to iPlanet server 130.18.22.44
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Processing LDAP response for user vpntest
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244]   sn: value = test user
[244]   givenName: value = vpn
[244]   uid: value = vpntest
[244]   cn: value = vpn test user
[244]   objectClass: value = top
[244]   objectClass: value = person
[244]   objectClass: value = organizationalPerson
[244]   objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End
