ASA VPN issue with different Open LDAP Groups

Hi, I have the following issue. I am using an OpenLDAP server to authenticate IPSec VPN Client users. Authenticating against the OpenLDAP server works. But my problem is that I want to have two different group policies depending on the LDAP group the users belong to. And users not belonging to the vpnusr group should not be allowed to establish a VPN at all. I've created a VPN group on the LDAP server, cn=vpnusr,ou=Groups,dc=example,dc=com, and ou=Users,dc=example,dc=com.

I found a lot of examples for Microsoft AD with memberOf but did not get it running with OpenLDAP. On the ASA, I have tried this (Admin_Users is one of the policy groups):

ldap attribute-map OpenLDAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf cn=vpnusr,ou=Groups,dc=example,dc=com Admin_Users
 
aaa-server ldapserver protocol ldap
aaa-server ldapserver (outside) host x.x.x.x
ldap-base-dn dc=example,dc=com
ldap-naming-attribute uid
server-type openldap
ldap-attribute-map OpenLDAP

If I go to the command line and do a debug ldap 255, and then do a test authorization, the ASA checks the server, but there's no mention anywhere of group memberships - it's not checking at all. What have I missed? Can anyone help me with an example?

Thanks a lot in advance!!!!

ASA version is 8.0(4), ASDM is 6.1(5)51.

Message edited by gutekunst

Now I tried it with this configuration (I guess ldap attribute-map should be the problem)...


aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host x.x.x.x
timeout 5
ldap-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-group-base-dn ou=IES,dc=organisation,dc=company,dc=de
ldap-scope subtree
ldap-naming-attribute uid
server-type openldap
ldap-attribute-map CISCOMAP

tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123

group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl

group-policy adminusers internal
group-policy adminusers attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_Users_splitTunnelAcl

no ldap attribute-map CISCOMAP

ldap attribute-map CISCOMAP
  map-name  cn=sapvpn IETF-Radius-Class
  map-value cn=sapvpn "ou=vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers
  map-value cn=sapvpn "CN=vpnadm,ou=Groups,dc=organisation,dc=company,dc=de" adminusers


(tried two ways therefore different values)


Re: ASA VPN issue with different Open LDAP Groups

Hi,

this is the configuration that you need.

ldap attribute-map sapusers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "vpnusr,cn=sapvpn,ou=Users,dc=organisation,dc=company,dc=de" sapusers

group-policy sapusers internal
group-policy sapusers attributes
vpn-tunnel-protocol IPSec
!vpn-filter value acl1_name
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_Users_splitTunnelAcl
vpn-simultaneous-logins 3


group-policy no_login internal
group-policy no_login attributes
vpn-simultaneous-logins 0
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
authentication-server-group LDAP
password-management
default-group-policy no_login
tunnel-group vpngroup ipsec-attributes
pre-shared-key test123

If you need more assistance do not hesitate to contact me.


Re: ASA VPN issue with different Open LDAP Groups

HI there,

Did you ever get this working?

I'm attempting a similar setup but am having difficulties adding the memberOf overlay to openLDAP.

Any help much appreciated.

Cheers,

c:)


Re: ASA VPN issue with different Open LDAP Groups

Hi,

yes, I got it working with a workaround. But not using memberOf (it definitely did not exist ;-) with OpenLDAP).

I used a RADIUS server (Cisco ACS) in between. Matched LDAP groups to RADIUS groups and sent a RADIUS attribute back to the ASA.

On the ASA I used DAP to match user groups.

Kind regards
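Added example, not code from the thread or from Cisco: the core of what the RADIUS "middleman" above has to do when user entries in plain OpenLDAP carry no memberOf attribute. Membership is held on the groupOfNames entries, so the lookup runs in reverse (groups whose member attribute lists the user's DN), the result is mapped to an ASA group-policy name, and anyone without a matching group falls through to the no_login policy. The directory content and user names are constructed; the DNs and policy names reuse the thread's.

```python
# Constructed directory snapshot: users have no memberOf (no overlay), groups
# list their members, as with a default OpenLDAP groupOfNames setup.
DIRECTORY = {
    "uid=alice,ou=Users,dc=organisation,dc=company,dc=de": {"uid": ["alice"]},
    "uid=bob,ou=Users,dc=organisation,dc=company,dc=de": {"uid": ["bob"]},
    "uid=carol,ou=Users,dc=organisation,dc=company,dc=de": {"uid": ["carol"]},
    "cn=sapvpn,ou=Groups,dc=organisation,dc=company,dc=de": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=Users,dc=organisation,dc=company,dc=de",
                   "uid=bob,ou=Users,dc=organisation,dc=company,dc=de"],
    },
    "cn=vpnadm,ou=Groups,dc=organisation,dc=company,dc=de": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=Users,dc=organisation,dc=company,dc=de"],
    },
}

# Group DN -> ASA group-policy, first match wins (admins before plain users).
# "CN=" vs "cn=" is deliberate: DN matching must be case-insensitive.
GROUP_TO_POLICY = [
    ("CN=vpnadm,ou=Groups,dc=organisation,dc=company,dc=de", "adminusers"),
    ("cn=sapvpn,ou=Groups,dc=organisation,dc=company,dc=de", "sapusers"),
]
DEFAULT_POLICY = "no_login"  # tunnel-group default: vpn-simultaneous-logins 0

def norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no space after commas."""
    return ",".join(part.strip() for part in dn.casefold().split(","))

def groups_of(user_dn, directory=DIRECTORY):
    """Reverse lookup, equivalent to an LDAP search with filter (member=<user_dn>)."""
    target = norm_dn(user_dn)
    return sorted(norm_dn(dn) for dn, attrs in directory.items()
                  if any(norm_dn(m) == target for m in attrs.get("member", [])))

def policy_for(uid, directory=DIRECTORY):
    """Return (group_policy, groups) the RADIUS side would hand back as Class."""
    user_dn = f"uid={uid},ou=Users,dc=organisation,dc=company,dc=de"
    if norm_dn(user_dn) not in {norm_dn(d) for d in directory}:
        return DEFAULT_POLICY, []          # unknown user: default deny
    groups = groups_of(user_dn, directory)
    for group_dn, policy in GROUP_TO_POLICY:
        if norm_dn(group_dn) in groups:
            return policy, groups
    return DEFAULT_POLICY, groups          # known user, no VPN group: deny

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "mallory"):
        print(uid, "->", policy_for(uid)[0])
```

The same reverse search is what a FreeRADIUS LDAP group check does for you; the point to keep is the default-deny fallthrough, so a user outside every mapped group lands on no_login rather than the tunnel-group's permissive default.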


Re: ASA VPN issue with different Open LDAP Groups

Hi,

Thanks for that info.

Am thinking about using Radius as a middleman myself now as memberOf overlays have me pulling my hair out.

Cisco ACS is a new bit of hardware, isn't it? I'm thinking about using FreeRADIUS on Ubuntu to serve the same purpose. Is that a bit crazy in your opinion?

Cheers,

c:)
