Cisco Support Community
New Member

MS-LDAP AUTHENTICATION

Hi all,

I need to do authentication of users by Microsoft LDAP (Active Directory). However, I am not able to identify the meaning of NAMING ATTRIBUTE(S).

Does someone know how I can find this attribute to work with MS-LDAP?

3 REPLIES
Gold

Re: MS-LDAP AUTHENTICATION

not sure what you're asking for. here's a link for active directory ldap attributes:

http://computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

what are you using ldap authentication for? admin/telnet/ssh/https access to the device? remote vpn access authentication?

New Member

Re: MS-LDAP AUTHENTICATION

Thanks for information!

I am using LDAP for http, https and vpn access authentication.

Tks

Gold

Re: MS-LDAP AUTHENTICATION

i wrote this document up a while back for a client. maybe it has something useful to you:

LDAP VPN Authentication & Group Policy Assignment on the ASA

The following links were useful in creating the configuration for LDAP authentication and group policy assignment:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

There are a few caveats when configuring this on the ASA. The LDAP account used to bind and authenticate users is based on the display name in Active Directory, not the username, and should contain no spaces. If the password management feature is used, this account must either be in the built-in Account Operators group or be assigned the change-password permissions in Active Directory; otherwise, a regular domain account may be used. To see exactly what should be used in the aaa-server LDAP configuration, run the following command from a DOS prompt on the Windows AD server:

dsquery user -samid username

The output of this command should be used in the aaa-server section for the LDAP server.

Spaces are allowed in the LDAP attribute mappings, however, as long as quotation marks are used around the entire LDAP path. The 'memberOf' attribute is the AD LDAP attribute used to map to the specific group-policy on the ASA appliance.

Password management, the ability for the remote VPN user to change their Active Directory password, relies on LDAP over SSL, as seen in the example configuration at the end of this document. Once users are assigned their group policies, any configuration under that group-policy is applied to them as usual. This can include VPN filters (ACLs), a different DHCP scope, different DNS servers, etc. Most problems associated with this configuration can be traced back to the LDAP syntax used.

An example VPN configuration follows, using LDAP as the backend authentication server to assign group-policies:

crypto dynamic-map REMOTEVPN 5 set transform-set ets3des
crypto map emap 65535 ipsec-isakmp dynamic REMOTEVPN

ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP1
 map-value memberOf "CN=VPNGROUP2,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP2

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=asaadmin,CN=Users,DC=domain,DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CISCOMAP

ip local pool vpnpool 192.168.0.1-192.168.0.254 mask 255.255.255.0

access-list acl1_name permit ip 192.168.0.0 255.255.255.0 x.x.x.x z.z.z.z
access-list acl2_name permit ip 192.168.0.0 255.255.255.0 y.y.y.y z.z.z.z

tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 authentication-server-group LDAP
 password-management
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *

group-policy VPNGROUP1 internal
group-policy VPNGROUP1 attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value domain.com
 vpn-filter value acl1_name

group-policy VPNGROUP2 internal
group-policy VPNGROUP2 attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value domain.com
 vpn-filter value acl2_name
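An added example (not from the post above and not Cisco code) that models the lookup the configuration performs: the search filter that ldap-naming-attribute turns a login name into, the map-value lines of CISCOMAP parsed, and a user's memberOf values resolved to a group-policy. The directory entries and user names are constructed, and the DfltGrpPolicy fallback assumes, as in the config, that the tunnel-group sets no default-group-policy.

```python
import shlex

# Constructed stand-in for the AD entries under ldap-base-dn DC=domain,DC=com;
# only the attributes the ASA lookup needs are kept (not a real directory).
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Domain Accounts,DC=domain,DC=com",
     "sAMAccountName": "jdoe",
     "memberOf": ["CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com"]},
    {"dn": "CN=Bob Roe,OU=Domain Accounts,DC=domain,DC=com",
     "sAMAccountName": "broe",
     "memberOf": ["CN=Domain Users,CN=Users,DC=domain,DC=com"]},
]

# The body of 'ldap attribute-map CISCOMAP' from the config above, verbatim.
ATTRIBUTE_MAP = """
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP1
map-value memberOf "CN=VPNGROUP2,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP2
"""

def parse_attribute_map(text):
    """Return {ldap_attr: {ldap_value: asa_value}} from the map-value lines."""
    mapping = {}
    for line in text.strip().splitlines():
        parts = shlex.split(line)  # keeps a quoted DN with spaces as one token
        if parts[0] == "map-value" and len(parts) == 4:
            mapping.setdefault(parts[1], {})[parts[2]] = parts[3]
    return mapping

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username can never alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_filter(naming_attribute, username):
    """The filter the ldap-naming-attribute setting builds from a login name."""
    return "(%s=%s)" % (naming_attribute, escape_filter_value(username))

def resolve_group_policy(username, naming_attribute="sAMAccountName",
                         default_policy="DfltGrpPolicy"):
    """Return the group-policy a user lands in, or None if no entry matches."""
    entry = next((e for e in DIRECTORY if e.get(naming_attribute) == username), None)
    if entry is None:
        return None  # the search finds no user: authentication fails
    policies = parse_attribute_map(ATTRIBUTE_MAP).get("memberOf", {})
    # memberOf is multi-valued; only the first mapped group is used here, so
    # keep VPN users out of more than one mapped group to avoid order dependence.
    matched = [policies[g] for g in entry.get("memberOf", []) if g in policies]
    return matched[0] if matched else default_policy
```

A user who is in Active Directory but in neither mapped group is still authenticated and falls into the default policy, which is why the default policy's own restrictions matter as much as the mapped ones.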
