I actually require users coming from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my ASA 5510 firewall:
access-list PublicVLAN_authentication remark Authenticate user from Hotspot (VLAN3) before allowing HTTP traffic
access-list PublicVLAN_authentication extended permit tcp 192.168.12.0 255.255.255.0 any eq www
aaa authentication match PublicVLAN_authentication PublicVLAN LDAP_HOTSPOT
aaa-server LDAP_HOTSPOT protocol ldap
aaa-server LDAP_HOTSPOT (inside) host XXXXXX
ldap-base-dn CN=Users, DC=XXXX,DC=XXX
This is working correctly and I can authenticate all users in my domain.
Now I've created a new LDAP Group named http_authorized_users and I've associated users who are permitted to surf the web to it.
How can I specify that only users who are members of a specific LDAP group should be authenticated?
As you can see in the image, I have my group and I've associated the user TestInterno with it, but how can I modify my LDAP_HOTSPOT to authenticate only users who are members of the http_authorized_users group (in the example below only the user TestInterno is associated with the group)?
If this is not possible with LDAP, what other solution could I use to do this?
Thanks a lot!
Sergio, try changing the ldap-base-dn to the http_authorized_users group :
ldap-base-dn CN=http_authorized_users,CN=Users,DC=XXXX,DC=XXX
See if that works.
It was the first thing I tried, but unfortunately it didn't work. As seen in my configuration, I search for the username in the attribute sAMAccountName, while in the group the users are listed in the member attribute...
I also tried to change the Attribute Name to "member" but it didn't work, probably because it can't search among multiple users inside member, and it also needs to "take" the right one and authenticate it...
debug ldap 255
 Session Start
 New request Session, context 0xd7ec6560, reqType = Authentication
 Fiber started
 Creating LDAP context with uri=ldap://192.168.1.70:389
 Connect to LDAP server: ldap://192.168.1.70:389, status = Successful
 supportedLDAPVersion: value = 3
 supportedLDAPVersion: value = 2
 Binding as FirewallSSL
 Performing Simple authentication for XXXXXXX to 192.168.1.70
 LDAP Search:
Base DN = [CN=Users,DC=xxxx,DC=xxx]
Filter = [sAMAccountName=testinterno]
Scope = [SUBTREE]
 User DN = [CN=TestInterno,CN=Users,DC=xxxx,DC=xxxx]
 Talking to Active Directory server 192.168.1.70
 Reading password policy for testinterno, dn:CN=TestInterno,CN=Users,DC=xxx,DC=xxxx
 Read bad password count 0
 Binding as testinterno
 Performing Simple authentication for testinterno to 192.168.1.70
 Processing LDAP response for user testinterno
 Message (testinterno):
 Authentication successful for testinterno to 192.168.1.70
 Retrieved User Attributes:
 objectClass: value = top
 objectClass: value = person
 objectClass: value = organizationalPerson
 objectClass: value = user
 cn: value = TestInterno
 description: value = Per test Anyconnect - da cancellare
 givenName: value = TestInterno
 distinguishedName: value = CN=TestInterno,CN=Users,DC=xxx,DC=xxx
 instanceType: value = 4
 whenCreated: value = 20100413124838.0Z
 whenChanged: value = 20100413124853.0Z
 displayName: value = TestInterno
 uSNCreated: value = 25123467
 memberOf: value = CN=http_authorized_users,CN=Users,DC=xxxx,DC=xxxx
 memberOf: value = CN=AnyconnectInterni,CN=Users,DC=xxxxx,DC=xxxx
 uSNChanged: value = 25123477
 name: value = TestInterno
 objectGUID: value = .am SVZF..@8.*..
 userAccountControl: value = 66048
 badPwdCount: value = 0
 codePage: value = 0
 countryCode: value = 0
 badPasswordTime: value = 129161569854641952
 lastLogoff: value = 0
 lastLogon: value = 129161570079951568
 pwdLastSet: value = 129156365187480989
 primaryGroupID: value = 513
 objectSid: value = ............qO.H.!N.........
 accountExpires: value = 9223372036854775807
 logonCount: value = 0
 sAMAccountName: value = TestInterno
 sAMAccountType: value = 805306368
 userPrincipalName: value = TestInterno@xxxxx.xxx
 objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxx,DC=xxx
 Fiber exit Tx=542 bytes Rx=2258 bytes, status=1
 Session End
I see that the LDAP server returns all the attributes I should need, but I don't know how to configure it properly!
As you can see, authentication is successful (for all the users), but what is the way to authenticate only users who are members of http_authorized_users?
I found this blog entry that may help things -
See if there is any info that may help.
Thanks for the reply, but unfortunately on the website you mentioned there is nothing about LDAP groups, only about LDAP authentication via ASA...
Sergio, try this link -
It explains how to set up a mapping to a specific LDAP attribute, and deals with users in different groups.
See if that document helps.
Yes, I've used this procedure to bind the LDAP group to a specific group policy for the SSL VPN and, as I understand it, this works only for VPN...
How can I bind a group policy to my authentication rule? I think it is not possible, but surely there are other ways to do what I need, no?
What about RADIUS? You can set up RADIUS on a MS Windows server.
Did you ever get a solution to this issue? We are running into a similar situation. We only allow users of a very specific group to come in over VPN. Our method so far is as follows. If someone has come across a better method, please let me know; this feels a little awkward.
Our IPsec policy defaults users to a group policy that does not allow IPsec, or any tunnel protocols, but during the IPsec auth process we catch the auth with an LDAP attribute map. This map changes the group policy of the given user to a policy that allows IPsec.
In essence, users will be denied access unless the LDAP attribute matches. This method does work for us, but there has to be a better, cleaner way.
I also use an LDAP attribute map. In my case, the LDAP attribute map matches to a group policy, and that group policy maps to an assigned address pool. So, if you were a defined user in an undefined group, you would not receive an IP address from the concentrator. This lets me use a single attribute map for a large number of different groups. Quick example:
aaa-server user-LDAP (outside) host x.x.x.x
ldap attribute-map User2LDAP
map-name ********** IETF-Radius-Class
map-value ********** "cn=XXXXXXXXXX" ABC_User
map-value ********** "cn=XXXXXXXXXX" DEF_User
group-policy ABC_User internal
group-policy ABC_User attributes
address-pools value ABC-User-Pool
group-policy DEF_User internal
group-policy DEF_User attributes
address-pools value DEF-User-Pool
Any updates regarding this issue? I have read several documents about the LDAP attributes. Most of them map the AD/LDAP attribute memberOf to the ASA attribute CVPN3000-Radius-IETF-Class. However, this attribute cannot be found in 8.3, nor can IETF-Radius-Class.
Although IETF-Radius-Class cannot be found in ASDM, you can use it through the CLI:
ciscoasa(config)# ldap attribute-map grp_SSL
ciscoasa(config-ldap-attribute-map)# map-name memberOf ?
ldap mode commands/options:
aaa-server LDAP (inside) host domaincontroller.yourplace.com
ldap attribute-map SSLLoginName
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPNGROUPNAME,OU=level2,OU=Level1,DC=yourplace,DC=com accesspolicyname
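The last few posts all rely on the same mechanism: an ldap attribute-map turns the memberOf values AD returns (visible in the "Retrieved User Attributes" section of the debug output above) into an IETF-Radius-Class, and that class selects a group-policy, with unmapped users left in a default policy that grants nothing. The following Python is an added example written for this page, not the ASA's code or anything the posters provided. It parses an attribute map written in the ASA syntax of the previous two posts and a debug-ldap attribute excerpt, and reports which group-policy the user would land in. Everything in it is constructed: the group DNs, the policy names, the "NoAccess" default, and the user records. Two modelling assumptions are also labelled in the code: DNs are compared case-insensitively with blanks after commas ignored (the question writes the base DN as "CN=Users, DC=..."), and the first memberOf value with a map-value entry wins; check both against the matching rules of your ASA release before relying on them.

```python
"""Model of the 'ldap attribute-map' -> group-policy lookup described in
the thread. Added example, not the ASA's own code: it parses an attribute
map in ASA config syntax and a 'Retrieved User Attributes' excerpt in the
'debug ldap 255' format, then reports which group-policy the mapped
IETF-Radius-Class would select. Users with no matching memberOf value
stay in the default policy, which is how the posts above deny access.
"""
import re

# Constructed config in the style of the attribute map in the last post.
# Group DNs and policy names are placeholders, not the thread's real ones.
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map User2LDAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=http_authorized_users,CN=Users,DC=example,DC=com" HTTP_Users
 map-value memberOf "CN=AnyconnectInterni,CN=Users,DC=example,DC=com" VPN_Users
"""

# Constructed excerpt modelled on the 'debug ldap 255' output in the thread.
DEBUG_TESTINTERNO = """
 Retrieved User Attributes:
 cn: value = TestInterno
 memberOf: value = CN=http_authorized_users,CN=Users,DC=example,DC=com
 memberOf: value = CN=AnyconnectInterni,CN=Users,DC=example,DC=com
 sAMAccountName: value = TestInterno
"""

# Constructed: a valid domain user who is in no mapped group.
DEBUG_OTHERUSER = """
 Retrieved User Attributes:
 cn: value = OtherUser
 memberOf: value = CN=Domain Users,CN=Users,DC=example,DC=com
 sAMAccountName: value = OtherUser
"""

DEFAULT_POLICY = "NoAccess"  # assumption: the 'allow nothing' default policy


def normalize_dn(dn):
    """Compare DNs case-insensitively and ignore blanks around commas.
    Modelling assumption, not a documented ASA matching rule."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_attribute_map(config):
    """Return (ldap_attr -> asa_attr, (ldap_attr, normalized DN) -> mapped value)."""
    names, values = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"map-name\s+(\S+)\s+(\S+)$", line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        # map-value <ldap-attr> <DN, optionally quoted> <mapped value>
        m = re.match(r'map-value\s+(\S+)\s+"?(.+?)"?\s+(\S+)$', line)
        if m:
            values[(m.group(1), normalize_dn(m.group(2)))] = m.group(3)
    return names, values


def parse_debug_attributes(debug_text):
    """Collect 'name: value = ...' lines into name -> [values]; memberOf is multi-valued."""
    attrs = {}
    for m in re.finditer(r"^\s*(\w+): value = (.*)$", debug_text, re.MULTILINE):
        attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def resolve_group_policy(user_attrs, names, values, default=DEFAULT_POLICY):
    """Apply the map: the first memberOf value with a map-value entry whose
    target is IETF-Radius-Class names the group-policy (assumption: first
    match wins); anything else falls back to the default policy."""
    for ldap_attr, asa_attr in names.items():
        if asa_attr != "IETF-Radius-Class":
            continue
        for raw in user_attrs.get(ldap_attr, []):
            mapped = values.get((ldap_attr, normalize_dn(raw)))
            if mapped is not None:
                return mapped
    return default


def policy_for_debug_output(debug_text, config=ATTRIBUTE_MAP_CONFIG):
    """Convenience wrapper: debug excerpt + attribute map -> group-policy name."""
    names, values = parse_attribute_map(config)
    return resolve_group_policy(parse_debug_attributes(debug_text), names, values)


if __name__ == "__main__":
    for text in (DEBUG_TESTINTERNO, DEBUG_OTHERUSER):
        user = parse_debug_attributes(text)["sAMAccountName"][0]
        print(user, "->", policy_for_debug_output(text))
```

Running it prints TestInterno -> HTTP_Users and OtherUser -> NoAccess, which is the behaviour the two posters describe: a domain account that authenticates fine but belongs to no mapped group ends up in the policy that gives it nothing. Paste your own "Retrieved User Attributes" block and map-value lines into the two constants to see which policy the map would pick for a given user before touching the firewall.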