
How to configure LDAP authentication for VPN clients on ASA

Core issue

The security appliance supports Lightweight Directory Access Protocol (LDAP) version 3. In the release this article was written for, it is compatible only with the Sun Microsystems Java System Directory Server (formerly the Sun ONE Directory Server) and Microsoft Active Directory. Later releases add support for other LDAP servers, including OpenLDAP.

By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP directory server. If auto-detection fails to determine the server type and you know the server is either Microsoft or Sun, you can set the server type manually with the server-type command.

Resolution

Complete these steps in order to configure authentication and authorization for VPN clients against an LDAP directory server:

  1. Configure ASA for LDAP authentication. This example sets the LDAP directory server (ldap_dir_1) to the Sun Microsystems type:

    hostname(config)#aaa-server ldap_dir_1 protocol ldap
    hostname(config-aaa-server-group)#aaa-server ldap_dir_1 host 10.1.1.4
    hostname(config-aaa-server-host)#server-type sun
       
  2. Set up authorization for VPN access. When the LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server, which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, the use of LDAP accomplishes authentication and authorization in a single step.

    There can be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate server for authentication, no authorization information is passed back. For user authorizations in this case, you can query an LDAP directory after successful authentication, and accomplish authentication and authorization in two steps.

    In order to set up VPN user authorization with LDAP, you must first create an AAA server group and a tunnel group, then associate the two in tunnel-group general-attributes mode. Other authorization-related commands and options exist for specific requirements, but this example shows only the fundamental ones: it creates an IPsec remote access tunnel group named remote-1 and assigns the previously created ldap_dir_1 AAA server group to it for authorization. Note that authorization-server-group by itself does not make the tunnel group authenticate against LDAP. The login is sent to whatever server group authentication-server-group names, which defaults to the LOCAL user database, so point that command at ldap_dir_1 as well when LDAP is the authentication source.

    hostname(config)#tunnel-group remote-1 type ipsec-ra
    hostname(config)#tunnel-group remote-1 general-attributes
    hostname(config-general)#authorization-server-group ldap_dir_1
       
  3. After you complete this fundamental configuration work, you can configure the remaining LDAP parameters: the login DN and password of the account the security appliance binds with to search the directory, the base DN at which a search starts, and the scope of the search. The login DN is set with ldap-login-dn and its password with ldap-login-password (the original text showed the password on the ldap-login-dn line, which is wrong; the appliance would try to bind as a DN named "obscurepassword"). Use a dedicated read-only directory account for the bind, not an administrator, because its password sits in the appliance configuration. The DNs shown here are placeholders:

    hostname(config)#aaa-server ldap_dir_1 protocol ldap
    hostname(config-aaa-server-group)#aaa-server ldap_dir_1 host x.x.x.x
    hostname(config-aaa-server-host)#ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
    hostname(config-aaa-server-host)#ldap-login-password obscurepassword
    hostname(config-aaa-server-host)#ldap-base-dn ou=people,dc=example,dc=com
    hostname(config-aaa-server-host)#ldap-scope subtree
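The three steps above combined into one running configuration, as an added example that is not part of the original article or of Cisco's documentation. The server tag ldap_dir_1, the tunnel group remote-1 and the host 10.1.1.4 come from the steps above; the DNs, the naming attribute, the bind account name and its password are placeholders chosen for illustration. The example also adds what the steps leave out: authentication-server-group, so the VPN login itself is sent to LDAP rather than the default LOCAL database, and ldap-over-ssl on port 636, so the bind password and every user's password are not sent across the network in clear text.

```cisco
! Added example, not from the original article. All DNs, the naming
! attribute and the bind account are placeholders; replace them with
! values from your directory before use.

! Step 1: the LDAP server group. Without server-port 636 and
! ldap-over-ssl enable, the bind password and each VPN user's password
! cross the network in clear text on port 389.
aaa-server ldap_dir_1 protocol ldap
aaa-server ldap_dir_1 host 10.1.1.4
 server-type sun
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn ou=people,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password obscurepassword

! Step 2 and 3: the tunnel group. authentication-server-group sends the
! login to LDAP; authorization-server-group is what the article sets.
! authorization-required rejects users whose authorization lookup fails
! instead of letting them in with default attributes.
tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 authentication-server-group ldap_dir_1
 authorization-server-group ldap_dir_1
 authorization-required
```

Verify the server group before putting VPN users on it: test aaa-server authentication ldap_dir_1 host 10.1.1.4 username jdoe password secret performs the same bind-and-search sequence a VPN session would, and test aaa-server authorization ldap_dir_1 host 10.1.1.4 username jdoe checks the attribute lookup. If either fails, debug ldap 255 shows the DN the appliance resolved for the user and the bind result returned by the directory.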
       

Refer to the Configuring the Group Policy for LDAP Authorization section of Configuring an LDAP AAA Server for more information about the configuration with ASDM.

Version history
Revision 1 of 1
Last update: 06-22-2009 04:45 PM