Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

LDAP_Authentication_for_VPN_Users.docx

LDAP authentication for VPN users and restrict  one particular group of users to access VPN

Case 1

Using LDAP to authenticate VPN users connecting to an ASA through AD.

The following are the commands required for LDAP authentication.

[a] Create a server-group

hostname(config)# aaa-server LDAP protocol ldap

hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.10.1.5

hostname(config-aaa-server-group)# ldap-base-dn cn=Users,dc=abc,dc=com

hostname(config-aaa-server-group)# ldap-scope subtree

hostname(config-aaa-server-group)# ldap-login-password *

hostname(config-aaa-server-group)# ldap-login-dn CN=Administrator ,DC=abc ,DC=com

hostname(config-aaa-server-group)# server-type microsoft

[b]Set the authentication server equal to server-group under the tunnel-group

tunnel-group LDAPVPN type remote-access

tunnel-group LDAPVPN general-attributes

address-pool <pool name>

authentication-server-group LDAP

default-group-policy <name of policy>

tunnel-group LDAPVPN ipsec-attributes

pre-shared-key *

Case 2

Using LDAP to authenticate VPN users connecting to an ASA through AD but users in a particular group in AD should only be able to VPN into the ASA and no other user in AD should be able to connect through VPN.

The following are the required commands:-

[a] Configure the server-group same as above:-

hostname(config)# aaa-server LDAP protocol ldap

hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.10.1.5

hostname(config-aaa-server-group)# ldap-base-dn cn=Users,dc=stops,dc=net

hostname(config-aaa-server-group)# ldap-scope subtree

hostname(config-aaa-server-group)# ldap-login-password *

hostname(config-aaa-server-group)# ldap-login-dn CN=Administrator,DC=stops,DC=net

hostname(config-aaa-server-group)# server-type Microsoft

hostname(config-aaa-server-group)# ldap-attribute-map LDAP-VPN

[b] Create  ldap-attribute map.

ldap attribute-map LDAP-VPN

  map-name  memberOf IETF-Radius-Class

  map-value memberOf "CN=VPN Users,CN=Users,DC=abc,DC=com" policy1

  map-name  msNPAllowDialin IETF-Radius-Class

  map-value msNPAllowDialin "FALSE" novpnaccess

[c] Create the group-policy

group-policy novpnaccess internal

group-policy novpnaccess attributes

  vpn-simultaneous-logins 0

[d] Create tunnel group

tunnel-group LDAPVPN type remote-access

tunnel-group LDAPVPN general-attributes

address-pool policy1

authentication-server-group LDAP

default-group-policy policy1

tunnel-group LDAPVPN ipsec-attributes

pre-shared-key *

The configuration  above  is to allow users in “VPN Users” group in AD to connect through VPN but in order to deny VPN access to any other user in AD we need to make sure that “deny access” option is checked under the “Dial in” tab for the user in AD. By doing this, AD will return msNPAllowDialin value as False which will be matched on ASA under ldap attribute. If the returned value from AD   and the configured value on ASA  matches then  it will be  mapped  to the “novpnaccess”  group policy on ASA which says vpn-simultaneous-logins 0 and that particular user will not be having vpn access. However all other users in ‘VPN Users’ group will be able to connect via vpn and will be mapped to policy1.

By default the customers  have “control access through remote-access policy” configured for all the users in AD under the “Dial in” tab. And when this option is checked “msNPAllowDialin” attribute is not returned by AD and therefore we cannot use this attribute to map to the “novpnaccess” group policy on ASA. As a result the customers are forced to check the “deny access” option in Active Directory to deny him/her VPN access.

Commands to troubleshoot ldap authentication:-

[1]debug ldap 255

The following is the command reference link:-

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/d1.html#wp1992312

[2]debug aaa common

The following is the command reference link:-

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/d1.html#wp1985638

The following are some useful links:-

1) Configuring an LDAP AAA Server on ASA using ASDM:-

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdmldap.html#wp1032929

2)How to configure external authentication server with windows AD screenshots:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/extsvr.htm#wp1577162

3)How to configure authentication for your remote access VPN tunnel group using CLI:-

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/vpngrp.htm#wp1109129

4) Mapping VPN Clients to VPN Group Policies Through LDAP

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

5) Use LDAP Authentication to Assign a Group Policy at Login

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Cheers,

Shilpa



























































Version history
Revision #:
1 of 1
Last update:
‎10-04-2010 02:34 AM
Updated by:
 
Labels (1)