Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Remote Access VPN on ASA - Authentication using LDAP Server

     

     

    Introduction

    This document provides an example on how to Configure Remote Access VPN on ASA and do the Authentication using LDAP server

    Prerequisites

    ASA and LDAP server both should be reachable.
     

    Components Used

    1. ASA 8.2

    2. LDAP (Microsoft)

    Configuration Remote Access VPN on ASA

    interface configuration:

    hostname(config)# interface ethernet0
    hostname(config-if)# ip address 10.10.4.200 255.255.0.0
    hostname(config-if)# nameif outside
    hostname(config)# no shutdown

    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

    hostname(config)# isakmp policy 1 authentication pre-share
    hostname(config)# isakmp policy 1 encryption 3des
    hostname(config)# isakmp policy 1 hash sha 
    hostname(config)# isakmp policy 1 group 2
    hostname(config)# isakmp policy 1 lifetime 43200
    hostname(config)# isakmp enable outside

    Configuring an Address Pool

    hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

    Adding a User

    hostname(config)# username testuser password 12345678

    Creating a Transform Set

    hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

    Creating a Tunnel group

    hostname(config)# tunnel-group testgroup type ipsec-ra
    hostname(config)# tunnel-group testgroup general-attributes
    hostname(config-general)# address-pool testpool
    hostname(config)# tunnel-group testgroup ipsec-attributes
    hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

    Creating a Dynamic crypto map

    hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
    hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

    Creating a Crypto Map Entry to Use the Dynamic Crypto Map

    hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
    hostname(config)# crypto map mymap interface outside

    Configuring LDAP server on the ASA

    ciscoasa(config-aaa-server-group)#aaa-server LDAP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
    ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
    ciscoasa(config-aaa-server-host)#ldap-login-password **********
    ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
    ciscoasa(config-aaa-server-host)#ldap-scope subtree
    ciscoasa(config-aaa-server-host)#server-type microsoft
    ciscoasa(config-aaa-server-host)#exit

    Assigning LDAP server under tunnel group

    ciscoasa(config)#tunnel-group testgroup general-attributes
    ciscoasa(config-tunnel-general)#authentication-server-group LDAP

    Verifcation

    Test with CLI:

    You can use the test command on the command line in order to test your AAA setup. A test  request is sent to the AAA server, and the result appears on the command line.

    ciscoasa#test aaa-server authentication LDAP host 192.168.1.2
       username cisco password cisco123INFO: Attempting Authentication test to IP address <192.168.1.2>
       (timeout: 12 seconds)
    INFO: Authentication Successful

    Troubleshoot

    If unsure of the current DN string to use, you can issue the dsquery command on a Windows Active Driectory server from a command prompt in  order to verify the appropriate DN String of a user object.

    C:\Documents and Settings\Administrator>dsquery user -samid cisco!--- Queries Active Directory for samid id "cisco""CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"

    The debug ldap 255 command can help to troubleshoot authentication problems in this  scenario. This command enables LDAP debugging and allows you to watch  the process that the ASA uses to connect to the LDAP server.

    Debug - Successful authentication

    ciscoasa#debug ldap 255[7] Session Start
    [7] New request Session, context 0xd4b11730, reqType = 1
    [7] Fiber started
    [7] Creating LDAP context with uri=ldap://192.168.1.2:389
    [7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
    [7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
    [7] supportedLDAPVersion: value = 3
    [7] supportedLDAPVersion: value = 2
    [7] supportedSASLMechanisms: value = GSSAPI
    [7] supportedSASLMechanisms: value = GSS-SPNEGO
    [7] supportedSASLMechanisms: value = EXTERNAL
    [7] supportedSASLMechanisms: value = DIGEST-MD5
    
    !--- The ASA connects to the LDAP server for admin bind and search for cisco.
    [7] Binding as administrator
    [7] Performing Simple authentication for admin to 192.168.1.2
    [7] LDAP Search:
            Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
            Filter  = [sAMAccountName=cisco]
            Scope   = [SUBTREE]
    [7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][7] Talking to Active Directory server 192.168.1.2
    [7] Reading password policy for cisco, dn:CN=cisco,CN=Users,
           DC=ftwsecurity,DC=cisco,DC=com
    
    !--- The ASA binds to the LDAP server as cisco to test the password.
    [7] Binding as user
    [7] Performing Simple authentication for kate to 192.168.1.2
    [7] Checking password policy for user cisco
    [7] Binding as administrator
    [7] Performing Simple authentication for admin to 192.168.1.2
    [7] Authentication successful for kate to 192.168.1.2
    [7] Retrieving user attributes from server 192.168.1.2[7] Retrieved Attributes:
    [7]     objectClass: value = top
    [7]     objectClass: value = person
    [7]     objectClass: value = organizationalPerson
    [7]     objectClass: value = user
    [7]     cn: value = cisco
    [7]     givenName: value = cisco
    [7]     distinguishedName: value = CN=cisco,CN=Users,DC=ftwsecurity,
               DC=cisco,DC=com
    [7]     instanceType: value = 4
    [7]     whenCreated: value = 20070815155224.0Z
    [7]     whenChanged: value = 20070815195813.0Z
    [7]     displayName: value = cisco
    [7]     uSNCreated: value = 16430
    [7]     memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
    [7]     memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
    [7]     uSNChanged: value = 20500
    [7]     name: value = cisco
    [7]     objectGUID: value = ..z...yC.q0.....
    [7]     userAccountControl: value = 66048
    [7]     badPwdCount: value = 1
    [7]     codePage: value = 0
    [7]     countryCode: value = 0
    [7]     badPasswordTime: value = 128321799570937500
    [7]     lastLogoff: value = 0
    [7]     lastLogon: value = 128321798130468750
    [7]     pwdLastSet: value = 128316667442656250
    [7]     primaryGroupID: value = 513
    [7]     objectSid: value = ............Q..p..*.p?E.Z...
    [7]     accountExpires: value = 9223372036854775807
    [7]     logonCount: value = 0
    [7]     sAMAccountName: value = cisco
    [7]     sAMAccountType: value = 805306368
    [7]     userPrincipalName: value = cisco@ftwsecurity.cisco.com
    [7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,
               DC=ftwsecurity,DC=cisco,DC=com
    [7]     dSCorePropagationData&colon; value = 20070815195237.0Z
    [7]     dSCorePropagationData&colon; value = 20070815195237.0Z
    [7]     dSCorePropagationData&colon; value = 20070815195237.0Z
    [7]     dSCorePropagationData&colon; value = 16010108151056.0Z
    [7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
    [7] Session End

    Debug - Authentication fails - Incorrect Password

    ciscoasa#debug ldap 255[8] Session Start
    [8] New request Session, context 0xd4b11730, reqType = 1
    [8] Fiber started
    [8] Creating LDAP context with uri=ldap://192.168.1.2:389
    [8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
    [8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
    [8] supportedLDAPVersion: value = 3
    [8] supportedLDAPVersion: value = 2
    [8] supportedSASLMechanisms: value = GSSAPI
    [8] supportedSASLMechanisms: value = GSS-SPNEGO
    [8] supportedSASLMechanisms: value = EXTERNAL
    [8] supportedSASLMechanisms: value = DIGEST-MD5
    
    !--- The ASA connects to the LDAP server as admin to search for cisco.
    [8] Binding as administrator
    [8] Performing Simple authentication for admin to 192.168.1.2
    [8] LDAP Search:
            Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
            Filter  = [sAMAccountName=kate]
            Scope   = [SUBTREE]
    [8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][8] Talking to Active Directory server 192.168.1.2
    [8] Reading password policy for cisco, dn:CN=cisco,CN=Users,
           DC=ftwsecurity,DC=cisco,DC=com
    [8] Read bad password count 1
    
    !--- The ASA attempts to bind as cisco, but the password is incorrect.
    [8] Binding as user
    [8] Performing Simple authentication for kate to 192.168.1.2
    [8] Simple authentication for cisco returned code (49) Invalid credentials[8] Binding as administrator
    [8] Performing Simple authentication for admin to 192.168.1.2
    [8] Reading bad password count for cisco, dn: CN=cisco,CN=Users,
           DC=ftwsecurity,DC=cisco,DC=com
    [8] Received badPwdCount=1 for user cisco
    [8] badPwdCount=1 before, badPwdCount=1 after for cisco
    [8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT,
           delta=1122041, maxage=3710851 secs
    [8] Invalid password for cisco
    [8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
    [8] Session End

    Debug - Authentication Fail - User not found on LDAP server

    ciscoasa#debug ldap 255[9] Session Start
    [9] New request Session, context 0xd4b11730, reqType = 1
    [9] Fiber started
    [9] Creating LDAP context with uri=ldap://192.168.1.2:389
    [9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
    [9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
    [9] supportedLDAPVersion: value = 3
    [9] supportedLDAPVersion: value = 2
    [9] supportedSASLMechanisms: value = GSSAPI
    [9] supportedSASLMechanisms: value = GSS-SPNEGO
    [9] supportedSASLMechanisms: value = EXTERNAL
    [9] supportedSASLMechanisms: value = DIGEST-MD5
    
    !--- The user Minakshi is not found.
    [9] Binding as administrator
    [9] Performing Simple authentication for admin to 192.168.1.2
    [9] LDAP Search:
            Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
            Filter  = [sAMAccountName=minakshi]
            Scope   = [SUBTREE]
    [9] Requested attributes not found[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
    [9] Session End

    Please post comments if there are any queries and rate if useful.

     

    Scenario 2:

    Problem:

    Is it possible to strip the suffix from a username to authenticate against an active directory in ACS 5.4? I can find this when using an external proxy service, but not for network access.

    Solution:

    Username suffix/prefix stripping is possible when using:
    LDAP
    Radius Identity server
    External Proxy
    With AD, the option is unavailable.
    Self proxy + AD is a workaround but that has some limitations and is a complex configuration.

     

    Source Discussion:

    CSC Discussion:

    Version history
    Revision #:
    2 of 2
    Last update:
    ‎08-29-2017 03:09 AM
    Updated by:
     
    Labels (1)
    Contributors
    Comments
    New Member

    very good document, thank you

    New Member

    thank you

    To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

    Also, recent blog : Intelligent Traffic Director @ Cisco Live Milan

     

    ITD Provides CAPEX and OPEX Savings for Customers

    ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

    ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

     

    New Member

    Excellent article. Very useful.