Cisco Support Community
New Member

Cisco ASA LDAP authentication with openldap and groups

I'm trying to set up my Cisco ASA 5505 to authenticate against an openldap server.  My OpenLDAP version:

@(#) $OpenLDAP: slapd 2.4.9 (Sep  9 2009 11:22:34) $

I have an LDAP group that I want to use to restrict access for the VPN connections.

ldap-server:~> ldapsearch -x cn=vpn member
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=vpn
# requesting: member
#

# vpn, Group, example.com
dn: cn=vpn,ou=Group,dc=example,dc=com
member: uid=vpnuser,ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Authenticating with a user's LDAP username and password is working fine.

I've hit Google pretty hard but can't seem to find a simple answer.  It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.

Any help is much appreciated.  Thanks!
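The question boils down to turning the `ldapsearch` output above into an allow/deny decision for a user. The following is an added example, not code from the post: it parses LDIF of the shape shown (a group entry whose `member` values are user DNs), handling folded continuation lines and base64 (`::`) values that real `ldapsearch` output can contain, and denies by default when the group or the attribute is missing. The sample LDIF is constructed for the example and extends the post's output with two extra members.

```python
"""Decide group membership from ldapsearch LDIF output.

Added example, not from the forum post. It assumes the entry shape returned by
`ldapsearch -x cn=vpn member` above (a groupOfNames-style group whose `member`
values are user DNs). The LDIF below is constructed for the example.
"""
import base64

# Constructed: the post's output plus a folded (continued) line and a
# base64 ("::") value, both of which real ldapsearch output can contain.
_B64_MEMBER = base64.b64encode(b"uid=b64user,ou=people,dc=example,dc=com").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=vpn
# requesting: member
#

# vpn, Group, example.com
dn: cn=vpn,ou=Group,dc=example,dc=com
member: uid=vpnuser,ou=people,dc=example,dc=com
member: uid=second,ou=people,
 dc=example,dc=com
member:: {_B64_MEMBER}

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps a lowercased attribute name
    to the list of its values. Comments are dropped, folded lines unfolded,
    and '::' values base64-decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Simplified DN comparison form: lowercase, no spaces around commas.
    (Full RFC 4517 DN matching is more involved; this is enough for the
    DNs in the post.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_members(entries, group_dn):
    """Set of normalized member DNs of the entry whose dn matches group_dn.
    An absent group or an absent member attribute yields an empty set,
    so the caller's answer defaults to 'not a member'."""
    target = normalize_dn(group_dn)
    for entry in entries:
        if "dn" in entry and normalize_dn(entry["dn"][0]) == target:
            return {normalize_dn(m) for m in entry.get("member", [])}
    return set()


def is_member(ldif_text, group_dn, user_dn):
    """True only if user_dn appears as a member of group_dn in the LDIF."""
    return normalize_dn(user_dn) in group_members(parse_ldif(ldif_text), group_dn)


if __name__ == "__main__":
    vpn = "cn=vpn,ou=Group,dc=example,dc=com"
    for user in ("uid=vpnuser,ou=people,dc=example,dc=com",
                 "uid=nobody,ou=people,dc=example,dc=com"):
        print(user, "->", "allow" if is_member(SAMPLE_LDIF, vpn, user) else "deny")
```

The default-deny in `group_members` is the point worth keeping whatever enforces the check: a missing group, a typo in the group DN, or a server that returns no `member` attribute should all fail closed rather than let the VPN user through.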

  • VPN
6 REPLIES

Re: Cisco ASA LDAP authentication with openldap and groups

Here is a good example for you.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

"debug ldap 255" is very helpful to troubleshoot it.

New Member

Re: Cisco ASA LDAP authentication with openldap and groups

This page is inaccessible to me.

Re: Cisco ASA LDAP authentication with openldap and groups

PDF attached

New Member

Cisco ASA LDAP authentication with openldap and groups

The solution proposed by Carl Davis worked for me pretty well! I had LDAP authentication working, but I wanted to allow only users in the "vpn" group to login. I set up two LDAP entries, one for authentication and a second one for authorization.

Thanks!

New Member

Re: Cisco ASA LDAP authentication with openldap and groups

Greetings, not to bring up a post from the WAAAYY back, but this post kept cropping up when I was trying to do the same thing.  I seem to have been able to get it to work.  I wanted to respond to this in case others find the post and it can help them.  This is for ASA version 8.2(2)12

Essentially, what I did was add a secondary Authorization group that only authorizes the user.  I believe these are the relevant sections:

[This authenticates the user against the Mac OS LDAP server]

aaa-server xServe protocol ldap
aaa-server xServe (inside) host IRxServeIntel
 ldap-base-dn cn=users,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap

[This authorizes the user against a group, in my case VPN]

aaa-server xServeGroup protocol ldap
aaa-server xServeGroup (inside) host IRxServeIntel
 ldap-base-dn cn=vpn,cn=groups,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute memberUid
 server-type openldap

Further down for the tunnel group I have this:

tunnel-group SSL-VPN general-attributes
 address-pool SSL-VPN
 authentication-server-group xServe
 authorization-server-group xServeGroup
 default-group-policy SSL-VPN
 authorization-required
 username-from-certificate use-entire-name

I hope that makes sense as to what I did and, if it does, that it helps others who might be in the same situation.

New Member

Re: Cisco ASA LDAP authentication with openldap and groups

I'll have to check this out at some point.  I ended up using a RADIUS server.

aaa-server FreeRadius protocol radius
aaa-server FreeRadius (inside) host 192.168.1.20
 key *****
 authentication-port 1812

tunnel-group VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group FreeRadius
 default-group-policy VPN
 authorization-required

Radius configuration:

modules/ldap

server = "ldap.your.domain"
...

basedn = "dc=example,dc=com"

...
groupname_attribute = cn
# (cn=vpn) sits alongside the member= term under the & so only the vpn group matches
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn})(cn=vpn)))"
groupmembership_attribute = radiusGroupName

sites-available/default

#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

...

# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

Auth-Type LDAP {
        ldap
}
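Both working answers in this thread end up issuing an LDAP search whose filter contains a value taken from the login: the FreeRADIUS `groupmembership_filter` substitutes the bound user's DN for `%{control:Ldap-UserDn}`, and the ASA `xServeGroup` server in the earlier reply looks the username up under the group entry by `memberUid`. The following added example (not code from the post, from FreeRADIUS, or from Cisco) renders both filters with RFC 4515 value escaping and checks the result is structurally sound, so a DN or username that legitimately contains parentheses, `*` or `\` cannot alter the filter. `asa_authorization_filter` is an interpretation of what the posted ASA config amounts to, not a documented ASA internal; the DNs used at the bottom are constructed.

```python
"""Render an LDAP group-membership filter with RFC 4515 value escaping.

Added example, not from the post or from FreeRADIUS. It takes the
groupmembership_filter template shown in the post and substitutes the
bound user's DN for %{control:Ldap-UserDn} the way the rlm_ldap module
does at runtime, escaping the value so a DN that legitimately contains
parentheses, '*' or '\\' cannot change the filter's structure.
"""

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one filter assertion value (the part after '=')."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


# The post's template, written so that (cn=vpn) is a sibling term of the &
# and only the vpn group can match; the outer | is kept as the post has it.
GROUP_FILTER_TEMPLATE = (
    "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn})(cn=vpn)))"
)


def render_group_filter(user_dn, template=GROUP_FILTER_TEMPLATE):
    """Substitute the escaped user DN into the template."""
    return template.replace("%{control:Ldap-UserDn}", escape_filter_value(user_dn))


def asa_authorization_filter(username):
    """Assumed equivalent of the ASA 'xServeGroup' server in the earlier
    reply: with ldap-naming-attribute memberUid and the group entry as
    ldap-base-dn, the authorization lookup amounts to this search filter
    under that base DN. (Interpretation of the posted config, not a
    documented ASA internal.)"""
    return f"(memberUid={escape_filter_value(username)})"


def filter_is_balanced(filter_text):
    """Structural sanity check: parentheses must nest properly. Any paren
    inside a value has already been escaped to \\28 or \\29, so it is not
    counted here."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed DNs: a plain one and one whose RDN contains parentheses.
    for dn in ("uid=vpnuser,ou=people,dc=example,dc=com",
               "cn=Smith (Ops),ou=people,dc=example,dc=com"):
        rendered = render_group_filter(dn)
        print(rendered, "balanced" if filter_is_balanced(rendered) else "BROKEN")
    print(asa_authorization_filter("vpnuser"))
```

`filter_is_balanced` is a cheap test to run on any rendered filter before it goes to the directory: a template typo (a paren in the wrong place, as easily happens when trimming the FreeRADIUS default) shows up as an unbalanced or mis-nested filter rather than as a group check that silently never matches.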
