
LDAP Authentication on Cisco ASA 8.2(1)

s.aliyarukunju
Level 1

Dear Security Experts,

I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN to a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), it shows that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and because of this the tunnel-group default group policy "NOACCESS" is getting applied (vpn-simultaneous-logins set to zero), which results in zero connections.

I confirmed this by changing the value in NOACCESS from zero to one and found that the VPN then connects.

The name of the user account is testvendor, which belongs to the group Test-vendor.

Could you kindly advise me on what I am missing in this configuration? Any help on this is highly appreciated.

The configuration and debug output are shown below.

SHOW RUN

ldap attribute-map ABC-VENDOR
  map-name  memberOf Group-Policy
  map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
aaa-server ldapvend protocol ldap
aaa-server ldapvend (INSIDE) host 10.1.141.7
 ldap-base-dn DC=abc,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
 server-type microsoft
 ldap-attribute-map ABC-VENDOR
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy Allow-Vendor internal
group-policy Allow-Vendor attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.141.7
 default-domain value abc.org
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
tunnel-group ABC-AD-VENDOR type remote-access
tunnel-group ABC-AD-VENDOR general-attributes
 address-pool vendor_pool
 authentication-server-group ldapvend
 default-group-policy NOACCESS
tunnel-group ABC-AD-VENDOR ipsec-attributes
 pre-shared-key *

Note: I tried the map-values below under the ldap attribute-map ABC-VENDOR as part of troubleshooting:

  map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
  map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor

DEBUG LDAP 255

[454095] Session Start
[454095] New request Session, context 0xb1f296b0, reqType = Authentication
[454095] Fiber started
[454095] Creating LDAP context with uri=ldap://10.1.141.7:389
[454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
[454095] supportedLDAPVersion: value = 3
[454095] supportedLDAPVersion: value = 2
[454095] Binding as ldapvpn
[454095] Performing Simple authentication for ldapvpn to 10.1.141.7
[454095] LDAP Search:
        Base DN = [DC=abc,DC=local]
        Filter  = [sAMAccountName=testvendor]
        Scope   = [SUBTREE]
[454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
[454095] Talking to Active Directory server 10.1.141.7
[454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095] Read bad password count 0
[454095] Binding as testvendor
[454095] Performing Simple authentication for testvendor to 10.1.141.7
[454095] Processing LDAP response for user testvendor
[454095] Message (testvendor):
[454095] Checking password policy
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]        objectClass: value = top
[454095]        objectClass: value = person
[454095]        objectClass: value = organizationalPerson
[454095]        objectClass: value = user
[454095]        cn: value = testvendor
[454095]        givenName: value = testvendor
[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095]        instanceType: value = 4
[454095]        whenCreated: value = 20111019133739.0Z
[454095]        whenChanged: value = 20111030135415.0Z
[454095]        displayName: value = testvendor
[454095]        uSNCreated: value = 20258545
[454095]        uSNChanged: value = 20899179
[454095]        name: value = testvendor
[454095]        objectGUID: value = ).u>.v.H.6>..u.Z
[454095]        userAccountControl: value = 66048
[454095]        badPwdCount: value = 0
[454095]        codePage: value = 0
[454095]        countryCode: value = 0
[454095]        badPasswordTime: value = 129644550477428806
[454095]        lastLogoff: value = 0
[454095]        lastLogon: value = 129644551251183846
[454095]        pwdLastSet: value = 129635050595360564
[454095]        primaryGroupID: value = 513
[454095]        userParameters: value = m:                    d.
[454095]        objectSid: value = ...............n."J.h.0.....
[454095]        accountExpires: value = 9223372036854775807
[454095]        logonCount: value = 0
[454095]        sAMAccountName: value = testvendor
[454095]        sAMAccountType: value = 805306368
[454095]        userPrincipalName: value = testvendor@abc.local
[454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095]        msNPAllowDialin: value = TRUE
[454095]        dSCorePropagationData: value = 20111026081253.0Z
[454095]        dSCorePropagationData: value = 20111026080938.0Z
[454095]        dSCorePropagationData: value = 16010101000417.0Z
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End


Jennifer Halim
Cisco Employee

Based on the debug output, the AD does not seem to provide the "memberOf" attribute that you can match on the ASA.

You are currently matching on "memberOf" attribute from your AD on the ASA configuration, however, the "memberOf" value was not passed on by the AD server towards the ASA, hence the LDAP mapping does not take place.
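As an added example, not part of this thread and not Cisco's or the poster's code: the script below re-runs the attribute-map comparison offline against a "debug ldap 255" capture, so the reason a map-value did not fire can be read off directly. It distinguishes the three outcomes a practitioner cares about: the mapped attribute (memberOf) was never returned by AD, which is the situation in this thread; it was returned but no map-value DN matched, which is what the OU-guessing map-values in the question were trying to rule out; or it matched, and which group-policy would be applied. The attribute map is the one from the question; the debug excerpts are constructed and trimmed, and the "wrong OU" and "match" captures are invented to show the other two outcomes. Assumptions, labelled in the code: DNs are compared case-insensitively after trimming blanks around the RDN separators (the ASA's exact comparison rule is not shown on this page), a map-value DN containing spaces is written in double quotes, and when several memberOf values match the first one wins.

```python
"""Offline re-check of an ASA 'ldap attribute-map' against 'debug ldap 255' output.

Added example, not code from this thread or from Cisco. Given the text of the
attribute map and a debug capture, it reports why a map-value did or did not
fire: the mapped attribute was never returned by AD (the case in this thread),
it was returned but no map-value matched, or it matched and which group-policy
would be applied.
"""
import re

# Constructed samples. The map is the one from the question; the debug excerpts
# are trimmed to the lines that matter for the mapping.
ATTRIBUTE_MAP = """\
ldap attribute-map ABC-VENDOR
  map-name  memberOf Group-Policy
  map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
"""

DEBUG_NO_MEMBEROF = """\
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]        cn: value = testvendor
[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095]        primaryGroupID: value = 513
[454095]        sAMAccountName: value = testvendor
"""

# Constructed: AD now returns memberOf, but the group lives in OU=Groups,
# not in the OU the map-value names, so nothing matches.
DEBUG_WRONG_OU = DEBUG_NO_MEMBEROF + """\
[454095]        memberOf: value = CN=Test-vendors,OU=Groups,OU=Abc,DC=abc,DC=local
"""

# Constructed: one unrelated group plus the group the map-value expects.
DEBUG_MATCH = DEBUG_NO_MEMBEROF + """\
[454095]        memberOf: value = CN=VPN-Users,OU=Groups,OU=Abc,DC=abc,DC=local
[454095]        memberOf: value = CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
"""

# "[id]   attribute: value = ..." lines as printed by 'debug ldap 255'.
ATTR_RE = re.compile(r"^\[\d+\]\s+(\S+): value = (.*)$")
# map-value <ldap-attr> <ad-value> <asa-value>; a DN with spaces is assumed to be
# written in double quotes (assumption: not shown on the page).
MAPVALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)\s*$')


def normalize_dn(dn):
    """Case-fold and trim blanks around RDN separators. Assumption: LDAP DNs are
    case-insensitive; the ASA's exact comparison rule is not documented on the page."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_attributes(debug_text):
    """Collect returned attributes; multi-valued ones (memberOf) become lists."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def parse_map_values(map_text):
    """Return {ldap_attribute: {normalized_dn: asa_value}}."""
    values = {}
    for line in map_text.splitlines():
        m = MAPVALUE_RE.match(line)
        if m:
            attr, dn, policy = m.group(1), m.group(2) or m.group(3), m.group(4)
            values.setdefault(attr, {})[normalize_dn(dn)] = policy
    return values


def check_map(debug_text, map_text):
    """Return {attribute: (verdict, group_policy_or_None)} for every mapped attribute."""
    attrs = parse_attributes(debug_text)
    verdicts = {}
    for attr, wanted in parse_map_values(map_text).items():
        returned = attrs.get(attr, [])
        if not returned:
            verdicts[attr] = ("attribute-absent", None)
            continue
        # Assumption: first matching value wins when several memberOf values match.
        hits = [wanted[normalize_dn(v)] for v in returned if normalize_dn(v) in wanted]
        verdicts[attr] = ("matched", hits[0]) if hits else ("no-value-matched", None)
    return verdicts


def explain(debug_text, map_text, default_policy):
    """Human-readable lines, including the tunnel-group fallback that applies."""
    attrs = parse_attributes(debug_text)
    lines = []
    for attr, (verdict, policy) in check_map(debug_text, map_text).items():
        if verdict == "matched":
            lines.append(f"{attr}: matched -> group-policy {policy}")
        elif verdict == "attribute-absent":
            lines.append(f"{attr}: not returned by AD -> tunnel-group default {default_policy} applies")
            if "primaryGroupID" in attrs:
                # AD's memberOf back-link never lists the primary group (primaryGroupID).
                lines.append("  note: memberOf never lists the primary group, so a user whose "
                             "only group is the primary group returns no memberOf at all")
        else:
            lines.append(f"{attr}: returned but no map-value DN matches: {attrs[attr]}")
    return lines


if __name__ == "__main__":
    for name, capture in (("no memberOf", DEBUG_NO_MEMBEROF),
                          ("wrong OU", DEBUG_WRONG_OU), ("match", DEBUG_MATCH)):
        print(f"--- {name}")
        print("\n".join(explain(capture, ATTRIBUTE_MAP, "NOACCESS")))
```

Paste a real capture into one of the DEBUG_* strings and the real "show run" attribute map into ATTRIBUTE_MAP; a verdict of "attribute-absent" points at the AD side (the account's group membership or what the bind account is allowed to read), while "no-value-matched" points at the DN in the map-value.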

Thank you Jennifer for the response.

Could you please help me with how to enable the "memberOf" attribute on AD so that it is pushed to the ASA for the OU matching?

I have already set the "Remote Dial-in" property of the user account "testvendor" in AD to "Allow Access". It can be seen in the debug output below.

[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = testvendor@abc.local
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z

Are there any other settings that I need to make on AD?

Kindly advise.

Regards

Shiji

I am not an AD expert unfortunately, but I found this that might help:

http://forkbomb.dadacafe.org/blog/Active_Directory_lacks_memberOf_attribute_for_unknown_reason_.._/

Hi Halim,

Thanks a lot for providing me the above URL. That really helped me, and after some activities on AD by our system admin team, the "memberOf" value is now getting pushed to the ASA.

The ASA configuration from my side was OK.

Thanks again for sharing your ideas.

Best Regards

Shiji

Great to hear it's working now... Thanks for the update and ratings.
