10-30-2011 02:43 PM
Dear Security Experts,
I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN only to a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), it shows that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and because of this the tunnel-group default group policy "NOACCESS" is getting applied (vpn-simultaneous-logins set to zero), which results in zero connections.
I confirmed this by changing the value in NOACCESS from zero to one and found that the VPN then connects.
The name of the user account is testvendor, which belongs to the group Test-vendor.
Could you kindly advise me what I am missing in this configuration? Any help on this is highly appreciated.
The configuration and debug output are shown below.
SHOW RUN
ldap attribute-map ABC-VENDOR
 map-name memberOf Group-Policy
 map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
aaa-server ldapvend protocol ldap
aaa-server ldapvend (INSIDE) host 10.1.141.7
 ldap-base-dn DC=abc,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
 server-type microsoft
 ldap-attribute-map ABC-VENDOR
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy Allow-Vendor internal
group-policy Allow-Vendor attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.141.7
 default-domain value abc.org
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
tunnel-group ABC-AD-VENDOR type remote-access
tunnel-group ABC-AD-VENDOR general-attributes
 address-pool vendor_pool
 authentication-server-group ldapvend
 default-group-policy NOACCESS
tunnel-group ABC-AD-VENDOR ipsec-attributes
 pre-shared-key *
Note: as part of troubleshooting I also tried the following map-value lines under the ldap attribute-map ABC-VENDOR:
map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
DEBUG LDAP 255
[454095] Session Start
[454095] New request Session, context 0xb1f296b0, reqType = Authentication
[454095] Fiber started
[454095] Creating LDAP context with uri=ldap://10.1.141.7:389
[454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
[454095] supportedLDAPVersion: value = 3
[454095] supportedLDAPVersion: value = 2
[454095] Binding as ldapvpn
[454095] Performing Simple authentication for ldapvpn to 10.1.141.7
[454095] LDAP Search:
Base DN = [DC=abc,DC=local]
Filter = [sAMAccountName=testvendor]
Scope = [SUBTREE]
[454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
[454095] Talking to Active Directory server 10.1.141.7
[454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095] Read bad password count 0
[454095] Binding as testvendor
[454095] Performing Simple authentication for testvendor to 10.1.141.7
[454095] Processing LDAP response for user testvendor
[454095] Message (testvendor):
[454095] Checking password policy
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095] objectClass: value = top
[454095] objectClass: value = person
[454095] objectClass: value = organizationalPerson
[454095] objectClass: value = user
[454095] cn: value = testvendor
[454095] givenName: value = testvendor
[454095] distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095] instanceType: value = 4
[454095] whenCreated: value = 20111019133739.0Z
[454095] whenChanged: value = 20111030135415.0Z
[454095] displayName: value = testvendor
[454095] uSNCreated: value = 20258545
[454095] uSNChanged: value = 20899179
[454095] name: value = testvendor
[454095] objectGUID: value = ).u>.v.H.6>..u.Z
[454095] userAccountControl: value = 66048
[454095] badPwdCount: value = 0
[454095] codePage: value = 0
[454095] countryCode: value = 0
[454095] badPasswordTime: value = 129644550477428806
[454095] lastLogoff: value = 0
[454095] lastLogon: value = 129644551251183846
[454095] pwdLastSet: value = 129635050595360564
[454095] primaryGroupID: value = 513
[454095] userParameters: value = m: d.
[454095] objectSid: value = ...............n."J.h.0.....
[454095] accountExpires: value = 9223372036854775807
[454095] logonCount: value = 0
[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = testvendor@abc.local
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z
[454095] lastLogonTimestamp: value = 129638228546025674
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End
10-30-2011 09:23 PM
Based on the debug output, AD does not seem to provide the "memberOf" attribute that you can match on the ASA.
You are currently matching on the "memberOf" attribute from your AD in the ASA configuration; however, the "memberOf" value was not passed on by the AD server to the ASA, hence the LDAP mapping does not take place.
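The quickest way to confirm this diagnosis is to read the "Retrieved User Attributes" block of the debug output mechanically rather than by eye. The script below is an added example and is not part of the thread or of any Cisco tool: it parses that block, reports whether AD returned any memberOf values, and compares them against the DNs configured as map-value lines in the ldap attribute-map. THREAD_DEBUG is abridged from the debug output posted above; HEALTHY_DEBUG is a constructed sample showing what a capture looks like when AD does return memberOf. It also surfaces primaryGroupID, because memberOf never lists a user's primary group (513 is Domain Users), so a group that has been made the primary group cannot be matched this way.

```python
# Added example (not from the thread): triage a Cisco ASA `debug ldap 255`
# capture for group-policy mapping.
import re
from collections import defaultdict

# One attribute line, e.g. "[454095] cn: value = testvendor"
ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+):\s+value\s+=\s+(.*)$")

# Abridged from the thread's debug output: no memberOf attribute at all.
THREAD_DEBUG = """\
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095] cn: value = testvendor
[454095] distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095] primaryGroupID: value = 513
[454095] sAMAccountName: value = testvendor
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End
"""

# Constructed sample: what a healthy capture looks like once AD returns memberOf.
HEALTHY_DEBUG = """\
[454096] Authentication successful for testvendor to 10.1.141.7
[454096] Retrieved User Attributes:
[454096] cn: value = testvendor
[454096] memberOf: value = CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454096] memberOf: value = CN=VPN-Users,OU=Groups,DC=abc,DC=local
[454096] primaryGroupID: value = 513
[454096] Fiber exit Tx=719 bytes Rx=3100 bytes, status=1
"""

# The thread's attribute map: {configured DN: group-policy}
MAP_VALUES = {
    "CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local": "Allow-Vendor",
}


def parse_debug(text):
    """Return {attribute: [values]} from the 'Retrieved User Attributes' block."""
    attrs = defaultdict(list)
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if "Retrieved User Attributes" in line:
            in_block = True
            continue
        if not in_block:
            continue
        if "Fiber exit" in line or "Session End" in line:
            break
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2).strip())
    return dict(attrs)


def normalise_dn(dn):
    """Lenient form for spotting near-misses: drop spaces around '=' and ',', lower-case."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def triage(text, map_values):
    """Compare returned memberOf values with the configured map-value DNs."""
    attrs = parse_debug(text)
    member_of = attrs.get("memberOf", [])
    report = {
        "memberOf": member_of,
        "matched": [],     # (returned DN, policy) where the strings are identical
        "near_miss": [],   # (returned DN, configured DN, policy) differing only in case/spacing
        "primary_group_id": attrs.get("primaryGroupID", [None])[0],
    }
    for dn in member_of:
        for cfg_dn, policy in map_values.items():
            if dn == cfg_dn:
                report["matched"].append((dn, policy))
            elif normalise_dn(dn) == normalise_dn(cfg_dn):
                report["near_miss"].append((dn, cfg_dn, policy))
    return report


if __name__ == "__main__":
    for label, capture in (("thread", THREAD_DEBUG), ("healthy", HEALTHY_DEBUG)):
        r = triage(capture, MAP_VALUES)
        print(f"{label}: memberOf returned={bool(r['memberOf'])} "
              f"matched={r['matched']} near_miss={r['near_miss']} "
              f"primaryGroupID={r['primary_group_id']}")
```

Run against the thread's capture the report shows no memberOf at all, which is exactly the condition under which the ASA falls back to the tunnel-group's default-group-policy; against the constructed healthy capture it shows the Test-vendors DN matching Allow-Vendor. A near-miss entry means the DN string AD returned and the configured map-value differ only in case or spacing, so the configured line should be re-typed to match what AD sends.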
10-30-2011 10:24 PM
Thank you Jennifer for the response.
Could you please help me with how to enable the "memberOf" attribute on AD so that it is pushed to the ASA for the OU matching?
I have already set the "Remote Dial-in" property of the user account "testvendor" in AD to "Allow Access". This can be seen in the debug output below.
[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = testvendor@abc.local
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z
Are there any other settings that I need to make on AD?
Kindly advise.
Regards
Shiji
11-02-2011 01:21 AM
I am not an AD expert unfortunately, but I found this that might help:
http://forkbomb.dadacafe.org/blog/Active_Directory_lacks_memberOf_attribute_for_unknown_reason_.._/
11-02-2011 12:48 PM
Hi Halim,
Thanks a lot for providing the above URL. That really helped me, and after some activities on AD by our system admin team, the "memberOf" value is now getting pushed to the ASA.
The ASA configuration on my side was OK.
Thanks again for sharing your ideas.
Best Regards
Shiji
11-03-2011 06:30 AM
Great to hear it's working now... Thanks for the update and ratings.