Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

LDAP Authentcation on Cisco ASA 8.2(1)

Dear Security Experts,

i am facing an issue while trying to configure LDAP integration on Cisco ASA firewall. The requirement is allow the remote access VPN to specific group defined on AD. When i checked the debug logs " debug ldap 255" , it shows that the authenication is sucessfull with the LDAP server , but the ldap attribute is not getting mapped and because of this reason , the tunnel-group default group policy of "NOACCESS" is getting applied ( vpn simultanous set to zero) that results zero connection.

I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN is getting connected

The name of user account is testvendor that belongs to the group of Test-vendor.

Could you kindly advice me what i am missing in this configuration.Highy appreciated the help on this .

The configuration and debug output is shown below.

SHOW RUN

ldap attribute-map ABC-VENDOR

  map-name  memberOf Group-Policy

  map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor

aaa-server ldapvend protocol ldap

aaa-server ldapvend (INSIDE) host 10.1.141.7

ldap-base-dn DC=abc,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local

server-type microsoft

ldap attribute-map ABC-VENDOR

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

group-policy Allow-Vendor internal

group-policy Allow-Vendor attributes

vpn-simultaneous-logins 10

vpn-tunnel-protocol IPSec

dns-server value 10.1.141.7

default-domain value abc.org

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_acl

tunnel-group ABC-AD-VENDOR type remote-access

tunnel-group ABC-AD-VENDOR general-attributes

address-pool vendor_pool

authentication-server-group ldapvend

default-group-policy NOACCESS

tunnel-group ABC-AD-VENDOR ipsec-attributes

pre-shared-key *

Note : I tried the below map-value under the ldap attribute ABC-VENDOR as part of troubleshooting

map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor

map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor

map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor

DEBUG LDAP 255

[454095] Session Start

[454095] New request Session, context 0xb1f296b0, reqType = Authentication

[454095] Fiber started

[454095] Creating LDAP context with uri=ldap://10.1.141.7:389

[454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful

[454095] supportedLDAPVersion: value = 3

[454095] supportedLDAPVersion: value = 2

[454095] Binding as ldapvpn

[454095] Performing Simple authentication for ldapvpn to 10.1.141.7

[454095] LDAP Search:

        Base DN = [DC=abc,DC=local]

        Filter  = [sAMAccountName=testvendor]

        Scope   = [SUBTREE]

[454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]

[454095] Talking to Active Directory server 10.1.141.7

[454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local

[454095] Read bad password count 0

[454095] Binding as testvendor

[454095] Performing Simple authentication for testvendor to 10.1.141.7

[454095] Processing LDAP response for user testvendor

[454095] Message (testvendor):

[454095] Checking password policy

[454095] Authentication successful for testvendor to 10.1.141.7

[454095] Retrieved User Attributes:

[454095]        objectClass: value = top

[454095]        objectClass: value = person

[454095]        objectClass: value = organizationalPerson

[454095]        objectClass: value = user

[454095]        cn: value = testvendor

[454095]        givenName: value = testvendor

[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local

[454095]        instanceType: value = 4

[454095]        whenCreated: value = 20111019133739.0Z

[454095]        whenChanged: value = 20111030135415.0Z

[454095]        displayName: value = testvendor

[454095]        uSNCreated: value = 20258545

[454095]        uSNChanged: value = 20899179

[454095]        name: value = testvendor

[454095]        objectGUID: value = ).u>.v.H.6>..u.Z

[454095]        userAccountControl: value = 66048

[454095]        badPwdCount: value = 0

[454095]        codePage: value = 0

[454095]        countryCode: value = 0

[454095]        badPasswordTime: value = 129644550477428806

[454095]        lastLogoff: value = 0

[454095]        lastLogon: value = 129644551251183846

[454095]        pwdLastSet: value = 129635050595360564

[454095]        primaryGroupID: value = 513

[454095]        userParameters: value = m:                    d.                       

[454095]        objectSid: value = ...............n."J.h.0.....

[454095]        accountExpires: value = 9223372036854775807

[454095]        logonCount: value = 0

[454095]        sAMAccountName: value = testvendor

[454095]        sAMAccountType: value = 805306368

[454095]        userPrincipalName: value = testvendor@abc.local

[454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local

[454095]        msNPAllowDialin: value = TRUE

[454095]        dSCorePropagationData: value = 20111026081253.0Z

[454095]        dSCorePropagationData: value = 20111026080938.0Z

[454095]        dSCorePropagationData: value = 16010101000417.0Z

[454095]        lastLogonTimestamp: value = 129638228546025674

[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1

[454095] Session End

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

LDAP Authentcation on Cisco ASA 8.2(1)

I am not an AD expert unfortunately, but I found this that might help:

http://forkbomb.dadacafe.org/blog/Active_Directory_lacks_memberOf_attribute_for_unknown_reason_.._/

5 REPLIES
Cisco Employee

LDAP Authentcation on Cisco ASA 8.2(1)

Base on the debug output, the AD does not seem to provide the "memberOf" attribute that you can match on the ASA.

You are currently matching on "memberOf" attribute from your AD on the ASA configuration, however, the "memberOf" value was not passed on by the AD server towards the ASA, hence the LDAP mapping does not take place.

New Member

LDAP Authentcation on Cisco ASA 8.2(1)

Thankyou Jennifer for the responds.

Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.

i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.

[454095] sAMAccountName: value = testvendor

[454095] sAMAccountType: value = 805306368

[454095] userPrincipalName: value = testvendor@abc.local

[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local

[454095] msNPAllowDialin: value = TRUE

[454095] dSCorePropagationData: value = 20111026081253.0Z

[454095] dSCorePropagationData: value = 20111026080938.0Z

[454095] dSCorePropagationData: value = 16010101000417.0Z

Is their any other settings that i need to do it on AD ?

Kindly advice

Regards

Shiji

Cisco Employee

LDAP Authentcation on Cisco ASA 8.2(1)

I am not an AD expert unfortunately, but I found this that might help:

http://forkbomb.dadacafe.org/blog/Active_Directory_lacks_memberOf_attribute_for_unknown_reason_.._/

New Member

LDAP Authentcation on Cisco ASA 8.2(1)

Hi Halim,

Thanks a lot for providing me the above url.That really helps me and after some activites on AD by our system admin team , the "memberOf" value is getting pushed to ASA.

The ASA configuration from my side was OK.

Thanks again for sharing your ideas.

Best Regards

Shiji

Cisco Employee

LDAP Authentcation on Cisco ASA 8.2(1)

Great to hear it's working now... Thanks for the update and ratings.

1365
Views
0
Helpful
5
Replies
CreatePlease to create content