
LDAP Authentcation on Cisco ASA 8.2(1)

October 11
Dear Security Experts,
I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN for a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), they show that authentication against the LDAP server is successful, but the LDAP attribute is not getting mapped, and for this reason the tunnel-group default group policy "NOACCESS" (vpn-simultaneous-logins set to zero) is applied, which results in zero connections.
I confirmed this by changing the value in NOACCESS from zero to one and found that the VPN then connects.
The user account is testvendor, which belongs to the group Test-vendor.
Could you kindly advise me on what I am missing in this configuration? Any help on this is highly appreciated.
The configuration and debug output are shown below.
SHOW RUN
ldap attribute-map ABC-VENDOR
 map-name  memberOf Group-Policy
 map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
aaa-server ldapvend protocol ldap
aaa-server ldapvend (INSIDE) host 10.1.141.7
 ldap-base-dn DC=abc,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
 server-type microsoft
 ldap-attribute-map ABC-VENDOR
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy Allow-Vendor internal
group-policy Allow-Vendor attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.141.7
 default-domain value abc.org
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
tunnel-group ABC-AD-VENDOR type remote-access
tunnel-group ABC-AD-VENDOR general-attributes
 address-pool vendor_pool
 authentication-server-group ldapvend
 default-group-policy NOACCESS
tunnel-group ABC-AD-VENDOR ipsec-attributes
 pre-shared-key *
Note: as part of troubleshooting I also tried the following map-value lines under the ldap attribute-map ABC-VENDOR:
 map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
 map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
 map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
DEBUG LDAP 255
[454095] Session Start
[454095] New request Session, context 0xb1f296b0, reqType = Authentication
[454095] Fiber started
[454095] Creating LDAP context with uri=ldap://10.1.141.7:389
[454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
[454095] supportedLDAPVersion: value = 3
[454095] supportedLDAPVersion: value = 2
[454095] Binding as ldapvpn
[454095] Performing Simple authentication for ldapvpn to 10.1.141.7
[454095] LDAP Search:
        Base DN = [DC=abc,DC=local]
        Filter  = [sAMAccountName=testvendor]
        Scope   = [SUBTREE]
[454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
[454095] Talking to Active Directory server 10.1.141.7
[454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095] Read bad password count 0
[454095] Binding as testvendor
[454095] Performing Simple authentication for testvendor to 10.1.141.7
[454095] Processing LDAP response for user testvendor
[454095] Message (testvendor):
[454095] Checking password policy
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]        objectClass: value = top
[454095]        objectClass: value = person
[454095]        objectClass: value = organizationalPerson
[454095]        objectClass: value = user
[454095]        cn: value = testvendor
[454095]        givenName: value = testvendor
[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095]        instanceType: value = 4
[454095]        whenCreated: value = 20111019133739.0Z
[454095]        whenChanged: value = 20111030135415.0Z
[454095]        displayName: value = testvendor
[454095]        uSNCreated: value = 20258545
[454095]        uSNChanged: value = 20899179
[454095]        name: value = testvendor
[454095]        objectGUID: value = ).u>.v.H.6>..u.Z
[454095]        userAccountControl: value = 66048
[454095]        badPwdCount: value = 0
[454095]        codePage: value = 0
[454095]        countryCode: value = 0
[454095]        badPasswordTime: value = 129644550477428806
[454095]        lastLogoff: value = 0
[454095]        lastLogon: value = 129644551251183846
[454095]        pwdLastSet: value = 129635050595360564
[454095]        primaryGroupID: value = 513
[454095]        userParameters: value = m:                    d.                       
[454095]        objectSid: value = ...............n."J.h.0.....
[454095]        accountExpires: value = 9223372036854775807
[454095]        logonCount: value = 0
[454095]        sAMAccountName: value = testvendor
[454095]        sAMAccountType: value = 805306368
[454095]        userPrincipalName: value = [email protected]
[454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095]        msNPAllowDialin: value = TRUE
[454095]        dSCorePropagationData: value = 20111026081253.0Z
[454095]        dSCorePropagationData: value = 20111026080938.0Z
[454095]        dSCorePropagationData: value = 16010101000417.0Z
[454095]        lastLogonTimestamp: value = 129638228546025674
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
[454095] Session End

Answers

Thank you Jennifer for the response.
Could you please help me with how to enable the "memberOf" attribute on AD so that it is pushed to the ASA for the OU matching?
I have already set the "Remote Dial-in" property of the user account "testvendor" in AD to "Allow Access". This can be seen in the debug output below.
[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = [email protected]
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z
Is there any other setting that I need to configure on AD?
Kindly advise.
Regards
Shiji
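Added example (editor's code, not from the post, from Cisco, or from any reply): a small Python checker that parses the "Retrieved User Attributes" block of a "debug ldap 255" capture and applies the post's attribute map to it, which shows why both the original capture (no memberOf returned at all) and the follow-up question (how to get memberOf pushed to the ASA) end in the NOACCESS default. The two debug excerpts are constructed in the shape of the post's output; the exact-string-match rule for map-value is an assumption, not something the page states.

```python
import re
# Attribute map and tunnel-group default taken from the configuration in the post.
ATTRIBUTE_MAP = {"CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local": "Allow-Vendor"}
DEFAULT_GROUP_POLICY = "NOACCESS"
# Constructed excerpt in the shape of "debug ldap 255" output: the bind succeeds,
# but the directory returns no memberOf values (the situation in the post).
DEBUG_NO_MEMBEROF = """\
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]        cn: value = testvendor
[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095]        sAMAccountName: value = testvendor
[454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
"""
# Constructed variant: memberOf is returned but differs from the map-value only in case.
DEBUG_WITH_MEMBEROF = DEBUG_NO_MEMBEROF.replace(
    "[454095]        sAMAccountName:",
    "[454095]        memberOf: value = CN=Test-Vendors,OU=Users,OU=Abc,DC=abc,DC=local\n"
    "[454095]        sAMAccountName:")

ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")

def parse_attributes(debug_text):
    # Collect the multi-valued attributes listed under "Retrieved User Attributes".
    attrs, in_block = {}, False
    for line in debug_text.splitlines():
        if "Retrieved User Attributes" in line:
            in_block = True
        elif in_block:
            m = ATTR_RE.match(line)
            if not m:
                break  # first non-attribute line ends the block
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs

def select_group_policy(attrs, attribute_map=ATTRIBUTE_MAP, default=DEFAULT_GROUP_POLICY):
    # A memberOf value equal to a map-value DN selects that group-policy; otherwise the
    # tunnel-group default applies. Exact string comparison is assumed here (not stated on
    # the page); a case-only difference is reported separately so it can be checked on the box.
    values = attrs.get("memberOf")
    if not values:
        return default, "no memberOf returned by the directory; default-group-policy applies"
    for value in values:
        if value in attribute_map:
            return attribute_map[value], "matched " + value
    for value in values:
        for dn in attribute_map:
            if dn.lower() == value.lower():
                return default, "case-only mismatch between map-value and memberOf: " + value
    return default, "memberOf present but no map-value matched"
```

Run it against a real capture by pasting the debug text into the script; when the reason reads "no memberOf returned", the group membership itself (or what the directory exposes to the bind account) is the thing to check, not the map-value DN.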
