topic Re: ASA+AD+Authorization in VPN

ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 09:50:52 GMT

Has anyone managed to get the ASA (8.2) working with LDAP/ AD to perform authorization/ group mapping's based on AD group membership?

I found numerous postings on these forums, but not anyone who has managed to get it working.

We have several groups where we are using the drop down selector and would like to leverage AD groups for access. If the user is a member of the group, then they can sign in. If not, they get denied access. It sounds pretty straight forward, but it doesn't seem to work like it is supposed to. Our user community pretty much will only use AnyConnect.

Thanks in advance.

Re: ASA+AD+Authorization

Jennifer Halim — Tue, 22 Jun 2010 10:07:49 GMT

Have you checked the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

I have seen it working based on the above sample configurations.

Hope that helps.

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 10:18:06 GMT

The first article is the one that I have been following and does not work. It has been noted many, many times in these forums.

The second article covers dial-in access allow or permit which is not quite what we need.

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 10:26:28 GMT

Actually.... it turns out we may have found a potential fix here... https://supportforums.cisco.com/message/850498#850498

The documentation refers to Radius-Class, which doesn't seem to accomplish anything.

It looks like Tunnel-Group-Lock is the key. However, it's denying everything right now, which I guess it better than what it was doing before.

Re: ASA+AD+Authorization

Jennifer Halim — Tue, 22 Jun 2010 10:38:21 GMT

The map name would be "map-name memberOf IETF-Radius-Class".

Please run "debug ldap 255" and try to authenticate with the user, and it will show you the full path of the CN memberOf for that user, and on the actual LDAP mapping, you would need to include that.

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 11:38:48 GMT

I have that, just like the doc says and it still does not work correctly. The issue is that it sees the group mapping, verifies it and then lets the user in with another group. It seems the authorization is busted and doesn't really do anything.

Just like here:

https://supportforums.cisco.com/message/1010142#1010142

Kind of here: https://supportforums.cisco.com/message/3021960#3021960

It looks like they never got it working here: https://supportforums.cisco.com/message/3059302#3059302

Does anyone have any idea what the Tunnel lock stuff does?

Re: ASA+AD+Authorization

Jennifer Halim — Tue, 22 Jun 2010 11:45:33 GMT

Don't worry about tunnel group lock, it is not what you are after.

Can you please share your configuration, and also advise which group-policy is the user supposed to be connected in, and which group-policy does the user actually get connected to ("show vpn-sessiondb svc filter name " output will show which group-policy the user is actually dropped in after the ldap attribute mapping). Thanks.

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 12:15:41 GMT

ldap attribute-map ad-members

map-name memberOf IETF-Radius-Class

map-value memberOf "CN=NS-ILO-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com" eng-test

Here is the debug for the groups:

[258] memberOf: value = CN=NS-OU-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=

[258] mapped to IETF-Radius-Class: value = CN=NS-OU-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] mapped to LDAP-Class: value = CN=NS-OU-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] memberOf: value = CN=ACS-Server-Admins,OU=ACS,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,D

[258] mapped to IETF-Radius-Class: value = CN=ACS-Server-Admins,OU=ACS,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] mapped to LDAP-Class: value = CN=ACS-Server-Admins,OU=ACS,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] memberOf: value = CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] mapped to IETF-Radius-Class: value = CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com

[258] mapped to LDAP-Class: value = CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com

Session Type: IPsec

Username : USERNAME Index : 16

ATestinggned IP : 10.180.128.11 Public IP : X.X.X.X

Protocol : IKE IPsec

License : IPsec

Encryption : AES128 Hashing : SHA1

Bytes Tx : 1970 Bytes Rx : 1698

Group Policy : CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com

Tunnel Group : eng-test

Duration : 0h:02m:09s

Inactivity : 0h:00m:00s

NAC Result : Unknown

VLAN Mapping : Static VLAN : 3036

As you can see, it's just picking whatever group it feels like and not the correct one.

Re: ASA+AD+Authorization

Jennifer Halim — Tue, 22 Jun 2010 12:23:22 GMT

The map-value that you have configured is for the following:

map-value memberOf "CN=NS-ILO-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com" eng-test

However, base on the debug, the user is not a member of the above configured map value.

If you change the map-value to the following for example:

map-value memberOf "CN=NS-OU-Admins,OU=Groups,OU=Network Services,OU=X,OU=Depts,DC=X,DC=company,DC=com" eng-test

Then, that particular user will be put into the correct group-policy (name: eng-test), assuming you have configured group-policy with "eng-test" as its name.

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 12:43:59 GMT

That is correct. Even though the user is not a member of that group, they are ending up in that group-policy.

Re: ASA+AD+Authorization

Jennifer Halim — Tue, 22 Jun 2010 12:50:52 GMT

Sorry, I don't think I understand it.

There are 2 different configuration policies:

1) tunnel-group

2) group-policy

"eng-test" configured I believe is the tunnel-group. Do you also have group-policy named "eng-test" as well? ie: having both tunnel-group and group-policy with the name "eng-test"?

From the "show vpn-sessiondb svc" output provided earlier, the user is connected to the following:

Group Policy : CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com
Tunnel Group : eng-test

So the group-policy assigned is "CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com" which is just a false group-policy as I don't think you have group-policy with name "CN=X-TS-Users,OU=Groups,OU=Testing,OU=X,OU=Depts,DC=X,DC=company,DC=com" configured.

The mapping is done on group-policy, not on tunnel-group. You can configure 1 tunnel-group where all the users are connected to, however, having different users being mapped to different group-policy (where all the specific policies are configured).

Please share the following output to understand what is actually configured:

show run tunnel-group

show run group-policy

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 14:18:07 GMT

tunnel-group eng-test type remote-access

tunnel-group eng-test general-attributes

address-pool eng-test

authentication-server-group Win-Domain

default-group-policy eng-test

tunnel-group eng-test webvpn-attributes

group-alias Engineering-testing enable

tunnel-group eng-test ipsec-attributes

pre-shared-key *****

tunnel-group wireless type remote-access

tunnel-group wireless general-attributes

address-pool wireless

authentication-server-group Win-Domain

default-group-policy wireless

tunnel-group wireless webvpn-attributes

group-alias Wireless enable

group-policy DfltGrpPolicy attributes

banner value Testing

vpn-idle-timeout 90

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Standard-Split

nem enable

group-policy eng-test internal

group-policy eng-test attributes

vpn-tunnel-protocol IPSec svc webvpn

vlan 3036

address-pools none

ipv6-address-pools none

webvpn

svc ask enable

group-policy wireless internal

group-policy wireless attributes

vpn-tunnel-protocol IPSec svc webvpn

vlan 3011

address-pools none

ipv6-address-pools none

webvpn

svc ask enable

Re: ASA+AD+Authorization

charlesdf22 — Tue, 22 Jun 2010 14:40:20 GMT

this is the same exact issue.

https://supportforums.cisco.com/thread/2010078

Basically, I will have up to 20 different groups that a user can select.

For example, engineering, sales, administration, management.

Some users will need to access different groups based upon their needs. Someone from engineering will need to select the drop down (or url) to access the management group so they can make switch changes.

My basic need is that the system has to check an LDAP group, determine memberOf and allow access. This sounds like basic authorization, is it not?

Re: ASA+AD+Authorization

Jennifer Halim — Wed, 23 Jun 2010 12:46:52 GMT

It is absolutely basic authorization, however, the ldap mapping has been configured incorrectly.

You would need to map the correct ldap path of that user to a group-policy as advised earlier.