topic LDAP Authentication Issues in Network Access Control

LDAP Authentication Issues

Alexander Deems — Mon, 11 Mar 2019 03:22:56 GMT

Hello,

I am able to get LDAP Authentication working for the VPN, but when I go to test a user that is not defined in the VPN group within AD, they are still able to authenticate and are granted access to the VPN. I am at a loss as to what the actual issue is because everything appears to be defined properly.

I have attached the ldap debug logs for a user that is working properly and a user that is not working properly. My understanding is that they should only be able to authenticate against this one group JOB_ADMINS_VPN and if they are not in this group then they should be denied VPN login rights.

ldap attribute-map JOB_ADMIN_MAP

map-name memberOf Group-Policy

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

aaa-server JOB_ADMINS protocol ldap

aaa-server JOB_ADMINS (Prod) host 10.5.1.11

ldap-base-dn DC=test,DC=net

ldap-group-base-dn OU=VPN,DC=test,DC=net

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net

server-type microsoft

ldap-attribute-map JOB_ADMIN_MAP

I am sure I am missing something small, but I am not sure what I am missing. Any help with this issue will be grately apperciated.

Thank you!

LDAP Authentication Issues

Jatin Katyal — Wed, 01 May 2013 15:37:24 GMT

Please review the below listed config and see what you are missing else share "sh run" from the ASA.

Configuration for restricting access to a particular windows group on AD

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

ldap attribute-map LDAP-MAP

map-name memberOf IETF-Radius-Class

map-value memberOf

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

.....

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

group-policy noaccess attributes

vpn-simultaneous-logins 0

Jatin Katyal

- Do rate helpful posts -

LDAP Authentication Issues

Alexander Deems — Wed, 01 May 2013 16:34:53 GMT

Jatin,

I have setup the noaccess policy and made it the default policy under the tunnel-group but both users are still able to authenticate against the LDAP server. I have posted the relevate configurations that I have for the LDAP configuration.

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.5.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.7.12.0 255.255.254.0

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.64 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.0 255.255.255.224

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.10.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.40.4.0 255.255.255.240

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.11.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.14.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.2.0 255.255.254.0

ip local pool server-mgmt_Admins2 10.5.22.2-10.5.22.254 mask 255.255.255.0

ldap attribute-map JOB_ADMIN_MAP

map-name memberOf Group-Policy

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

dynamic-access-policy-record DfltAccessPolicy

aaa-server JOB_ADMINS protocol ldap

aaa-server JOB_ADMINS (Prod) host 10.5.1.11

ldap-base-dn DC=test,DC=net

ldap-group-base-dn OU=VPN,DC=test,DC=net

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net

server-type microsoft

ldap-attribute-map JOB_ADMIN_MAP

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

group-policy JOB_ADMINS_GRP internal

group-policy JOB_ADMINS_GRP attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol ikev1

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value JOB_ADMINS_splitTunnelAcl

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy JOB_ADMINS_GRP

tunnel-group JOB_ADMINS ipsec-attributes

ikev1 pre-shared-key *****

LDAP Authentication Issues

Jatin Katyal — Wed, 01 May 2013 16:50:48 GMT

Here is what you need:

Under ldap attribute map you have group-policy name incorrectly configured. It should be JOB_ADMINS_GRP

-------------------------------------------------

ldap attribute-map JOB_ADMIN_MAP

map-name memberOf Group-Policy

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

--------------------------------------------------

In the noaccess group policy simultaneous sessions should be set to 0

-------------------------------------------

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 0

In the tunnel-group set the default-group-policy as noaccess because legimitate users should get the right group through ldap attribute map.

------------------------------------------------------------------

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy noaccess

In case it doesn't work....run the debug ldap 255 and send the debugs and new ldap config again.

Jatin Katyal

- Do rate helpful posts -

LDAP Authentication Issues

Alexander Deems — Wed, 01 May 2013 20:40:42 GMT

Jatin,

I have made the changes that you have mentioned, but now I am not able to authenticate with either account but they are showing both as successful when looking at the debug logs of ldap. If I look at the logs after beign authenticated they are both being applied to the noaccess policy.

Config: