topic Re: IPSec Cisco client authentication based on AD group membersh in Network Access Control

IPSec Cisco client authentication based on AD group membership

JohnMeggers — Sun, 10 Mar 2019 23:39:56 GMT

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.

We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership. I'm just stumped with how to kick off the second step to check group membership.

Anyone have a sample config floating around?

Re: IPSec Cisco client authentication based on AD group membersh

Jatin Katyal — Fri, 28 Aug 2009 11:48:52 GMT

Hi John,

I went through your detailed explanation and screen shot attached. Your config still need some changes....like scope and LDAP attribute map.

Here is a sample config that you may refer:::

- Configuration for restricting access to a particular windows group on AD

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

ldap attribute-map LDAP-MAP

map-name memberOf IETF-Radius-Class

map-value memberOf

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

.....

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

group-policy noaccess attributes

vpn-simultaneous-logins 1

If this doesn't work for you then attach "Sh run" from the ASA in your next reply and debug ldap 255.

HTH

Regards,

Re: IPSec Cisco client authentication based on AD group membersh

JohnMeggers — Mon, 31 Aug 2009 14:03:03 GMT

Hi Jatin,

Thanks for your QUICK reply. I was hoping to work on this over the weekend but had other obligations. I prefer to do this stuff outside of regular business hours - so I'll be testing over the next few evenings. I'll post back with results.

Thanks,

JTM

Re: IPSec Cisco client authentication based on AD group membersh

jar371 — Wed, 15 Feb 2012 20:41:37 GMT

Hi Jatin,

I would also like to setup the same configuration as John. I'm following your config and trying to create those settings in ASDM. However, when creating the ldap attribute-map, "IETF-Radius-Class" is not an option in the drop down box. Please advise?

Thanks,

PS - I have attached a screenshot.