topic Re: Cisco ASA LDAP Authentification in Network Security

Cisco ASA LDAP Authentification

nshchukin — Fri, 21 Feb 2020 15:14:02 GMT

Hello!
I'd like to configure access for Cisco ASA administration for a specific domain group. To this end, I indicated that only members of the "Cisco ASA Admins" group can log in through the SSH or ASDM to the firewall.
But during testing I found out that any member of the domain can log in with privileged rights to Cisco ASA. Tell me, please, where is the error?

ldap attribute-map Cisco_ASA_Admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf memberOf "CN=Cisco ASA Admins,OU=Services Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=local"
aaa-server Cisco_ASA_Admins protocol ldap
aaa-server Cisco_ASA_Admins (Servers) host y.y.y.y
 ldap-base-dn DC=XXX,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco.srv.account,OU=Services Accounts,OU=Users,OU=XXX,DC=XXX,DC=local
 server-type microsoft
 ldap-attribute-map Cisco_ASA_Admins
user-identity default-domain LOCAL
aaa authentication enable console Cisco_ASA_Admins LOCAL
aaa authentication http console Cisco_ASA_Admins LOCAL
aaa authentication ssh console Cisco_ASA_Admins LOCAL
aaa authorization command LOCAL

Re: Cisco ASA LDAP Authentification

Bogdan Nita — Tue, 30 Jan 2018 12:12:45 GMT

As far as I know the ldap attribute-map can be used only for restricting VPN access and not for management access to the ASA .

HTH

Bogdan

Re: Cisco ASA LDAP Authentification

nshchukin — Tue, 30 Jan 2018 12:35:15 GMT

Thanks for the answer.

How can I setup access to the ASA based on membership in the domain security group?

Re: Cisco ASA LDAP Authentification

Bogdan Nita — Tue, 30 Jan 2018 14:01:42 GMT

You can use radius. You could activate the Network Policy and Access Services role on your DC.

You can then configure a policy to permit the desired groups to access the ASA.

http://nil.uniza.sk/windows/windows-2016-server/asa-aaa-authentication-against-windows-2016-server-ad

Re: Cisco ASA LDAP Authentification

jewfcb001 — Tue, 30 Jan 2018 16:33:20 GMT

Hi nshchukin ,

LDAP Server , What is the version of windows server ? and you enable LDAP over SSL or not while configure ?

I implement same situation but not working for TLS 1.2 on LDAP

Re: Cisco ASA LDAP Authentification

nshchukin — Thu, 01 Feb 2018 08:38:20 GMT

I'm using Windows Server 2012 without enable LDAP over SSL.

Re: Cisco ASA LDAP Authentification

jewfcb001 — Thu, 01 Feb 2018 09:24:00 GMT

Hi nshchukin ,

On Windows server policy you enable LDAP TLS 1.2 or not ?

Re: Cisco ASA LDAP Authentification

nshchukin — Thu, 01 Feb 2018 17:31:41 GMT

I do not remember, since I set up the NAP for a long time. How can I check this?

Re: Cisco ASA LDAP Authentification

nshchukin — Thu, 19 Apr 2018 09:40:35 GMT

It was possible to solve the problem without using the Radius-server.

I added a line:

aaa authorization http console Cisco_ASA_Admins

Now access to ASDM is allowed only for the group Cisco_ASA_Admins.