Last edited by yanzha4 on 2015-6-16 14:46. The ASA can integrate with an AD domain controller over the LDAP protocol to authenticate users. Today we configure LDAP authentication for AnyConnect users. The configuration uses ASDM 7.3 and ASA 9.2(1); AD runs on Windows 2008 R2 Enterprise.
1. Configure the LDAP server
Configuration --- Remote Access VPN --- AAA/Local Users --- AAA Server Groups --- click Add; see figures 1, 2 and 3.
2. Click the second Add to create an AAA server. A few points need attention:
2.1 On ASA 9.2(1) the Login DN is configured differently from the example in the official documentation; following the official documentation produces an error.
The Login DN must be entered in the form: ciscosmb\administrator
2.2 The Login DN user must be an account with the highest privileges. In this example, administrator is a member of the Domain Admins group.
3. After the configuration is complete, click Test.
4. For the AnyConnect VPN configuration, note that the memberOf attribute is used so that the ASA can locate the corresponding user information on the AD domain controller; this lets you apply separate policies to users in different OUs, which is very convenient.
5. Test: create an OU named dep1 and move user1 into dep1.
6. The main part of the ASA configuration:
ASA Version 9.2(1)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool vpnpool 192.168.0.100-192.168.1.200
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
ftp mode passive
access-list split extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 23
mtu outside 1500
ldap attribute-map group-to-policy
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=group1,OU=dep1,DC=ciscosmb,DC=com group1
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.100
 ldap-base-dn dc=ciscosmb,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ciscosmb\administrator
 server-type microsoft
 ldap-attribute-map group-to-policy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
group-policy group1 internal
group-policy group1 attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-network-list value split
 address-pools value vpnpool
username admin password f3UhLvUj1QsXsuK7 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP
!
7. Log in as user1 and as test1 to test.
8. If there are problems, run debug ldap 225 on the ASA. Below is the debug output for a successful authentication.
asa# debug ldap 225
debug ldap enabled at level 225
asa#
asa#
asa# test aaa-server authentication LDAP host 10.1.1.100
Username: test
Password: ********
INFO: Attempting Authentication test to IP address <10.1.1.100> (timeout: 12 seconds)
[-2147483644] Session Start
[-2147483644] New request Session, context 0x00007fff68be6dc8, reqType = Authentication
[-2147483644] Fiber started
[-2147483644] Creating LDAP context with uri=ldap://10.1.1.100:389
[-2147483644] Connect to LDAP server: ldap://10.1.1.100:389, status = Successful
[-2147483644] supportedLDAPVersion: value = 3
[-2147483644] supportedLDAPVersion: value = 2
[-2147483644] Binding as ciscosmb\administrator
[-2147483644] Performing Simple authentication for ciscosmb\administrator to 10.1.1.100
[-2147483644] LDAP Search:
Base DN = [dc=ciscosmb,dc=com]
Filter = [sAMAccountName=user1]
Scope = [SUBTREE]
[-2147483644] User DN = [CN=user1,OU=dep1,DC=ciscosmb,DC=com]
[-2147483644] Talking to Active Directory server 10.1.1.100
[-2147483644] Reading password policy for user1, dn:CN=user1,OU=dep1,DC=ciscosmb,DC=com
[-2147483644] Read bad password count 0
[-2147483644] Binding as user1
[-2147483644] Performing Simple authentication for user1 to 10.1.1.100
[-2147483644] Processing LDAP response for user user1
[-2147483644] Message (user1):
[-2147483644] Authentication successful for user1 to 10.1.1.100
[-2147483644] Retrieved User Attributes:
[-2147483644] objectClass: value = top
INFO: Authentication Successful
asa# [-2147483644] objectClass: value = person
[-2147483644] objectClass: value = organizationalPerson
[-2147483644] objectClass: value = user
[-2147483644] cn: value = user1
[-2147483644] givenName: value = user1
[-2147483644] distinguishedName: value = CN=user1,OU=dep1,DC=ciscosmb,DC=com
[-2147483644] instanceType: value = 4
[-2147483644] whenCreated: value = 20150513074257.0Z
[-2147483644] whenChanged: value = 20150513074534.0Z
[-2147483644] displayName: value = user1
[-2147483644] uSNCreated: value = 16435
[-2147483644] memberOf: value = CN=group1,OU=dep1,DC=ciscosmb,DC=com
[-2147483644] uSNChanged: value = 16449
[-2147483644] name: value = user1
[-2147483644] objectGUID: value = .J..a..I.pZ....W
[-2147483644] userAccountControl: value = 512
[-2147483644] badPwdCount: value = 0
[-2147483644] codePage: value = 0
[-2147483644] countryCode: value = 0
[-2147483644] badPasswordTime: value = 0
[-2147483644] lastLogoff: value = 0
[-2147483644] lastLogon: value = 0
[-2147483644] pwdLastSet: value = 130759765780582343
[-2147483644] primaryGroupID: value = 513
[-2147483644] objectSid: value = ............WwH.........T...
[-2147483644] accountExpires: value = 9223372036854775807
[-2147483644] logonCount: value = 0
[-2147483644] sAMAccountName: value = user1
[-2147483644] sAMAccountType: value = 805306368
[-2147483644] userPrincipalName: value = user1@ciscosmb.com
[-2147483644] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=ciscosmb,DC=com
[-2147483644] dSCorePropagationData: value = 16010101000000.0Z
[-2147483644] lastLogonTimestamp: value = 130759767348229096
[-2147483644] Fiber exit Tx=510 bytes Rx=2444 bytes, status=1
[-2147483644] Session End
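A small troubleshooting aid, added here as an example and not part of the original post: it reads the map-value memberOf lines from the attribute map and the "memberOf: value =" lines from a debug ldap 225 trace, then reports whether the user's groups hit a map-value exactly or only after case and whitespace normalisation (a typical reason for a user landing in the default group-policy instead of group1). The config and trace lines are constructed samples, and the normalisation rule is an assumption of this script, not the ASA's own comparison logic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the attribute map from the post's ASA config plus a
# hypothetical second map-value, so two policies are in play.
CONFIG = """\
ldap attribute-map group-to-policy
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=group1,OU=dep1,DC=ciscosmb,DC=com group1
 map-value memberOf CN=group2,OU=dep2,DC=ciscosmb,DC=com group2
"""

# Constructed sample lines in the format printed by 'debug ldap 225' for a
# hypothetical user2 whose AD group DN differs from the map-value in case/spacing.
TRACE_USER2 = """\
[-2147483645] memberOf: value = CN=Group2, OU=dep2, DC=ciscosmb, DC=com
[-2147483645] memberOf: value = CN=other,OU=dep3,DC=ciscosmb,DC=com
"""

# A map-value DN containing spaces is quoted in ASA syntax; accept both forms.
MAP_VALUE_RE = re.compile(r'map-value memberOf ("[^"]+"|\S+) (\S+)$')

def parse_attribute_map(config: str) -> Dict[str, str]:
    """Return {group DN: group-policy} from every map-value memberOf line."""
    mapping: Dict[str, str] = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line.strip())
        if m:
            mapping[m.group(1).strip('"')] = m.group(2)
    return mapping

def parse_memberof(trace: str) -> List[str]:
    """Collect memberOf values in the order the ASA printed them."""
    return [m.group(1).strip() for m in re.finditer(r"memberOf: value = (.+)", trace)]

def normalise(dn: str) -> str:
    # Assumption: DNs compared ignoring case and whitespace after commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def resolve_policy(mapping: Dict[str, str], groups: List[str]) -> Tuple[Optional[str], str]:
    """Policy for the first memberOf value that hits the map. 'exact' = byte-for-byte
    match with a map-value; 'normalised' = matches only after normalise(), so the AD
    group DN and the map-value should be made identical; 'none' = no hit."""
    for g in groups:
        if g in mapping:
            return mapping[g], "exact"
    loose = {normalise(k): v for k, v in mapping.items()}
    for g in groups:
        if normalise(g) in loose:
            return loose[normalise(g)], "normalised"
    return None, "none"
```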