08-27-2012 11:07 PM - edited 03-10-2019 07:28 PM
Hi,
I have set up an Identity Firewall on an ASA version 5.6 on a DMZ interface.
I have installed the ADAgent on a domain member Win2008 and configured it as follows:
aaa-server ADAGENT_SERVER protocol radius
ad-agent-mode
aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x key *****
I have configured the LDAP connection to the DC as follows:
aaa-server DOMAIN_SERVER protocol ldap
aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
ldap-base-dn DC=YYY,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn vvvvv
server-type microsoft
The identity config is as follows:
user-identity domain YYY aaa-server DOMAIN_SERVER
user-identity default-domain YYY
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server ADAGENT_SERVER
user-identity user-not-found enable
access-list 122 extended permit ip user YYY\ashdew any any
where ashdew is a domain user and ACL 122 (only one line) is applied on the DMZ interface and NAT is properly configured.
The ADagent has been properly tested and ASA can register to it.
The ASA can connect to AD DC controller and query user database.
I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the ASA does not seem to retrieve the user identity.
Do I need to add extra rules in access-list 122 to permit traffic to the DC?
Can I check on the AD Agent whether it can retrieve the user-to-IP mapping?
Thanks
Ashley
08-28-2012 01:43 AM
Hi Ashley,
You need to make sure the domain controller is configured appropriately, please follow the instructions mentioned here:
http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_install.html#wp1058066 (Configuring AD Agent to Obtain Information from AD Domain Controllers)
I suggest to first verify login events are generated in the security event log of the domain controller. In Windows 2008 you will need to see event with ID number 4768. If they are not, you will need to change the audit policy as described in the link above.
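The check suggested above, worked through as an added example (this is not code from the thread or from Cisco): run on the Windows 2008 domain controller, it first prints the audit setting for the Kerberos Authentication Service subcategory, then pulls recent event ID 4768 entries from the Security log and extracts the user name, domain, client address and result code that the AD Agent needs in order to build its user-to-IP mapping. The client IP and the one-hour window are placeholders; adjust them to the laptop being tested.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on the domain controller that the DMZ laptop authenticates against.
# Assumptions: $ClientIp is a placeholder for the laptop's DMZ address, and the
# one-hour lookback is arbitrary.

$ClientIp = '172.17.137.10'   # placeholder: the laptop's DMZ address
$Since    = (Get-Date).AddHours(-1)

# 1. Is the subcategory that produces event 4768 audited for Success?
#    "No Auditing" here means the AD Agent will never see a logon to map.
auditpol /get /subcategory:"Kerberos Authentication Service"

# 2. Pull recent 4768 (Kerberos TGT request) events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $Since } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4768 events since $Since. Fix the audit policy shown above, and confirm the client can actually reach this DC."
    return
}

# 3. Extract the fields the agent cares about from each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Windows logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:172.17.137.10");
    # strip the prefix so the address compares with what the ASA reports.
    $ip = $d['IpAddress'] -replace '^::ffff:', ''

    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        User   = $d['TargetUserName']
        Domain = $d['TargetDomainName']
        Ip     = $ip
        Status = $d['Status']   # 0x0 = TGT issued; anything else is a failed request
    }
}

# 4. Successful logons by user accounts (computer accounts end in '$'), then the laptop.
$rows | Where-Object { $_.Status -eq '0x0' -and $_.User -notlike '*$' } |
    Sort-Object Time | Format-Table Time, User, Domain, Ip -AutoSize

$rows | Where-Object { $_.Ip -eq $ClientIp } | Format-Table Time, User, Status -AutoSize
```

If the first command reports "No Auditing" or "Failure" only, enable Success auditing for that subcategory as described in the linked setup guide and log the laptop on again; if 4768 events do appear for the laptop's address with Status 0x0, the DC side is producing what the agent needs and the problem is between the agent and the DC (or between the ASA and the agent), not the audit policy.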
08-27-2012 11:33 PM
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity
When the domain controller doesn't see the authentication of the user, the ASA can never know that the user has a particular IP to allow the traffic. The Identity Firewall needs that domain login information to work.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2012 11:42 PM
Hi Karsten,
Thanks for the advice.
So do I need to allow flows from the laptop to the DC and DNS for authentication?
So my access-list should include at least the following, where 172.17.x.y is the DC:
access-list 122 extended permit ip user YYY\ashdew any any
access-list 122 extended permit ip 172.17.137.0 255.255.255.0 172.17.x.y
Is the sequencing ok? Or do I need to allow traffic to the DC first?
Thanks,
Ashley
08-28-2012 12:14 AM
To use the identity firewall the user needs to authenticate to the domain. So the user needs the right to reach a domain controller. This has to be configured with the IP addresses in the ACL. After the user authenticates, the AD Agent can see the successful login in the DC log and add the IP of the user to the mapping cache.
Depending on the systems you have in your DMZ, it could be the wrong way to do that. If a system in the DMZ gets compromised, it can attack your domain controller, so your DMZ is not really one.
In that situation, the usage of the old and unloved cut-through proxy could be the better way to achieve your goal.
08-28-2012 12:32 AM
Thanks Karsten,
Great, it's clear now. I know the DMZ seems a bit odd. Actually, the DMZ is only accessible through the AnyConnect VPN.
In the DMZ, we will have a citrix farm to access internal resources through identity management.
We are testing with a laptop in the first place.
Now that we have allowed access to AD in the ACL, the laptop authenticates to the domain, but then all connections are refused since the AD Agent is not retrieving the mapping.
Is there a way to check whether the AD Agent has properly retrieved the mapping? We suspect the problem is here.
We did a capture on the ASA and found that the ASA contacts the AD Agent when the user authenticates, but the AD Agent does not return any IP mapping. The ASA sees the user's IP as user-not-found.
Thanks again for your help,
Ashley
08-28-2012 12:03 AM
Hi,
Please note that our AD Agent user-to-IP mapping cache remains at 0, but the AD Agent DC list status is up on the ASA.
Thanks
Ashley