04-19-2010 07:54 AM - edited 03-11-2019 10:34 AM
Hi There,
I actually require users who are coming from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my firewall ASA 5510:
access-list PublicVLAN_authentication remark Authenticate user from Hotspot (VLAN3) before allowing HTTP traffic
access-list PublicVLAN_authentication extended permit tcp 192.168.12.0 255.255.255.0 any eq www
aaa authentication match PublicVLAN_authentication PublicVLAN LDAP_HOTSPOT
aaa-server LDAP_HOTSPOT protocol ldap
aaa-server LDAP_HOTSPOT (inside) host XXXXXX
ldap-base-dn CN=Users, DC=XXXX,DC=XXX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password xxxx
ldap-login-dn CN=xxxx,CN=Users,DC=xxxxx,DC=xxxxx
server-type microsoft
This is working correctly and I can authenticate all users in my domain.
Now I've created a new LDAP Group named http_authorized_users and I've associated users who are permitted to surf the web to it.
How can I specify to authenticate just users member of a specific LDAP group?
As you can see in the image I have my group and I've associated the user TestInterno to it, but how can I modify my LDAP_HOTSPOT to authenticate just users who are members of the http_authorized_users group (in the example below just the user TestInterno is associated to the group)?
If this is not possible with LDAP, which other solution could I use to do this?
Thanks a lot!
Sergio
04-20-2010 09:23 AM
Sergio, try changing the ldap-base-dn to the http_authorized_users group:
ldap-base-dn CN=http_authorized_users,CN=Users,DC=XXXX,DC=XXX
See if that works.
Dmitry.
04-20-2010 10:54 PM
Hi Dmitry,
It was the first thing I tried, but unfortunately it didn't work. As seen in my configuration, I search for the username in the attribute sAMAccountName, and in the group the users are part of the member attribute...
I also tried to change the Attribute Name to "member" but it didn't work, probably because it can't search between multiple users inside member, and it also needs to "take" the right one and authenticate it...
Debugging with
debug ldap 255
Result:
[1879] Session Start
[1879] New request Session, context 0xd7ec6560, reqType = Authentication
[1879] Fiber started
[1879] Creating LDAP context with uri=ldap://192.168.1.70:389
[1879] Connect to LDAP server: ldap://192.168.1.70:389, status = Successful
[1879] supportedLDAPVersion: value = 3
[1879] supportedLDAPVersion: value = 2
[1879] Binding as FirewallSSL
[1879] Performing Simple authentication for XXXXXXX to 192.168.1.70
[1879] LDAP Search:
Base DN = [CN=Users,DC=xxxx,DC=xxx]
Filter = [sAMAccountName=testinterno]
Scope = [SUBTREE]
[1879] User DN = [CN=TestInterno,CN=Users,DC=xxxx,DC=xxxx]
[1879] Talking to Active Directory server 192.168.1.70
[1879] Reading password policy for testinterno, dn:CN=TestInterno,CN=Users,DC=xxx,DC=xxxx
[1879] Read bad password count 0
[1879] Binding as testinterno
[1879] Performing Simple authentication for testinterno to 192.168.1.70
[1879] Processing LDAP response for user testinterno
[1879] Message (testinterno):
[1879] Authentication successful for testinterno to 192.168.1.70
[1879] Retrieved User Attributes:
[1879] objectClass: value = top
[1879] objectClass: value = person
[1879] objectClass: value = organizationalPerson
[1879] objectClass: value = user
[1879] cn: value = TestInterno
[1879] description: value = Per test Anyconnect - da cancellare
[1879] givenName: value = TestInterno
[1879] distinguishedName: value = CN=TestInterno,CN=Users,DC=xxx,DC=xxx
[1879] instanceType: value = 4
[1879] whenCreated: value = 20100413124838.0Z
[1879] whenChanged: value = 20100413124853.0Z
[1879] displayName: value = TestInterno
[1879] uSNCreated: value = 25123467
[1879] memberOf: value = CN=http_authorized_users,CN=Users,DC=xxxx,DC=xxxx
[1879] memberOf: value = CN=AnyconnectInterni,CN=Users,DC=xxxxx,DC=xxxx
[1879] uSNChanged: value = 25123477
[1879] name: value = TestInterno
[1879] objectGUID: value = .am SVZF..@8.*..
[1879] userAccountControl: value = 66048
[1879] badPwdCount: value = 0
[1879] codePage: value = 0
[1879] countryCode: value = 0
[1879] badPasswordTime: value = 129161569854641952
[1879] lastLogoff: value = 0
[1879] lastLogon: value = 129161570079951568
[1879] pwdLastSet: value = 129156365187480989
[1879] primaryGroupID: value = 513
[1879] objectSid: value = ............qO.H.!N.........
[1879] accountExpires: value = 9223372036854775807
[1879] logonCount: value = 0
[1879] sAMAccountName: value = TestInterno
[1879] sAMAccountType: value = 805306368
[1879] userPrincipalName: value = TestInterno@xxxxx.xxx
[1879] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxx,DC=xxx
[1879] Fiber exit Tx=542 bytes Rx=2258 bytes, status=1
[1879] Session End
I see that the LDAP server returns all the attributes I should need, but I don't know how to configure it properly!
As you see, authentication is successful (for all the users), but what's the way to authenticate just users who are members of http_authorized_users?
04-21-2010 07:56 AM
I found this blog entry that may help things -
http://www.staticnat.com/WP/2007/08/10/asa-ldap-auth-the-nice-and-easy-way/
See if there is any info that may help.
04-21-2010 11:33 PM
Hi,
Thanks for the reply. Unfortunately, on the website you mentioned there is nothing on LDAP groups, just on LDAP authentication via ASA...
Any others?
04-22-2010 07:26 AM
Sergio, try this link -
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
It explains how to set up a mapping to a specific LDAP attribute, and deals with users in different groups.
See if that document helps.
04-22-2010 07:35 AM
Yes, I've used this procedure to bind the LDAP group to a specific group policy for the SSL VPN and, as I've understood it, this works only for VPN...
How can I bind a group policy to my authentication rule? I think it is not possible, but surely there is another way to do what I need, no?
04-22-2010 07:45 AM
What about RADIUS? You can set up Radius on a MS Windows server.
09-01-2010 08:48 PM
Did you ever get a solution to this issue? We are running into a similar situation. We only allow users of a very specific group to come into VPN. Our method so far is as follows. If someone has run across a better method, please let me know; this feels a little awkward.
Our IPsec policy defaults users to a group policy that does not allow IPsec, or any tunnel protocols, but during the IPsec auth process we catch the auth with an LDAP attribute map. This map changes the group policy of the given user to a policy that allows IPsec.
In essence, users will be denied access unless the LDAP attribute matches. This method does work for us, but there has to be a better, cleaner way.
Thank you,
Tim
09-14-2010 07:50 AM
I also use an LDAP attribute map. In my case, the LDAP attribute map matches to a group policy, and that group policy maps to an assigned address pool. So, if you were a defined user in an undefined group, you would not receive an IP address from the concentrator. This lets me use a single attribute map for a large number of different groups. Quick example:
aaa-server user-LDAP (outside) host x.x.x.x
ldap-attribute-map User2LDAP
ldap attribute-map User2LDAP
map-name ********** IETF-Radius-Class
map-value ********** "cn=XXXXXXXXXX" ABC_User
map-value ********** "cn=XXXXXXXXXX" DEF_User
group-policy ABC_User internal
group-policy ABC_User attributes
address-pools value ABC-User-Pool
group-policy DEF_User internal
group-policy DEF_User attributes
address-pools value DEF-User-Pool
09-22-2010 04:44 AM
Hello,
Any updates regarding this issue? I have read several documents about the LDAP attributes. Most of them map the AD/LDAP attribute memberOf to the ASA attribute CVPN3000-Radius-IETF-Class. However, this attribute cannot be found in 8.3, and neither can IETF-Radius-Class.
Thanks,
Jim.
11-23-2010 07:27 AM
Hi Jim,
Although IETF-Radius-Class cannot be found in ASDM, you can use it through the CLI:
ciscoasa(config)# ldap attribute-map grp_SSL
ciscoasa(config-ldap-attribute-map)# map-name memberOf ?
ldap mode commands/options:
cisco-attribute-names:
Access-Hours
Allow-Network-Extension-Mode
...
IE-Proxy-Method
IE-Proxy-Server
IETF-Radius-Class
IETF-Radius-Filter-Id
Lionel
05-31-2011 10:21 AM
aaa-server LDAP (inside) host domaincontroller.yourplace.com
ldap-base-dn DC=yourplace,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn LDAPaccountname@yourplace.com
server-type microsoft
ldap-attribute-map SSLLoginName
ldap attribute-map SSLLoginName
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPNGROUPNAME,OU=level2,OU=Level1,DC=yourplace,DC=com accesspolicyname
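The two attribute-map posts above (the User2LDAP example and the SSLLoginName one) describe the same mechanism: memberOf values are mapped to IETF-Radius-Class, which selects a group-policy, and anyone whose groups match nothing falls back to a default policy that grants no access. The following is an added example, not Cisco's code or anything from this thread: a small Python simulation that parses map-value lines in the ASA syntax shown above and the "Retrieved User Attributes" lines of the debug ldap 255 output, then resolves which group-policy a user would land in. The config fragment, debug excerpt, DNs and policy names are constructed; case-insensitive DN comparison and first-match-in-config-order are this simulation's assumptions, not documented ASA behaviour.

```python
import re

# Constructed ASA attribute-map fragment in the syntax used in the thread.
ASA_MAP_CONFIG = """
ldap attribute-map User2LDAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=http_authorized_users,CN=Users,DC=example,DC=com" HTTP_Allowed
 map-value memberOf CN=AnyconnectInterni,CN=Users,DC=example,DC=com VPN_Allowed
"""

# Constructed excerpt of 'debug ldap 255' output (retrieved user attributes).
DEBUG_LDAP = """
[1879] memberOf: value = CN=http_authorized_users,CN=Users,DC=example,DC=com
[1879] memberOf: value = CN=AnyconnectInterni,CN=Users,DC=example,DC=com
[1879] sAMAccountName: value = TestInterno
"""

# map-value <ldap-attr> <ldap-value, optionally quoted> <group-policy>
MAP_VALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+"?(.+?)"?\s+(\S+)\s*$')
# [id] <attribute>: value = <value>
ATTR_RE = re.compile(r'^\[\d+\]\s+(\w+): value = (.*)$')


def parse_attribute_map(config):
    """Return {ldap_attr: [(ldap_value, group_policy), ...]} in config order."""
    amap = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line)
        if m:
            attr, ldap_value, policy = m.groups()
            amap.setdefault(attr, []).append((ldap_value, policy))
    return amap


def parse_debug_attrs(debug_output):
    """Return {attribute: [values]} from debug ldap attribute lines; other lines are ignored."""
    attrs = {}
    for line in debug_output.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def resolve_group_policy(attrs, amap, default_policy="NoTunnel"):
    """First map-value whose DN matches one of the user's values wins (assumption);
    a user matching nothing gets the default policy, which in the scheme above denies access."""
    for attr, mappings in amap.items():
        user_values = {v.lower() for v in attrs.get(attr, [])}  # assumption: DNs compared case-insensitively
        for ldap_value, policy in mappings:
            if ldap_value.lower() in user_values:
                return policy
    return default_policy


if __name__ == "__main__":
    print(resolve_group_policy(parse_debug_attrs(DEBUG_LDAP), parse_attribute_map(ASA_MAP_CONFIG)))
```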