cisco asa ldap auth

Benjamin Saito (Level 1)

I have a Cisco ASA 5515, and the user is very specific on how he wants it set up. He has an admin group and an enduser group created on his AD server. I created 2 connection profiles on the ASA for the SSL VPN, one for each group he created. I was able to set it up, using attribute maps, so that the admin group could only log into the admin connection profile and the enduser group could only log into the enduser connection profile. The only problem is he has users in the default "domain users" group on his server that can log into both connection profiles. From what I understand you can't use the memberOf attribute for the domain users group, so I can't restrict that group the same way I restricted the other groups. Anyone have any idea on how I can set this up? Thanks!

Accepted Solution

joe19366 (Level 1)

That solution worked for me!


username: michael = in active directory base group (CN=Users,DC=carolco,DC=int)

username: jennifer = in active directory OU carolco-Users

Michael could NOT login :)


aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
 ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
 server-type auto-detect


Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username jennifer password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
INFO: Authentication Successful


Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username michael password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified


Just make 2 aaa-server groups, one for each SSL VPN group to use, each set to the base DN that should contain ONLY the allowed users ;)


5 Replies

joe19366 (Level 1)

If you create two LDAP server AAA groups and set the base DN to the OU you're looking to match to the SSL VPN group, each SSL VPN has a different authentication server (even if it points to the same Active Directory DC IP).

Now, can the "domain users" login to these groups? :)

 

I have a few ideas - just going for the low hanging fruit first before I fire up the security lab ASAs :)


Benjamin Saito (Level 1)

Thanks for the help Joe, that worked for me. What we did was move all the VPN users into one big group and change the base DN on the ASA to use the new OU. The attribute map controls who is allowed to log into which connection profile.

Benjamin Saito (Level 1)

Well, I have the exact same issue again, but this time this solution isn't working. The reason is that the customer, who manages their own AD server, has a space in the base DN path. I have read in the documentation that spaces aren't allowed, but I see that the "Login DN" path has spaces in it and it works. Unfortunately I didn't set this up originally and I do not know who did, so I do not know how they set it up. This is what the login DN path looks like: CN=LDAP\, VPN,OU=BB Service Accounts,OU=BB,DC=us,DC=jet,DC=asad. Right now I have it set up so they can log in, but users that aren't supposed to have access can log in because the base DN isn't set correctly right now.

I can't seem to find any documentation on how to get this working with that space included in the base DN. Any help would be greatly appreciated.

Benjamin Saito (Level 1)

This is the error I am seeing when running debugging:


[109349] LDAP Search:
        Base DN = [CN=BBUsers,OU=Domain,OU=BB Groups,OU=BB,DC=us,DC=test,DC=jet]
        Filter  = [sAMAccountName=venosr]
        Scope   = [SUBTREE]
[109349] User venosr not found
[109349] Fiber exit Tx=376 bytes Rx=611 bytes, status=-1
[109349] Session End


I know for a fact he is in the group because I can see it as a memberOf attribute when he can connect.
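As an added illustration (not code from the thread or from Cisco), the Python below mirrors the two checks this thread turns on: how an ldap-base-dn with ldap-scope subtree limits which users a search can find (the accepted solution above), and how a DN with an escaped comma and spaces, such as the login DN quoted earlier, parses. It goes one step beyond the posts by showing that a subtree search rooted at a group's DN returns no members, since memberOf does not place a user's object under the group. The directory is constructed: jennifer's and michael's DNs follow the accepted solution, while venosr's object DN and group membership are assumed.

```python
def parse_dn(dn):
    """Split a DN into (type, value) RDNs. A backslash escapes the next
    character, so 'CN=LDAP\\, VPN' yields the single value 'LDAP, VPN'."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1]); i += 2
            continue
        if c == "=" and attr is None:          # end of the attribute type
            attr, buf = "".join(buf).strip(), []
        elif c == ",":                         # end of this RDN
            rdns.append((attr, "".join(buf).strip())); attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    rdns.append((attr, "".join(buf).strip()))
    return rdns

def _norm(dn):
    return [(a.lower(), v.lower()) for a, v in parse_dn(dn)]

def in_subtree(entry_dn, base_dn):
    """ldap-scope subtree: the entry's DN must end with the base DN."""
    e, b = _norm(entry_dn), _norm(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b

# Constructed directory. jennifer/michael follow the accepted solution;
# venosr's object DN and group membership are assumed for illustration.
DIRECTORY = {
    "CN=jennifer,OU=carolco-Users,DC=carolco,DC=int":
        {"sAMAccountName": "jennifer", "memberOf": []},
    "CN=michael,CN=Users,DC=carolco,DC=int":
        {"sAMAccountName": "michael", "memberOf": []},
    "CN=venosr,OU=BB Users,OU=BB,DC=us,DC=test,DC=jet":
        {"sAMAccountName": "venosr", "memberOf":
         ["CN=BBUsers,OU=Domain,OU=BB Groups,OU=BB,DC=us,DC=test,DC=jet"]},
}

def find_user(base_dn, sam):
    """Mirror the ASA search: Filter=[sAMAccountName=<sam>], Scope=[SUBTREE]."""
    return [dn for dn, a in DIRECTORY.items()
            if a["sAMAccountName"] == sam and in_subtree(dn, base_dn)]

def is_member(user_dn, group_dn):
    """memberOf lists the user's groups but does not place the user's DN
    under the group, so a subtree search rooted at the group finds nothing."""
    return any(_norm(g) == _norm(group_dn) for g in DIRECTORY[user_dn]["memberOf"])
```

Running find_user with the group DN from the debug output as the base returns nothing for venosr even though is_member is true, which is the same outcome the "User venosr not found" line reports.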
