
Cisco ASA LDAP Authentication

nshchukin
Level 1

Hello!
I'd like to configure access for Cisco ASA administration for a specific domain group. To this end, I indicated that only members of the "Cisco ASA Admins" group can log in through the SSH or ASDM to the firewall.
But during testing I found out that any member of the domain can log in with privileged rights to Cisco ASA. Tell me, please, where is the error?

ldap attribute-map Cisco_ASA_Admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf memberOf "CN=Cisco ASA Admins,OU=Services Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=local"
aaa-server Cisco_ASA_Admins protocol ldap
aaa-server Cisco_ASA_Admins (Servers) host y.y.y.y
 ldap-base-dn DC=XXX,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco.srv.account,OU=Services Accounts,OU=Users,OU=XXX,DC=XXX,DC=local
 server-type microsoft
 ldap-attribute-map Cisco_ASA_Admins
user-identity default-domain LOCAL
aaa authentication enable console Cisco_ASA_Admins LOCAL
aaa authentication http console Cisco_ASA_Admins LOCAL
aaa authentication ssh console Cisco_ASA_Admins LOCAL
aaa authorization command LOCAL
8 Replies

Bogdan Nita
VIP Alumni

As far as I know the ldap attribute-map can be used only for restricting VPN access and not for management access to the ASA.

HTH

Bogdan

Thanks for the answer.

How can I setup access to the ASA based on membership in the domain security group?

You can use radius. You could activate the Network Policy and Access Services role on your DC.

You can then configure a policy to permit the desired groups to access the ASA.

http://nil.uniza.sk/windows/windows-2016-server/asa-aaa-authentication-against-windows-2016-server-ad

jewfcb001
Level 4

Hi nshchukin,

 

LDAP server: what is the version of Windows Server? And did you enable LDAP over SSL or not while configuring?

I implemented the same situation but it is not working for TLS 1.2 on LDAP.

I'm using Windows Server 2012 without enable LDAP over SSL.

Hi nshchukin,

 

On the Windows Server policy, did you enable LDAP TLS 1.2 or not?

I do not remember, since I set up the NAP a long time ago. How can I check this?

nshchukin
Level 1

It was possible to solve the problem without using the RADIUS server.

I added a line:

aaa authorization http console Cisco_ASA_Admins


Now access to ASDM is allowed only for the group Cisco_ASA_Admins.
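Added example (Python, not ASA code and not from anyone in the thread): a toy model of why the "aaa authentication ... console" lines alone admit every domain account, and why the attribute map only matters once an "aaa authorization ... console" line makes the ASA consult the mapped attribute. It reuses the thread's attribute map with one change: the map-value maps the group DN to Service-Type 6 (Administrative in RFC 2865), which is what an IETF-Radius-Service-Type mapping is expected to produce, instead of the word memberOf. The directory entries, passwords and the rule that an account with no mapped value is denied are constructed assumptions for the model.

```python
# Added illustration, not ASA code: a small model of the two checks the
# thread is about.  Assumptions are marked in comments.
import re

# Attribute map in the thread's own syntax.  In the original post the
# map-value named "memberOf" where the target value belongs; here the group
# DN is mapped to IETF Service-Type 6, "Administrative" in RFC 2865.
ADMIN_GROUP_DN = ("CN=Cisco ASA Admins,OU=Services Security Groups,"
                  "OU=Groups,OU=XXX,DC=XXX,DC=local")
ATTRIBUTE_MAP_TEXT = f"""
ldap attribute-map Cisco_ASA_Admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "{ADMIN_GROUP_DN}" 6
"""
SERVICE_TYPE_ADMINISTRATIVE = "6"   # RFC 2865 Service-Type "Administrative"


def parse_attribute_map(text):
    """Parse map-name / map-value lines into two lookup tables."""
    names, values = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'map-name\s+(\S+)\s+(\S+)$', line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        m = re.match(r'map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)$', line)
        if m:
            values[(m.group(1), m.group(2))] = m.group(3)
    return names, values


# Constructed directory: two valid accounts, only one in the admin group.
DIRECTORY = {
    "alice": {"password": "alice-pw",
              "memberOf": [ADMIN_GROUP_DN,
                           "CN=Domain Users,CN=Users,DC=XXX,DC=local"]},
    "bob":   {"password": "bob-pw",
              "memberOf": ["CN=Domain Users,CN=Users,DC=XXX,DC=local"]},
}


def ldap_bind(user, password):
    """Stand-in for the LDAP bind: returns the entry if the password is right."""
    entry = DIRECTORY.get(user)
    if entry is None or entry["password"] != password:
        return None
    return entry


def apply_attribute_map(entry, names, values):
    """Translate the entry's LDAP attributes into RADIUS-style attributes."""
    out = {}
    for ldap_attr, radius_attr in names.items():
        for value in entry.get(ldap_attr, []):
            mapped = values.get((ldap_attr, value))
            if mapped is not None:
                out[radius_attr] = mapped
    return out


def management_login(user, password, authorization_enabled):
    """Model of the ASA decision.

    authorization_enabled=False: only 'aaa authentication ... console'
    applies, so any account that binds successfully is let in (the symptom
    reported in the thread).
    authorization_enabled=True: 'aaa authorization ... console' also requires
    the mapped Service-Type to be Administrative (modelling assumption: an
    account with no mapped value is denied).
    """
    entry = ldap_bind(user, password)
    if entry is None:
        return "denied: bad credentials"
    if not authorization_enabled:
        return "allowed"
    names, values = parse_attribute_map(ATTRIBUTE_MAP_TEXT)
    radius_attrs = apply_attribute_map(entry, names, values)
    if radius_attrs.get("IETF-Radius-Service-Type") == SERVICE_TYPE_ADMINISTRATIVE:
        return "allowed"
    return "denied: not authorized"


if __name__ == "__main__":
    for who, pw in (("bob", "bob-pw"), ("alice", "alice-pw")):
        print(who, "auth only:", management_login(who, pw, False),
              "| with authorization:", management_login(who, pw, True))
```

The model makes the thread's point visible: bob, who is a valid domain account outside the group, is admitted when only authentication is configured and denied once authorization is enforced. The line added in the last post covers the http console (ASDM) only; the ssh console listed in the first post stays authentication-only until the corresponding exec authorization (aaa authorization exec authentication-server) is enabled, so both paths should be tested separately.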
