ASA - AAA server group to AD via LDAP

jlmickens
Level 1

Hope this is the right category for this issue...

I am trying to set up SSL VPN for my users with an ASA.  I am using a 5505 in my lab.  The VPN users will need to authenticate against the Active Directory.  I set up the AAA server using LDAP to a Microsoft server.  Everything works fine without any encryption.  If I try to use LDAP over SSL or use SASL MD5 authentication, it errors out on me.  I've spoken with the Active Directory admins in our company and they stated that SSL over port 636 does not work, but that TLS over port 389 does.  They have tested this with the Microsoft LDAP admin tool.

Is there an option for using LDAP over TLS?  I tried setting it to use SSL on port 389, but it didn't work.  Also, if I try to turn on the SASL MD5 authentication, the debug tells me that "another step is needed in authentication".

Debug output from trying to use MD5:

FWANLAB# test aaa-server authentication Buckeye-AD host 172.16.173.75 username...
INFO: Attempting Authentication test to IP address <172.16.173.75> (timeout: 10 seconds)
[-2147483630] Session Start
[-2147483630] New request Session, context 0xcce4a35c, reqType = Authentication
[-2147483630] Fiber started
[-2147483630] Creating LDAP context with uri=ldap://172.16.173.75:389
[-2147483630] Connect to LDAP server: ldap://172.16.173.75:389, status = Successful
[-2147483630] supportedLDAPVersion: value = 3
[-2147483630] supportedLDAPVersion: value = 2
[-2147483630] Binding as VPN LDAP
[-2147483630] Performing SASL authentication for VPN LDAP to 172.16.173.75
[-2147483630] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483630] hostname = 172.16.173.75
[-2147483630] SASL authentication start with mechanism DIGEST-MD5 for VPN LDAP
[-2147483630] getsimple:4002 [VPN LDAP]
[-2147483630] getsimple:4001 [VPN LDAP]
[-2147483630] getsecret: [***************]
[-2147483630] SASL step for VPN LDAP returned code (1) another step is needed in authentication
[-2147483630] SASL authentication for VPN LDAP with mechanism DIGEST-MD5 rejected
[-2147483630] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483630] Fiber exit Tx=632 bytes Rx=912 bytes, status=-2
[-2147483630] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
FWANLAB# test aaa-server authentication Buckeye-AD host 172.16.173.75 username$
INFO: Attempting Authentication test to IP address <172.16.173.75> (timeout: 10 seconds)

I haven't been able to find any information on this last issue.  I've tried various combinations with the two settings (SSL and MD5), but can't get either one to work.

The ASA 5505 is running Version 9.1(6)8.

Current config that works without encryption:

aaa-server Buckeye-AD protocol ldap
aaa-server Buckeye-AD (inside) host 172.16.173.75
 timeout 5
 server-port 389
 ldap-base-dn dc=buckeyehq, dc=com
 ldap-group-base-dn dc=buckeyehq, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPN LDAP,OU=Service Accounts,DC=buckeyehq,DC=com
 server-type microsoft

If anyone can point me in the right direction, I'd appreciate it.

3 Replies

ChristopherGDay
Level 1

Here is the solution....

#first create the AAA server group and select protocol LDAP; the name can be what you like

aaa-server LDAP-XXX-AD protocol ldap

#Second associate ldap maps to server

ldap attribute-map LDAP_memberOf_ServiceType

#Third Associate values to the ldap map - this is what determines which members will have access by linking to an AD group. memberOf is case specific and translates to what type of LDAP query is being made.

 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf memberOf CN=Group which should have access,OU=Network,OU=Security,OU=DOMAIN

#Fifth Create AAA server

aaa-server LDAP-SOS-AD (outside) host 'IP ADDRESS'

ldap-base-dn 'OU Where the users will reside' DC=XXX,DC=XXX,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password #Password for account which allows access to AD
ldap-login-dn #Username for account which allows access to AD
server-type microsoft
ldap-attribute-map LDAP_memberOf_ServiceType #LDAP Attribute name

#Seven enable AAA for SSH and enable

aaa authentication ssh console LDAP-XXX-AD LOCAL
aaa authentication enable console LDAP-XXX-AD LOCAL

I hope this helps. 

Thanks christophergday.  Unfortunately a little late.  I no longer have the lab ASA to validate the setup.  The company wound up purchasing some Pulse Secure gear.

Hi ChristopherGDay,

I have the same problem as

ldap attribute-map VPNUSERSGROUP
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf memberOf CN=VPNUSERS,OU=Multi-site,OU=Permissions,OU=Groups,OU=VMG,DC=ad,DC=mydomain,DC=com

aaa-server VMG_LDAP protocol ldap
aaa-server VMG_LDAP (VRFPrivate) host 192.168.110.11
 ldap-base-dn cn=Users,dc=ad,dc=mydomain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cvl-asa-5505-f1@ad.mydomain.com
 sasl-mechanism digest-md5
 server-type microsoft
 ldap-attribute-map VPNUSERSGROUP

group-policy ikev2-policy internal
group-policy ikev2-policy attributes
 vpn-tunnel-protocol ikev2
group-policy VPNUSERSPOLICY internal
group-policy VPNUSERSPOLICY attributes
 wins-server none
 dns-server value 192.168.110.11 192.168.110.6
 vpn-filter value VPNUSERS
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 default-domain value ad.mydomain.com

tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool VPNPOOL
 authentication-server-group VMG_LDAP
 default-group-policy VPNUSERSPOLICY
tunnel-group VPNUSERS webvpn-attributes
 group-alias VPNUSERS enable

If I remove the line "authentication-server-group VMG_LDAP" everything works perfectly (with a local user). But as soon as I add it, I can't authenticate. Here is the debug I get:

# test aaa-server authentication VMG_LDAP host 192.168.110.11 username CVL-ASA-5505-F1 password ********

INFO: Attempting Authentication test to IP address <192.168.110.11> (timeout: 12 seconds)
[-2147483609] Session Start
[-2147483609] New request Session, context 0xcea9b458, reqType = Authentication
[-2147483609] Fiber started
[-2147483609] Creating LDAP context with uri=ldap://192.168.110.11:389
[-2147483609] Connect to LDAP server: ldap://192.168.110.11:389, status = Successful
[-2147483609] supportedLDAPVersion: value = 3
[-2147483609] supportedLDAPVersion: value = 2
[-2147483609] Binding as cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] Performing SASL authentication for cvl-asa-5505-f1@ad.mydomain.com to 192.168.110.11
[-2147483609] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483609] hostname = 192.168.110.11
[-2147483609] SASL authentication start with mechanism DIGEST-MD5 for cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] getsimple:4002 [cvl-asa-5505-f1@ad.mydomain.com]
[-2147483609] getsimple:4001 [cvl-asa-5505-f1@ad.mydomain.com]
[-2147483609] getsecret: [**************]
[-2147483609] SASL step for cvl-asa-5505-f1@ad.mydomain.com returned code (1) another step is needed in authentication
[-2147483609] SASL authentication for cvl-asa-5505-f1@ad.mydomain.com with mechanism DIGEST-MD5 rejected
[-2147483609] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483609] Fiber exit Tx=638 bytes Rx=1003 bytes, status=-2
[-2147483609] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

Any idea?

Any help would be greatly appreciated.

Thanks
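As an added example (not code from any post in this thread), here is a small Python parser for the ASA `test aaa-server` debug output quoted in the first post and in the last reply: it pulls out the LDAP URI, the SASL mechanisms the server offered, the one the ASA tried, and where the bind failed, then lists what to check next. The sample input is a trimmed copy of the first post's output; the field names and the `diagnose` wording are assumptions of this example, not ASA output.

```python
import re
# Constructed sample: a trimmed copy of the "test aaa-server" debug output quoted
# in the first post of this thread (session id and address exactly as posted).
SAMPLE_DEBUG = """\
[-2147483630] Creating LDAP context with uri=ldap://172.16.173.75:389
[-2147483630] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483630] SASL authentication start with mechanism DIGEST-MD5 for VPN LDAP
[-2147483630] SASL authentication for VPN LDAP with mechanism DIGEST-MD5 rejected
[-2147483630] Failed to bind as administrator returned code (-1) Can't contact LDAP server
ERROR: Authentication Server not responding: AAA Server has been removed
"""
LINE_RE = re.compile(r"^\[(?P<sid>-?\d+)\]\s+(?P<msg>.*)$")
URI_RE = re.compile(r"uri=(?P<scheme>ldaps?)://[^:]+:(?P<port>\d+)")
SASL_RE = re.compile(r"SASL methods:\s*(?P<mechs>.+)$")
START_RE = re.compile(r"SASL authentication start with mechanism (?P<mech>\S+)")

def parse_asa_ldap_debug(text):
    # Reduce one ASA LDAP authentication-test session to the facts that matter.
    s = {"session": None, "scheme": None, "port": None, "offered_sasl": [],
         "attempted_sasl": None, "sasl_rejected": False, "bind_failed": False,
         "server_removed": False}
    for raw in text.splitlines():
        s["server_removed"] |= raw.startswith("ERROR:") and "removed" in raw
        m = LINE_RE.match(raw)
        if not m:
            continue                      # INFO/ERROR lines carry no session id
        s["session"], msg = m.group("sid"), m.group("msg")
        if u := URI_RE.search(msg):       # ldap:// vs ldaps:// shows whether TLS is in play
            s["scheme"], s["port"] = u.group("scheme"), int(u.group("port"))
        elif sm := SASL_RE.search(msg):
            s["offered_sasl"] = sm.group("mechs").split()
        elif st := START_RE.search(msg):
            s["attempted_sasl"] = st.group("mech")
        elif msg.startswith("SASL authentication") and msg.endswith("rejected"):
            s["sasl_rejected"] = True
        elif msg.startswith("Failed to bind"):
            s["bind_failed"] = True       # the service-account bind, not the user's
    return s

def diagnose(s):
    # Turn the parsed session into the next things to check (wording is this example's own).
    notes = []
    if s["scheme"] == "ldap" and s["attempted_sasl"] is None:
        notes.append("no SASL mechanism negotiated over ldap:// on port %d: a simple bind would send the service-account credentials in clear" % s["port"])
    if s["sasl_rejected"]:
        notes.append("%s bind rejected mid-exchange; server offered: %s" % (s["attempted_sasl"], " ".join(s["offered_sasl"])))
    if s["bind_failed"]:
        notes.append("service-account bind failed, so no user lookup was attempted")
    return notes
```

Run it as `diagnose(parse_asa_ldap_debug(SAMPLE_DEBUG))` to get the two findings for the posted session; the "Can't contact LDAP server" text is the ASA giving up after the rejected SASL bind, not a network failure, which is why the summary keys on the rejection line instead.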
