The security appliance supports Lightweight Directory Access Protocol (LDAP) Version 3. In the current release, it is compatible only with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and Microsoft Active Directory. Later releases also support OpenLDAP servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP directory server. But, if auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft or Sun server, you can manually configure the server type.
Complete these steps in order to configure authentication for VPN clients with LDAP directory server:
Configure the ASA for LDAP authentication. This example defines the LDAP directory server ldap_dir_1 and sets its type to Sun Microsystems:

hostname(config)#aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)#aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)#server-type sun
Set up authorization for VPN access. When the LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server, which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, the use of LDAP accomplishes authentication and authorization in a single step. There can be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate server for authentication, no authorization information is passed back. For user authorizations in this case, you can query an LDAP directory after successful authentication, and accomplish authentication and authorization in two steps.
In order to set up VPN user authorization with LDAP, you must first create an AAA server group and a tunnel group. You then associate the server group with the tunnel group under the tunnel-group general-attributes command. While there are other authorization-related commands and options available for specific requirements, this procedure shows only the fundamental commands needed to enable user authorization with LDAP. It creates an IPsec remote access tunnel group named remote-1 and assigns the previously created ldap_dir_1 AAA server group to that tunnel group for authorization.
After you complete this fundamental configuration work, you can configure additional LDAP authorization parameters such as a directory password, a starting point for searching a directory, and the scope of a directory search:
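The following configuration is an added example that is not part of the original page; it ties together the authentication server from step 1, the authorization tunnel group from step 2, and the additional LDAP parameters named in step 3. The server-group name ldap_dir_1, the host 10.1.1.4 and the tunnel group remote-1 come from the procedure above; the base DN, login DN, bind password and directory layout under dc=example,dc=com are assumed placeholders.

```cisco
! Added example, not from the original page. ldap_dir_1, 10.1.1.4 and remote-1
! are from the procedure above; every DN below and the bind password are assumed.
aaa-server ldap_dir_1 protocol ldap
aaa-server ldap_dir_1 host 10.1.1.4
 server-type sun
 !
 ! Bind over TLS on 636. A plain-text bind on 389 exposes the login-dn
 ! password and every VPN user's password to anyone on the path between
 ! the ASA and the directory.
 ldap-over-ssl enable
 server-port 636
 !
 ! Directory password and account the ASA binds with to search the tree.
 ! Use a dedicated read-only service account (least privilege): it only
 ! needs read access below ldap-base-dn, never write or admin rights.
 ldap-login-dn cn=asa-bind,ou=services,dc=example,dc=com
 ldap-login-password <bind-password>
 !
 ! Starting point for the search and how deep it goes (onelevel or subtree).
 ldap-base-dn ou=people,dc=example,dc=com
 ldap-scope subtree
 !
 ! Attribute the VPN username is matched against:
 ! uid on Sun/OpenLDAP, sAMAccountName on Active Directory.
 ldap-naming-attribute uid
!
! Tunnel group that uses ldap_dir_1 for authorization. (Newer releases
! accept "type remote-access" in place of "type ipsec-ra".)
tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 ! authentication-server-group names whatever authenticates the user; it may
 ! be ldap_dir_1 itself (one-step) or an SDI/certificate mechanism (two-step).
 authentication-server-group ldap_dir_1
 ! After authentication succeeds the ASA queries ldap_dir_1 for the user's
 ! attributes and applies them to the session.
 authorization-server-group ldap_dir_1
 ! Reject the session if the LDAP lookup finds no record for the user, rather
 ! than falling through with default (possibly more permissive) group policy.
 authorization-required
```

To check the result without bringing up a client, run show aaa-server ldap_dir_1 to confirm the host is reachable and bound over port 636, then test aaa-server authentication ldap_dir_1 host 10.1.1.4 username <user> password <password> against a test account; a bind failure or a search that returns no entry will show up there before any VPN user hits it.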