Core issue
The security appliance supports Lightweight Directory Access Protocol (LDAP) Version 3. In the current release, it is compatible only with the Sun Microsystems JAVA System Directory Server (which is formerly named the Sun ONE Directory Server) and the Microsoft Active Directory. In later releases, the security appliance supports other OpenLDAP servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP directory server. If auto-detection fails to determine the LDAP server type and you know the server is either a Microsoft or a Sun server, you can configure the server type manually.
Resolution
Complete these steps in order to configure authentication for VPN clients with LDAP directory server:
- Configure ASA for LDAP authentication. This example sets the LDAP directory server (ldap_dir_1) to the Sun Microsystems type:
hostname(config)#aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)#aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)#server-type sun
- Set up authorization for VPN access. When the LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server, which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, the use of LDAP accomplishes authentication and authorization in a single step.
There can be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate server for authentication, no authorization information is passed back. For user authorizations in this case, you can query an LDAP directory after successful authentication, and accomplish authentication and authorization in two steps.
In order to set up VPN user authorization with LDAP, you must first create an AAA server group and a tunnel group. You then associate the server group with the tunnel group by using the tunnel-group general-attributes command. While there are other authorization-related commands and options available for specific requirements, this example shows the fundamental commands to enable user authorization with LDAP. This example creates an IPsec remote access tunnel group named remote-1 and assigns that new tunnel group to the previously created ldap_dir_1 AAA server group for authorization.
hostname(config)#tunnel-group remote-1 type ipsec-ra
hostname(config)#tunnel-group remote-1 general-attributes
hostname(config-general)#authorization-server-group ldap_dir_1
After you complete this fundamental configuration work, you can configure additional LDAP authorization parameters such as a directory password, a starting point for searching a directory, and the scope of a directory search:
hostname(config)#aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)#aaa-server ldap_dir_1 host x.x.x.x
hostname(config-aaa-server-host)#ldap-login-dn cn=binduser,dc=example,dc=com
hostname(config-aaa-server-host)#ldap-login-password obscurepassword
hostname(config-aaa-server-host)#ldap-base-dn starthere
hostname(config-aaa-server-host)#ldap-scope subtree
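The following script is an added example, not Cisco's code or part of the original note. It reads a running-config style excerpt (sub-mode lines indented by one space, as show running-config prints them), pulls out the aaa-server and tunnel-group stanzas described above, and reports the checks a reviewer would make before relying on the setup: that every authorization-server-group points at a defined LDAP server group, that server-type, ldap-base-dn and ldap-login-dn are set, that the login DN actually looks like a distinguished name, and that a login DN is not configured without its ldap-login-password. The SAMPLE_CONFIG text, its addresses, DNs and password are constructed placeholders.

```python
"""Sanity-check the LDAP AAA and tunnel-group pieces of an ASA running-config.

Added example, not Cisco's code. It parses the ``aaa-server`` and
``tunnel-group`` stanzas from a ``show running-config`` style excerpt
(sub-mode lines indented by one space) and reports the checks a reviewer
would make before trusting LDAP for VPN authorization.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of the note; the addresses, DNs and
# password are placeholders, not values from any real deployment.
SAMPLE_CONFIG = """\
aaa-server ldap_dir_1 protocol ldap
aaa-server ldap_dir_1 host 10.1.1.4
 server-type sun
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password obscurepassword
aaa-server ldap_dir_2 protocol ldap
aaa-server ldap_dir_2 host 10.1.1.5
 ldap-login-dn obscurepassword
 ldap-scope onelevel
tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 authorization-server-group ldap_dir_1
tunnel-group remote-2 type ipsec-ra
tunnel-group remote-2 general-attributes
 authorization-server-group ldap_missing
"""


@dataclass
class LdapHost:
    """One ``aaa-server <group> host <addr>`` stanza and its sub-mode settings."""
    group: str
    address: str
    server_type: Optional[str] = None
    base_dn: Optional[str] = None
    scope: Optional[str] = None
    login_dn: Optional[str] = None
    has_login_password: bool = False


def parse_config(text: str) -> Tuple[Dict[str, str], List[LdapHost], Dict[str, str]]:
    """Return (group -> protocol, host stanzas, tunnel-group -> authz server group)."""
    protocols: Dict[str, str] = {}
    hosts: List[LdapHost] = []
    authz: Dict[str, str] = {}
    ctx: object = None  # LdapHost or tunnel-group name while inside a sub-mode
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: leaves any sub-mode
            ctx = None
            if m := re.fullmatch(r"aaa-server (\S+) protocol (\S+)", line):
                protocols[m.group(1)] = m.group(2)
            elif m := re.fullmatch(r"aaa-server (\S+) host (\S+)", line):
                ctx = LdapHost(group=m.group(1), address=m.group(2))
                hosts.append(ctx)
            elif m := re.fullmatch(r"tunnel-group (\S+) general-attributes", line):
                ctx = m.group(1)
            continue
        key, _, value = line.partition(" ")
        if isinstance(ctx, LdapHost):
            if key == "server-type":
                ctx.server_type = value
            elif key == "ldap-base-dn":
                ctx.base_dn = value
            elif key == "ldap-scope":
                ctx.scope = value
            elif key == "ldap-login-dn":
                ctx.login_dn = value
            elif key == "ldap-login-password":
                ctx.has_login_password = True
        elif isinstance(ctx, str) and key == "authorization-server-group":
            authz[ctx] = value
    return protocols, hosts, authz


def check_config(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the excerpt passes."""
    protocols, hosts, authz = parse_config(text)
    ldap_groups = {g for g, p in protocols.items() if p == "ldap"}
    findings: List[str] = []
    for h in hosts:
        if h.group not in ldap_groups:
            continue  # only LDAP groups are in scope here
        where = f"aaa-server {h.group} host {h.address}"
        if h.server_type is None:
            findings.append(f"{where}: server-type not set, relies on auto-detection")
        if h.base_dn is None:
            findings.append(f"{where}: ldap-base-dn not set")
        if h.login_dn is None:
            findings.append(f"{where}: ldap-login-dn not set")
        elif "=" not in h.login_dn:
            findings.append(f"{where}: ldap-login-dn '{h.login_dn}' is not a distinguished name")
        if h.login_dn is not None and not h.has_login_password:
            findings.append(f"{where}: ldap-login-dn set without ldap-login-password")
    for tg, group in authz.items():
        if group not in ldap_groups:
            findings.append(f"tunnel-group {tg}: authorization-server-group {group} "
                            "is not a configured LDAP server group")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real excerpt, the ldap_dir_1 stanza passes cleanly while ldap_dir_2 shows the mistake of giving ldap-login-dn a password string instead of a DN, and remote-2 shows a tunnel group bound to a server group that was never defined.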
Refer to the Configuring the Group Policy for LDAP Authorization section of Configuring an LDAP AAA Server for more information about the configuration with ASDM.