Remote Access VPN authentication with LDAP SERVER
Introduction

This document provides an example of how to configure Remote Access VPN on an ASA and authenticate the VPN users against an LDAP server.

Prerequisites

The ASA and the LDAP server must be able to reach each other.

Components Used

1. ASA 8.2
2. LDAP (Microsoft)

Configuring Remote Access VPN on the ASA:

Interface configuration:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface: 

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool:

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

Adding a User:

hostname(config)# username testuser password 12345678

Creating a Transform Set:

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac 

Creating a Tunnel group:

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map:

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

Creating a Crypto Map Entry to Use the Dynamic Crypto Map:

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Configuring the LDAP server on the ASA (the server group must be created with the ldap protocol before a host is added to it):

ciscoasa(config)#aaa-server LDAP protocol ldap
ciscoasa(config-aaa-server-group)#aaa-server LDAP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit

Assigning LDAP server under tunnel group

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP

Verification - Test with CLI:

You can use the test command on the command line to verify your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication LDAP host 192.168.1.2
   username cisco password cisco123
INFO: Attempting Authentication test to IP address <192.168.1.2>
   (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot:

If you are unsure of the DN string to use, issue the dsquery command from a command prompt on a Windows Active Directory server to verify the DN string of a user object.

C:\Documents and Settings\Administrator>dsquery user -samid cisco
!--- Queries Active Directory for samid id "cisco"
"CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"

The debug ldap 255 command can help troubleshoot authentication problems in this scenario. It enables LDAP debugging and lets you watch the process the ASA uses to connect to the LDAP server, search for the user, and bind with the user's credentials.

This debug shows a successful authentication:

ciscoasa#debug ldap 255
[7] Session Start
[7] New request Session, context 0xd4b11730, reqType = 1
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.1.2:389
[7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] supportedSASLMechanisms: value = GSSAPI
[7] supportedSASLMechanisms: value = GSS-SPNEGO
[7] supportedSASLMechanisms: value = EXTERNAL
[7] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server for admin bind and search for cisco.
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[7] Talking to Active Directory server 192.168.1.2
[7] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com

!--- The ASA binds to the LDAP server as cisco to test the password.
[7] Binding as user
[7] Performing Simple authentication for kate to 192.168.1.2
[7] Checking password policy for user cisco
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] Authentication successful for kate to 192.168.1.2
[7] Retrieving user attributes from server 192.168.1.2
[7] Retrieved Attributes:
[7]     objectClass: value = top
[7]     objectClass: value = person
[7]     objectClass: value = organizationalPerson
[7]     objectClass: value = user
[7]     cn: value = cisco
[7]     givenName: value = cisco
[7]     distinguishedName: value = CN=cisco,CN=Users,DC=ftwsecurity,
           DC=cisco,DC=com
[7]     instanceType: value = 4
[7]     whenCreated: value = 20070815155224.0Z
[7]     whenChanged: value = 20070815195813.0Z
[7]     displayName: value = cisco
[7]     uSNCreated: value = 16430
[7]     memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     uSNChanged: value = 20500
[7]     name: value = cisco
[7]     objectGUID: value = ..z...yC.q0.....
[7]     userAccountControl: value = 66048
[7]     badPwdCount: value = 1
[7]     codePage: value = 0
[7]     countryCode: value = 0
[7]     badPasswordTime: value = 128321799570937500
[7]     lastLogoff: value = 0
[7]     lastLogon: value = 128321798130468750
[7]     pwdLastSet: value = 128316667442656250
[7]     primaryGroupID: value = 513
[7]     objectSid: value = ............Q..p..*.p?E.Z...
[7]     accountExpires: value = 9223372036854775807
[7]     logonCount: value = 0
[7]     sAMAccountName: value = cisco
[7]     sAMAccountType: value = 805306368
[7]     userPrincipalName: value = cisco@ftwsecurity.cisco.com
[7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,
           DC=ftwsecurity,DC=cisco,DC=com
[7]     dSCorePropagationData: value = 20070815195237.0Z
[7]     dSCorePropagationData: value = 20070815195237.0Z
[7]     dSCorePropagationData: value = 20070815195237.0Z
[7]     dSCorePropagationData: value = 16010108151056.0Z
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
[7] Session End

This debug shows an authentication that fails due to an incorrect password:

ciscoasa#debug ldap 255
[8] Session Start
[8] New request Session, context 0xd4b11730, reqType = 1
[8] Fiber started
[8] Creating LDAP context with uri=ldap://192.168.1.2:389
[8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[8] supportedLDAPVersion: value = 3
[8] supportedLDAPVersion: value = 2
[8] supportedSASLMechanisms: value = GSSAPI
[8] supportedSASLMechanisms: value = GSS-SPNEGO
[8] supportedSASLMechanisms: value = EXTERNAL
[8] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server as admin to search for cisco.
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=kate]
        Scope   = [SUBTREE]
[8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[8] Talking to Active Directory server 192.168.1.2
[8] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Read bad password count 1

!--- The ASA attempts to bind as cisco, but the password is incorrect.
[8] Binding as user
[8] Performing Simple authentication for kate to 192.168.1.2
[8] Simple authentication for cisco returned code (49) Invalid credentials
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] Reading bad password count for cisco, dn: CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Received badPwdCount=1 for user cisco
[8] badPwdCount=1 before, badPwdCount=1 after for cisco
[8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT,
       delta=1122041, maxage=3710851 secs
[8] Invalid password for cisco
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[8] Session End

This debug shows an authentication that fails because the user cannot be found on the LDAP server:

ciscoasa#debug ldap 255
[9] Session Start
[9] New request Session, context 0xd4b11730, reqType = 1
[9] Fiber started
[9] Creating LDAP context with uri=ldap://192.168.1.2:389
[9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[9] supportedLDAPVersion: value = 3
[9] supportedLDAPVersion: value = 2
[9] supportedSASLMechanisms: value = GSSAPI
[9] supportedSASLMechanisms: value = GSS-SPNEGO
[9] supportedSASLMechanisms: value = EXTERNAL
[9] supportedSASLMechanisms: value = DIGEST-MD5

!--- The user Minakshi is not found.
[9] Binding as administrator
[9] Performing Simple authentication for admin to 192.168.1.2
[9] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=minakshi]
        Scope   = [SUBTREE]
[9] Requested attributes not found
[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
[9] Session End
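The three debug ldap 255 traces above differ in only a few lines: whether the admin-bind search resolved a User DN, the result code of the user bind, and the final Fiber exit status. The following added example (not part of the original document or of any Cisco tool) parses those lines out of a captured trace, classifies the session as success, invalid credentials, or user not found, and counts failed user binds per login name so that repeated bad-password sessions in a debug capture stand out. The sample traces are constructed fragments of the traces shown above.

```python
import re
# Constructed samples: trimmed fragments of the three debug ldap 255 traces above.
SUCCESS = """        Filter  = [sAMAccountName=cisco]
[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1"""
BAD_PASSWORD = """        Filter  = [sAMAccountName=cisco]
[8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[8] Simple authentication for cisco returned code (49) Invalid credentials
[8] Received badPwdCount=1 for user cisco
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1"""
NOT_FOUND = """        Filter  = [sAMAccountName=minakshi]
[9] Requested attributes not found
[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1"""

FILTER_RE = re.compile(r"Filter\s+=\s+\[(\w+)=([^\]]+)\]")   # naming attribute + login name
USER_DN_RE = re.compile(r"User DN = \[([^\]]+)\]")            # DN the admin-bind search resolved
CODE_RE = re.compile(r"returned code \((\d+)\)")              # LDAP result code of the user bind
BADPWD_RE = re.compile(r"Received badPwdCount=(\d+)")
STATUS_RE = re.compile(r"Fiber exit .*status=(-?\d+)")        # 1 = success, -1 = failure
def classify_ldap_debug(trace):
    """Summarise one debug ldap 255 session: search result, bind result, outcome."""
    s = {"user": None, "user_dn": None, "ldap_code": None,
         "bad_pwd_count": None, "status": None, "outcome": "unknown"}
    for line in trace.splitlines():
        if m := FILTER_RE.search(line):
            s["user"] = m.group(2)
        elif m := USER_DN_RE.search(line):
            s["user_dn"] = m.group(1)
        elif m := CODE_RE.search(line):
            s["ldap_code"] = int(m.group(1))
        elif m := BADPWD_RE.search(line):
            s["bad_pwd_count"] = int(m.group(1))
        elif m := STATUS_RE.search(line):
            s["status"] = int(m.group(1))
    # The ASA searches first (admin bind), then binds as the user: classify in that order.
    if s["user_dn"] is None and "Requested attributes not found" in trace:
        s["outcome"] = "user_not_found"          # search under ldap-base-dn matched nothing
    elif s["ldap_code"] == 49:
        s["outcome"] = "invalid_credentials"     # AD rejected the user bind
    elif s["status"] == 1:
        s["outcome"] = "success"
    return s

def failed_binds_by_user(traces):
    # Count invalid-credential sessions per login name, e.g. to spot repeated bad passwords.
    counts = {}
    for t in traces:
        s = classify_ldap_debug(t)
        if s["outcome"] == "invalid_credentials":
            counts[s["user"]] = counts.get(s["user"], 0) + 1
    return counts
```

A session that ends with status=-1 but shows neither a User DN nor a result code (as when the server is unreachable) stays classified as unknown, so it is not mistaken for a bad password.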

When there is no connectivity between the ASA and the LDAP authentication server, the debugs show this error (AAA status ERROR rather than a specific LDAP result):

ciscoasa# debug webvpn 255
INFO: debug webvpn  enabled at level 255.
ciscoasa# webvpn_portal.c:ewaFormSubmit_webvpn_login[2162]
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
....not resuming [2587]
webvpn_portal.c:http_webvpn_kill_cookie[787]
webvpn_auth.c:http_webvpn_pre_authentication[2327]
WebVPN: calling AAA with ewsContext (-847917520) and nh (-851696992)!
webvpn_auth.c:webvpn_add_auth_handle[5118]
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5158]
WebVPN: AAA status = (ERROR)
webvpn_portal.c:ewaFormSubmit_webvpn_login[2162]
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
....resuming [2564]
webvpn_auth.c:http_webvpn_post_authentication[1506]
WebVPN: user: (utrcd01) auth error.

More Information

Cisco ASA 5500-X Series Next-Generation Firewalls - ASA 8.0: Configure LDAP Authentication for WebVPN Users
