Remote Access VPN authentication with LDAP SERVER
<body>

<div>

<h1><span style="font-family: arial black,avant garde;"><span style="color: #333399; font-size: 14pt;">Introduction</span><br /></span></h1>

<p><span style="font-family: arial black,avant garde;"> </span></p>

<p><span style="color: #333333; font-family: arial black,avant garde; font-size: 12pt;">This document provides an example of how to configure Remote Access VPN on an ASA and authenticate the VPN users against an LDAP server.</span></p>

<p><span style="font-family: arial black,avant garde;"> </span></p>

<p><span style="font-family: arial black,avant garde;"><a name="anc1"></a></span></p>

<h1><span style="color: #333399; font-size: 14pt; font-family: arial black,avant garde;">Prerequisites</span></h1>

<p><span style="font-family: arial black,avant garde;"> </span></p>

<p><span style="color: #333333; font-size: 12pt; font-family: arial black,avant garde;">The ASA and the LDAP server must be able to reach each other.</span></p>


<h1><span style="color: #333399; font-size: 14pt; font-family: arial black,avant garde;">Components Used</span></h1>

<p><span style="font-family: arial black,avant garde;"> </span></p>

<p><span style="color: #333333; font-family: arial black,avant garde; font-size: 12pt;">1. ASA 8.2<br /></span></p>

<p><span style="color: #808080; font-family: arial black,avant garde; font-size: 12pt;"><span style="color: #333333;">2. LDAP (Microsoft)</span><br /></span></p>


<p><span style="font-family: arial black,avant garde;"><a name="anc3"></a></span></p>

<h1><span style="font-family: arial black,avant garde; font-size: 14pt;"><span style="color: #333399;">Configuring Remote Access VPN on the ASA:</span></span></h1>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Interface configuration:</span></h2>

<p> </p>

</div>


<div>

<div>

<pre>hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown</pre>

</div>

</div>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface:</span></h2>


<div>

<pre>hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside</pre>

</div>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Configuring an Address Pool:</span></h2>


<pre>hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15</pre>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Adding a User:</span></h2>


<pre>hostname(config)# username testuser password 12345678</pre>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Creating a Transform Set:</span></h2>


<pre>hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac</pre>

<p> </p>

<h2><span style="color: #333399; font-family: arial black,avant garde;">Creating a Tunnel group:</span></h2>


<div>

<pre>hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config-general)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx</pre>

</div>

<p> </p>

<h2><span style="color: #333399; font-family: arial black,avant garde;">Creating a Dynamic crypto map:</span></h2>


<div>

<pre>hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route</pre>

</div>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Creating a Crypto Map Entry to Use the Dynamic Crypto Map:</span></h2>


<div>

<pre>hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside</pre>

</div>


<h2><span style="color: #333399; font-family: arial black,avant garde;">Configuring LDAP server on the ASA:</span></h2>


<pre>ciscoasa(config)#aaa-server LDAP protocol ldap
ciscoasa(config-aaa-server-group)#aaa-server LDAP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit</pre>
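<p><span style="font-family: arial black,avant garde; font-size: 12pt;">A quick check over the host block above, added here as an example and not part of the original article: it verifies that the commands the ASA needs for the Active Directory bind are present and flags a bind over port 389 without LDAP over SSL, where the ldap-login-password and every user's password cross the network in cleartext. The rule set is my own; the group name LDAP and the host values come from the configuration above.</span></p>

```python
import re

# Added example, not from the original article: a lint for the aaa-server
# host block configured above. It checks that the commands the ASA needs for
# an Active Directory bind are present and flags a bind over port 389 with
# no LDAP over SSL, which carries the login DN password and every user's
# password in cleartext. The rule set is my own, not a Cisco checklist.

REQUIRED = ("ldap-base-dn", "ldap-login-dn", "ldap-login-password",
            "ldap-naming-attribute", "server-type")

# Constructed sample: the article's configuration with the prompts stripped.
ARTICLE_BLOCK = """\
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.1.2
 ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
 ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
 ldap-login-password **********
 ldap-naming-attribute sAMAccountName
 ldap-scope subtree
 server-type microsoft
"""

# The same block with LDAP over SSL on port 636 (both are real ASA commands).
HARDENED_BLOCK = ARTICLE_BLOCK + " ldap-over-ssl enable\n server-port 636\n"


def lint_ldap_host(block):
    """Return a list of findings for one host block; an empty list is clean."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    keys = {ln.split()[0] for ln in lines}
    findings = [f"missing: {req}" for req in REQUIRED if req not in keys]
    if not any(re.fullmatch(r"aaa-server \S+ protocol ldap", ln) for ln in lines):
        findings.append("missing: aaa-server <group> protocol ldap (group must exist first)")
    ssl = "ldap-over-ssl enable" in lines
    # server-port defaults to 389 on the ASA when it is not set explicitly.
    port = next((int(ln.split()[1]) for ln in lines
                 if ln.startswith("server-port ")), 389)
    if not ssl:
        findings.append(f"cleartext bind on port {port}: add 'ldap-over-ssl enable' "
                        "and 'server-port 636'")
    elif port != 636:
        # 636 is the usual LDAPS port; a different port is worth a second look.
        findings.append(f"ldap-over-ssl enabled on port {port}, expected 636")
    return findings
```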

<p> </p>

<h2><span style="color: #333399; font-family: arial black,avant garde;">Assigning LDAP server under tunnel group</span></h2>


<pre>ciscoasa(config)#tunnel-group testgroup general-attributes

ciscoasa(config-tunnel-general)#authentication-server-group LDAP</pre>


<h1><span style="color: #333399; font-family: arial black,avant garde; font-size: 14pt;">Verification</span></h1>

<h2><span style="color: #333399; font-family: arial black,avant garde;">Test with CLI:</span></h2>


<p><span style="font-family: arial black,avant garde; font-size: 12pt;"><a name="clitest"></a>You can use the <strong>test</strong> command on the command line to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.</span></p>

<p> </p>

<blockquote>

<pre>ciscoasa#<strong style="font-size: 12pt; font-family: arial black,avant garde;">test aaa-server authentication LDAP host 192.168.1.2 username cisco password cisco123</strong>
INFO: Attempting Authentication test to IP address &lt;192.168.1.2&gt; (timeout: 12 seconds)
INFO: Authentication Successful</pre>

</blockquote>


<h2><span style="font-family: arial black,avant garde; font-size: 14pt;"><a name="tshoot"></a><span style="color: #333399;">Troubleshoot:</span></span></h2>


<p><span style="font-family: arial black,avant garde; font-size: 12pt;">If you are unsure of the DN string to use, run the <strong>dsquery</strong> command from a command prompt on a Windows Active Directory server to verify the DN of the user object.</span></p>

<p> </p>

<blockquote>

<pre>C:\Documents and Settings\Administrator&gt;<strong style="font-size: 12pt; font-family: arial black,avant garde;">dsquery user -samid cisco</strong>
<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- Queries Active Directory for samid id "cisco"</em>
"CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"</pre>

</blockquote>

<p> </p>

<p><span style="font-family: arial black,avant garde; font-size: 12pt;">The <strong>debug ldap 255</strong> command helps to troubleshoot authentication problems in this scenario. It enables LDAP debugging, so you can watch the process the ASA uses to connect to the LDAP server.</span></p>


<p><span style="font-family: arial black,avant garde; font-size: 12pt;">This debug shows a successful authentication:</span></p>

<p> </p>

<blockquote>

<pre>ciscoasa#<strong style="font-size: 12pt; font-family: arial black,avant garde;">debug ldap 255</strong>

[7] Session Start

[7] New request Session, context 0xd4b11730, reqType = 1

[7] Fiber started

[7] Creating LDAP context with uri=ldap://192.168.1.2:389

[7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful

[7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com

[7] supportedLDAPVersion: value = 3

[7] supportedLDAPVersion: value = 2

[7] supportedSASLMechanisms: value = GSSAPI

[7] supportedSASLMechanisms: value = GSS-SPNEGO

[7] supportedSASLMechanisms: value = EXTERNAL

[7] supportedSASLMechanisms: value = DIGEST-MD5

<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- The ASA connects to the LDAP server for admin bind and search for cisco.

</em><strong style="font-size: 12pt; font-family: arial black,avant garde;">[7] Binding as administrator

[7] Performing Simple authentication for admin to 192.168.1.2

[7] LDAP Search:

        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]

        Filter  = [sAMAccountName=cisco]

        Scope   = [SUBTREE]

[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]

</strong>[7] Talking to Active Directory server 192.168.1.2

[7] Reading password policy for cisco, dn:CN=cisco,CN=Users,

       DC=ftwsecurity,DC=cisco,DC=com

<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- The ASA binds to the LDAP server as cisco to test the password.

</em><strong style="font-size: 12pt; font-family: arial black,avant garde;">[7] Binding as user

[7] Performing Simple authentication for kate to 192.168.1.2

[7] Checking password policy for user cisco

[7] Binding as administrator

[7] Performing Simple authentication for admin to 192.168.1.2

[7] Authentication successful for kate to 192.168.1.2

[7] Retrieving user attributes from server 192.168.1.2</strong>

[7] Retrieved Attributes:

[7]     objectClass: value = top

[7]     objectClass: value = person

[7]     objectClass: value = organizationalPerson

[7]     objectClass: value = user

[7]     cn: value = cisco

[7]     givenName: value = cisco

[7]     distinguishedName: value = CN=cisco,CN=Users,DC=ftwsecurity,

           DC=cisco,DC=com

[7]     instanceType: value = 4

[7]     whenCreated: value = 20070815155224.0Z

[7]     whenChanged: value = 20070815195813.0Z

[7]     displayName: value = cisco

[7]     uSNCreated: value = 16430

[7]     memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com

[7]     memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com

[7]     uSNChanged: value = 20500

[7]     name: value = cisco

[7]     objectGUID: value = ..z...yC.q0.....

[7]     userAccountControl: value = 66048

[7]     badPwdCount: value = 1

[7]     codePage: value = 0

[7]     countryCode: value = 0

[7]     badPasswordTime: value = 128321799570937500

[7]     lastLogoff: value = 0

[7]     lastLogon: value = 128321798130468750

[7]     pwdLastSet: value = 128316667442656250

[7]     primaryGroupID: value = 513

[7]     objectSid: value = ............Q..p..*.p?E.Z...

[7]     accountExpires: value = 9223372036854775807

[7]     logonCount: value = 0

[7]     sAMAccountName: value = cisco

[7]     sAMAccountType: value = 805306368

[7]     userPrincipalName: value = cisco@ftwsecurity.cisco.com

[7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,

           DC=ftwsecurity,DC=cisco,DC=com

[7]     dSCorePropagationData: value = 20070815195237.0Z

[7]     dSCorePropagationData: value = 20070815195237.0Z

[7]     dSCorePropagationData: value = 20070815195237.0Z

[7]     dSCorePropagationData: value = 16010108151056.0Z

[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1

[7] Session End</pre>

</blockquote>

<p> </p>

<p><span style="font-family: arial black,avant garde; font-size: 12pt;">This debug shows an authentication that fails due to an incorrect password:</span></p>

<p> </p>

<blockquote>

<pre>ciscoasa#<strong style="font-size: 12pt; font-family: arial black,avant garde;">debug ldap 255</strong>

[8] Session Start

[8] New request Session, context 0xd4b11730, reqType = 1

[8] Fiber started

[8] Creating LDAP context with uri=ldap://192.168.1.2:389

[8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful

[8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com

[8] supportedLDAPVersion: value = 3

[8] supportedLDAPVersion: value = 2

[8] supportedSASLMechanisms: value = GSSAPI

[8] supportedSASLMechanisms: value = GSS-SPNEGO

[8] supportedSASLMechanisms: value = EXTERNAL

[8] supportedSASLMechanisms: value = DIGEST-MD5

<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- The ASA connects to the LDAP server as admin to search for cisco.

</em><strong style="font-size: 12pt; font-family: arial black,avant garde;">[8] Binding as administrator

[8] Performing Simple authentication for admin to 192.168.1.2

[8] LDAP Search:

        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]

        Filter  = [sAMAccountName=kate]

        Scope   = [SUBTREE]

[8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]</strong>

[8] Talking to Active Directory server 192.168.1.2

[8] Reading password policy for cisco, dn:CN=cisco,CN=Users,

       DC=ftwsecurity,DC=cisco,DC=com

[8] Read bad password count 1

<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- The ASA attempts to bind as cisco, but the password is incorrect.

</em><strong style="font-size: 12pt; font-family: arial black,avant garde;">[8] Binding as user

[8] Performing Simple authentication for kate to 192.168.1.2

[8] Simple authentication for cisco returned code (49) Invalid credentials</strong>

[8] Binding as administrator

[8] Performing Simple authentication for admin to 192.168.1.2

[8] Reading bad password count for cisco, dn: CN=cisco,CN=Users,

       DC=ftwsecurity,DC=cisco,DC=com

[8] Received badPwdCount=1 for user cisco

[8] badPwdCount=1 before, badPwdCount=1 after for cisco

[8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT,

       delta=1122041, maxage=3710851 secs

[8] Invalid password for cisco

[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1

[8] Session End</pre>

</blockquote>

<p> </p>

<p><span style="font-family: arial black,avant garde; font-size: 12pt;">This debug shows an authentication that fails because the user cannot be found on the LDAP server:</span></p>

<p> </p>

<blockquote>

<pre>ciscoasa#<strong style="font-size: 12pt; font-family: arial black,avant garde;">debug ldap 255</strong>

[9] Session Start

[9] New request Session, context 0xd4b11730, reqType = 1

[9] Fiber started

[9] Creating LDAP context with uri=ldap://192.168.1.2:389

[9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful

[9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com

[9] supportedLDAPVersion: value = 3

[9] supportedLDAPVersion: value = 2

[9] supportedSASLMechanisms: value = GSSAPI

[9] supportedSASLMechanisms: value = GSS-SPNEGO

[9] supportedSASLMechanisms: value = EXTERNAL

[9] supportedSASLMechanisms: value = DIGEST-MD5

<em style="color: #0000ff; font-size: 12pt; font-family: arial black,avant garde;">!--- The user Minakshi is not found.

</em><strong style="font-size: 12pt; font-family: arial black,avant garde;">[9] Binding as administrator

[9] Performing Simple authentication for admin to 192.168.1.2

[9] LDAP Search:

        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]

        Filter  = [sAMAccountName=minakshi]

        Scope   = [SUBTREE]

[9] Requested attributes not found</strong>

[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1

[9] Session End</pre>

</blockquote>

<p><span style="font-family: arial black,avant garde; font-size: 12pt;"><strong>Please post comments if there are any queries and rate if useful.</strong></span></p>
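<p><span style="font-family: arial black,avant garde; font-size: 12pt;">When the debug runs for many users at once, sorting the sessions by outcome is faster than reading the trace line by line. The helper below is an added example, not part of the original article: it groups <strong>debug ldap 255</strong> lines by the session number in brackets, keeps the indented Filter and User DN continuation lines with their session, and classifies each session as a success, an invalid password (code 49) or a user that was not found, using the messages seen in the three traces above. The sample lines are constructed and shortened from those traces.</span></p>

```python
import re

# Added example, not part of the original article: a triage helper for
# "debug ldap 255" output. Lines are grouped by the session number in
# brackets; indented continuation lines (Base DN / Filter / Scope) attach
# to the session before them. Sample lines are constructed and shortened
# from the three traces above.

SAMPLE = """\
[7] LDAP Search:
        Filter  = [sAMAccountName=cisco]
[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[7] Authentication successful for cisco to 192.168.1.2
[8] LDAP Search:
        Filter  = [sAMAccountName=cisco]
[8] Simple authentication for cisco returned code (49) Invalid credentials
[8] Received badPwdCount=1 for user cisco
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[9] LDAP Search:
        Filter  = [sAMAccountName=minakshi]
[9] Requested attributes not found
[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
"""

# Message fragments that decide the outcome, taken from the traces above.
OUTCOMES = (
    ("Authentication successful for", "success"),
    ("returned code (49) Invalid credentials", "invalid_credentials"),
    ("Requested attributes not found", "user_not_found"),
)
LINE_RE = re.compile(r"^\[(\d+)\] ?(.*)$")


def new_session():
    return {"filter": None, "user_dn": None, "bad_pwd_count": None,
            "outcome": "unknown"}


def parse_debug(text):
    """Return {session_id: summary dict} for a block of debug ldap output."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            cur = sessions.setdefault(int(m.group(1)), new_session())
        if cur is None:
            continue                        # text before the first session line
        msg = m.group(2) if m else raw.strip()
        if (f := re.match(r"Filter\s*=\s*\[(.*)\]$", msg)):
            cur["filter"] = f.group(1)
        elif (d := re.match(r"User DN = \[(.*)\]$", msg)):
            cur["user_dn"] = d.group(1)
        elif (b := re.search(r"badPwdCount=(\d+)", msg)):
            cur["bad_pwd_count"] = int(b.group(1))
        for needle, label in OUTCOMES:
            if needle in msg:
                cur["outcome"] = label
        if cur["outcome"] == "unknown" and "status=-1" in msg:
            cur["outcome"] = "failed"       # error exit, reason not recognised
    return sessions
```

A run of invalid_credentials sessions against one account with a rising badPwdCount is the pattern to watch for, since it also drives the account toward the domain lockout threshold.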

</body>