cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1682
Views
0
Helpful
5
Replies
klaus.hacke
Beginner

ANyConnect Client Certificate Authentication and verify Client against Microsoft AD domain membership using DAP via LDAP

Hello,

as described in the Titel a want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.

The clients using Maschine Certificate to authenticate to ASA. This works fine.

Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
ldap-base-dn DC=x,DC=x,DC=x,DC=com
ldap-scope subtree
ldap-login-password *****
ldap-login-dn *****
server-type microsoft

I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

Any idee where the problem is located?

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Herbert Baerten
Cisco Employee

Hi Klaus,

DAP will not make any LDAP call itself, it will only act based on the LDAP attributes received via LDAP authentication or authorization.

So you will need to enable LDAP authorization in the tunnel-group(s) you connect to.

Once you have that, you can either use DAP or an LDAP attribute map to accept/deny access, see for an example of both methods.

hth

Herbert

View solution in original post

5 REPLIES 5
Herbert Baerten
Cisco Employee

Hi Klaus,

DAP will not make any LDAP call itself, it will only act based on the LDAP attributes received via LDAP authentication or authorization.

So you will need to enable LDAP authorization in the tunnel-group(s) you connect to.

Once you have that, you can either use DAP or an LDAP attribute map to accept/deny access, see for an example of both methods.

hth

Herbert

Hi Herbert,

thanks a lot. It works now.

Regards

Klaus

Hello again,

the Client now authenticate via certificate and authorizate against AD(LDAP) via username taken from certificate.

As I can see in the logs, the Clients PC name is shown as a Session Attribute:

endpoint.device.hostname="PC_name"

My question, is it possible to verify the PC_name instead of the username against the AD and if it is so, how?

Thanks

Klaus

 

Hi

I'm still struggling - after setting up LDAP authorization - what do I choose in DAP?

Create
Recognize Your Peers
Content for Community-Ad