Hello,
As described in the title, I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 Version 8.4 with SSL Premium License.
The clients use machine certificates to authenticate to the ASA. This works fine.
Now I want to set up a DAP to verify the client against the Microsoft AD using LDAP. I configured the LDAP server in the ASA, see:
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
 ldap-base-dn DC=x,DC=x,DC=x,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn *****
 server-type microsoft
I can see that it works if I test the server via the test button in ASDM, and I see it in the CLI with "debug ldap 255" as well. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember, I cannot see any request to the LDAP server while I try to connect with the client, and the DAP doesn't match.
Any idea where the problem is located?
Thanks in advance
Hi Klaus,
DAP will not make any LDAP call itself, it will only act based on the LDAP attributes received via LDAP authentication or authorization.
So you will need to enable LDAP authorization in the tunnel-group(s) you connect to.
Once you have that, you can either use DAP or an LDAP attribute map to accept/deny access, see for an example of both methods.
hth
Herbert
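A configuration fragment added here to illustrate Herbert's answer (an example, not taken from any post in this thread): it enables LDAP authorization on the AnyConnect tunnel-group, takes the username from the machine certificate, and shows the LDAP attribute-map alternative to DAP. The tunnel-group name, attribute-map name, group-policy names and the DN of the DomainMember group are assumed placeholders.

```cisco
! Assumed names: ANYCONNECT-TG, AD-MAP, GP-DOMAIN-MEMBER, GP-NOACCESS
! The aaa-server group "LDAP" is the one already configured in the question.

! 1. Tunnel-group: certificate authentication, LDAP authorization.
!    Without "authorization-server-group" the ASA never queries LDAP
!    after a certificate login, so DAP sees no ldap.memberOf attribute.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 default-group-policy GP-NOACCESS
 authorization-server-group LDAP
 authorization-required
 ! pull the username for the LDAP lookup out of the machine certificate
 username-from-certificate CN
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication certificate
 group-alias corp enable

! 2a. DAP method: once authorization returns the user's attributes, a DAP
!     record matching AAA attribute "memberOf" (as in the question) can
!     be created in ASDM; DAP records live in dap.xml, not in this config.

! 2b. LDAP attribute-map method: map the AD group directly to a
!     group-policy, so non-members fall back to GP-NOACCESS.
ldap attribute-map AD-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=DomainMember,OU=Groups,DC=x,DC=x,DC=x,DC=com" GP-DOMAIN-MEMBER

aaa-server LDAP (inside) host ldap.com
 ldap-attribute-map AD-MAP

! Default policy denies the tunnel; members get a usable policy.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-DOMAIN-MEMBER internal
group-policy GP-DOMAIN-MEMBER attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
```

After applying this, "debug ldap 255" should show the authorization bind and search on each connection attempt, which is the check that was missing in the original setup.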
Hi Herbert,
thanks a lot. It works now.
Regards
Klaus
Hello again,
The client now authenticates via certificate and is authorized against AD (LDAP) using the username taken from the certificate.
As I can see in the logs, the client's PC name is shown as a session attribute:
endpoint.device.hostname="PC_name"
My question: is it possible to verify the PC_name instead of the username against the AD, and if so, how?
Thanks
Klaus
Hi
I'm still struggling - after setting up LDAP authorization - what do I choose in DAP?