Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
0
Helpful
5
Replies

ANyConnect Client Certificate Authentication and verify Client against Microsoft AD domain membership using DAP via LDAP

Go to solution
klaus.hacke
Level 1
Level 1

‎07-14-2011 04:21 AM - edited ‎02-21-2020 05:27 PM

Hello,

as described in the Titel a want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.

The clients using Maschine Certificate to authenticate to ASA. This works fine.

Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
ldap-base-dn DC=x,DC=x,DC=x,DC=com
ldap-scope subtree
ldap-login-password *****
ldap-login-dn *****
server-type microsoft

I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

Any idee where the problem is located?

Thanks in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎07-14-2011 05:31 AM

Hi Klaus,

DAP will not make any LDAP call itself, it will only act based on the LDAP attributes received via LDAP authentication or authorization.

So you will need to enable LDAP authorization in the tunnel-group(s) you connect to.

Once you have that, you can either use DAP or an LDAP attribute map to accept/deny access, see for an example of both methods.

hth

Herbert

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎07-14-2011 05:31 AM

Hi Klaus,

DAP will not make any LDAP call itself, it will only act based on the LDAP attributes received via LDAP authentication or authorization.

So you will need to enable LDAP authorization in the tunnel-group(s) you connect to.

Once you have that, you can either use DAP or an LDAP attribute map to accept/deny access, see for an example of both methods.

hth

Herbert

0 Helpful

Go to solution
klaus.hacke
Level 1
Level 1
In response to Herbert Baerten

‎07-14-2011 11:56 PM

Hi Herbert,

thanks a lot. It works now.

Regards

Klaus

0 Helpful

Go to solution
klaus.hacke
Level 1
Level 1
In response to klaus.hacke

‎07-15-2011 12:08 AM

Hello again,

the Client now authenticate via certificate and authorizate against AD(LDAP) via username taken from certificate.

As I can see in the logs, the Clients PC name is shown as a Session Attribute:

endpoint.device.hostname="PC_name"

My question, is it possible to verify the PC_name instead of the username against the AD and if it is so, how?

Thanks

Klaus

0 Helpful

Go to solution
BartlomiejSmajdor90415
Level 1
Level 1
In response to Herbert Baerten

‎07-23-2020 02:08 PM

Hi

I'm still struggling - after setting up LDAP authorization - what do I choose in DAP?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents