ASA5510 LDAP Authentication across W2K3 AD domains

bakerb
Level 1

Does the LDAP authentication work across W2K3  Active Directory domains and multiple ASA5510 firewalls? Or do I need to setup another type of authentication? If I use another type of authentication can I get specific portals with special bookmarks based on login account?

Accepted Solution

The ASA can, via the LDAP protocol, perform multi-domain searches by using an Active Directory Global Catalog Server (AD-GCS) in a single AD forest.

For more information on Global Catalog Server capabilities and configuration, please consult the Microsoft documentation.

AD-GCS uses a special port, 3268, for unsecured operations and port 3269 for secure (LDAP-S) operations.

ASA CLI configuration:

With the CLI, configure an AAA server for AD-GCS on the ASA/PIX platform:

ASA# show run aaa-server GC
aaa-server GC protocol ldap
aaa-server GC host 10.10.1.1
 server-port 3268
 ldap-base-dn DC=mydomain,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-password *
 ldap-login-dn CN=ldap-reader,OU=Employees,DC=mydomain,DC=com
 server-type microsoft

Note 1: The customer must have an attribute that is unique and simple within AD so that it can be used for the LDAP searches. Usually userPrincipalName or sAMAccountName are unique attributes that can be used.

In this example, based on naming-attribute=userPrincipalName, the VPN user would log in with username=username@mydomain.com.

Note 2: In Global Catalog mode, not all LDAP attributes are returned (for example: memberOf) to allow the ASA to make policy decisions, say via Dynamic Access Policies https://supportforums.cisco.com/docs/DOC-1369 .

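The accepted solution above gives a Global Catalog aaa-server block and two notes (a forest-unique naming attribute, and memberOf not being returned in GC mode). The following is an added example, not Cisco's code and not part of the original post: a small Python linter that parses an aaa-server block in the "show run" format shown above and reports the checks a reviewer would make before trusting it for VPN authentication and DAP. The sample config is constructed from the post; the finding texts, the assumed "ldap-over-ssl" keyword handling and the "policy_attrs" parameter are this example's own.

```python
"""Linter for a Cisco ASA 'aaa-server ... protocol ldap' block aimed at an
AD Global Catalog. Added example: the checks encode what the accepted
solution states (GC ports 3268/3269, a unique naming attribute, subtree
scope, and memberOf not being returned in GC mode). Not Cisco code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the block from the accepted solution above, minus the prompt line.
SAMPLE_GC_CONFIG = """\
aaa-server GC protocol ldap
aaa-server GC host 10.10.1.1
 server-port 3268
 ldap-base-dn DC=mydomain,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-password *
 ldap-login-dn CN=ldap-reader,OU=Employees,DC=mydomain,DC=com
 server-type microsoft
"""

# Constructed variant: same block moved to LDAPS on 3269 with ldap-over-ssl set.
HARDENED_GC_CONFIG = SAMPLE_GC_CONFIG.replace(
    " server-port 3268\n", " server-port 3269\n ldap-over-ssl\n")

GC_PORTS = {3268: "Global Catalog, cleartext LDAP", 3269: "Global Catalog, LDAPS"}
UNIQUE_NAMING_ATTRS = {"userPrincipalName", "sAMAccountName"}  # per Note 1
KEYWORDS = ("server-port", "ldap-base-dn", "ldap-scope",
            "ldap-naming-attribute", "ldap-login-dn", "server-type")


def parse_aaa_server(config: str) -> Dict[str, str]:
    """Turn one aaa-server definition into a flat dict of keyword -> value.
    Only the keywords used in the post (plus ldap-over-ssl) are recognised;
    anything else, such as the masked ldap-login-password line, is ignored."""
    cfg: Dict[str, str] = {"ldap-over-ssl": "no"}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^aaa-server (\S+) protocol (\S+)$", line)
        if m:
            cfg["group"], cfg["protocol"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^aaa-server (\S+) host (\S+)$", line)
        if m:
            cfg["host"] = m.group(2)
            continue
        if line == "ldap-over-ssl":
            cfg["ldap-over-ssl"] = "yes"
            continue
        m = re.match(r"^(%s) (.+)$" % "|".join(KEYWORDS), line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def lint_gc_server(cfg: Dict[str, str],
                   policy_attrs: Tuple[str, ...] = ("memberOf",)) -> List[str]:
    """Return review findings for a GC-facing block. policy_attrs lists the
    LDAP attributes the admin intends to use for DAP or attribute-map decisions."""
    findings: List[str] = []
    port = int(cfg.get("server-port", "389"))  # ASA default LDAP port
    ssl = cfg.get("ldap-over-ssl") == "yes"
    if port == 3268 and not ssl:
        findings.append("CLEARTEXT: port 3268 without ldap-over-ssl sends the "
                        "ldap-login-dn bind and every VPN user's password "
                        "unencrypted; use server-port 3269 with ldap-over-ssl.")
    if port == 3269 and not ssl:
        findings.append("MISMATCH: port 3269 is the LDAPS GC port but "
                        "ldap-over-ssl is not configured, so no TLS is negotiated.")
    if port in GC_PORTS and cfg.get("ldap-scope") != "subtree":
        findings.append("SCOPE: ldap-scope subtree is needed for the GC search "
                        "to reach users in child domains.")
    if cfg.get("ldap-naming-attribute") not in UNIQUE_NAMING_ATTRS:
        findings.append("NAMING: ldap-naming-attribute should be an attribute the "
                        "post calls unique (userPrincipalName or sAMAccountName).")
    if port in GC_PORTS and "memberOf" in policy_attrs:
        findings.append("GC-ATTRS: the post states memberOf is not returned in "
                        "Global Catalog mode, so DAP rules keyed on group "
                        "membership will not match against this server.")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_GC_CONFIG), ("hardened", HARDENED_GC_CONFIG)):
        print(name)
        for f in lint_gc_server(parse_aaa_server(text)) or ["no findings"]:
            print("  -", f)
```

Run as-is, the sample block from the post produces two findings (cleartext bind on 3268, and memberOf unavailable for DAP); the LDAPS variant keeps only the memberOf finding, which no port change can remove since it is a property of Global Catalog mode itself.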

4 Replies

blarragu
Level 1

Hello,

The use of LDAP in this scenario will depend on whether or not this is a single-forest or multi-forest Windows domain infrastructure. The ASA, as of ASA 8.2, supports both single domain and single forest with multi-domain level searches when using a Global Catalog Active Directory server infrastructure. Multi-forest level searches, each with multi-domains, are not yet supported. (Feature Enhancement: CSCsr16298)

You could also use RADIUS to enforce specific user attributes. An ACS server or simply using IAS would be able to achieve the objective of enforcing a bookmark list to a specific group of users. The following document details how to use RADIUS to enforce group policy on ASA with the use of a Windows 2003 IAS server:

http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html

Thanks!
Brian

Hello Brian -

The Windows structure is a Single forest with multiple domains. I am successfully able to get the LDAP server group to work for the single domain (several different site OUs) where the ASA is located, but cannot get the LDAP server group to authenticate the users from the other 2 domains (remote). So your answer tells me it should work and that is excellent news. I will contact the TAC support for help with troubleshooting.

Thanks,

Bob


Nelson,

Why doesn't the ASA return all LDAP attributes when global catalog mode is used?  I really need this to function correctly.  I have two child domains that need to be searched and have the memberOf groups returned so the correct DAP gets applied.  Is there any work around to this?

Thanks In Advance,

Tony
