Cisco ASA LDAP authentication with openldap and groups

mattkl3com
Beginner

I'm trying to set up my Cisco ASA 5505 to authenticate against an OpenLDAP server.  My OpenLDAP version:

@(#) $OpenLDAP: slapd 2.4.9 (Sep  9 2009 11:22:34) $

I have an LDAP group that I want to use to restrict access for the VPN connections.

ldap-server:~> ldapsearch -x cn=vpn member
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=vpn
# requesting: member
#

# vpn, Group, example.com
dn: cn=vpn,ou=Group,dc=example,dc=com
member: uid=vpnuser,ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Authenticating with a user's LDAP username and password is working fine.

I've hit Google pretty hard but can't seem to find a simple answer.  It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.

Any help is much appreciated.  Thanks!

6 Replies

Yudong Wu
Rising star

Here is a good example for you.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

"debug ldap 255" is very helpful to troubleshoot it.

This page is inaccessible to me.

PDF attached

The solution proposed by Carl Davis worked for me pretty well! I had LDAP authentication working, but I wanted to allow only users in the "vpn" group to log in. I set up two LDAP entries, one for authentication and a second one for authorization.

Thanks!

halfpast3
Beginner

Greetings, not to bring up a post from WAAAYY back, but this post kept cropping up when I was trying to do the same thing.  I seem to have been able to get it to work.  I wanted to respond to this in case others find the post and it can help them.  This is for ASA version 8.2(2)12.

Essentially, what I did was add a secondary Authorization group that only authorizes the user.  I believe these are the relevant sections:

[This authenticates the user against the Mac OS LDAP server]

aaa-server xServe protocol ldap
aaa-server xServe (inside) host IRxServeIntel
 ldap-base-dn cn=users,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap

[This authorizes the user against a group, in my case VPN]

aaa-server xServeGroup protocol ldap
aaa-server xServeGroup (inside) host IRxServeIntel
 ldap-base-dn cn=vpn,cn=groups,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute memberUid
 server-type openldap

Further down for the tunnel group I have this:

tunnel-group SSL-VPN general-attributes
 address-pool SSL-VPN
 authentication-server-group xServe
 authorization-server-group xServeGroup
 default-group-policy SSL-VPN
 authorization-required
 username-from-certificate use-entire-name

I hope that makes sense of what I did and, if it does, that it helps others who might be in the same situation.

I'll have to check this out at some point.  I ended up using a RADIUS server.

aaa-server FreeRadius protocol radius
aaa-server FreeRadius (inside) host 192.168.1.20
 key *****
 authentication-port 1812

tunnel-group VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group FreeRadius
 default-group-policy VPN
 authorization-required

Radius configuration:

modules/ldap

server = "ldap.your.domain"
...
basedn = "dc=example,dc=com"
...
groupname_attribute = cn
# Match groupOfNames entries named vpn that list the user's DN as a member.
# Each (attr=value) item must close before the next one opens; a literal
# parenthesis inside a value has to be escaped as \28 or \29.
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn})(cn=vpn)))"
groupmembership_attribute = radiusGroupName

sites-available/default

#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

...

# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

Auth-Type LDAP {
        ldap
}
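As an added example that is not part of the original thread (and not Cisco's or FreeRADIUS's code), the script below checks group membership the two ways the replies do: halfpast3's ASA authorization lookup, which searches the group entry itself with memberUid as the naming attribute, and the rlm_ldap groupmembership_filter, which asks for a groupOfNames named vpn whose member values include the user's DN. The directory entries are constructed to mirror the ldapsearch output above; the filter evaluator implements only the RFC 4515 subset these configs use (and, or, not, equality and presence), and the DN comparison ignores case and spacing but does not handle escaped commas.

```python
"""Group-membership checks for the two styles used in this thread, run
against a constructed LDIF sample.  Added example, not thread code."""
import re

# Constructed entries in the shape ldapsearch -x prints.  Not real directory data.
SAMPLE_LDIF = """\
# vpn, Group, example.com  (groupOfNames: "member" holds full DNs)
dn: cn=vpn,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=vpnuser,ou=people,dc=example,dc=com
member: uid=admin, ou=People, dc=example, dc=com

# staff, Group, example.com  (posixGroup: "memberUid" holds bare uids)
dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: vpnuser
memberUid: alice
"""

# The corrected filter from the thread, and the variant with "(cn=vpn)" inside the member value.
GROUP_FILTER = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn})(cn=vpn)))"
GROUP_FILTER_AS_POSTED = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}(cn=vpn)))"

DN_ATTRS = {"dn", "member", "uniquemember", "owner"}   # values are DNs, compared as DNs


def parse_ldif(text):
    """LDIF -> list of entries (lower-cased attribute -> list of values).
    Handles comments, blank-line separators and folded lines; no base64 ('::')."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Canonical DN for comparison: lower-case, no spaces around ',' or '='."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(","))


def _parse(s):
    """Recursive-descent RFC 4515 subset: (&...), (|...), (!...), (attr=value)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")") or (op == "!" and len(children) != 1):
            raise ValueError("unbalanced or malformed filter near %r" % s[:20])
        return (op, children), s[1:]
    end = s.find(")")
    if end < 0:
        raise ValueError("unterminated filter item %r" % s[:20])
    attr, _, value = s[:end].partition("=")
    if "(" in value or not attr:
        raise ValueError("'(' inside a value must be escaped as \\28: %r" % value)
    return ("=", attr.strip().lower(), value), s[end + 1:]


def _eval(node, entry):
    op = node[0]
    if op == "&":
        return all(_eval(c, entry) for c in node[1])
    if op == "|":
        return any(_eval(c, entry) for c in node[1])
    if op == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                                         # presence test
        return bool(values)
    if attr in DN_ATTRS:
        return normalize_dn(value) in {normalize_dn(v) for v in values}
    return value.lower() in {v.lower() for v in values}    # caseIgnore match


def eval_filter(filt, entry):
    """True if the parsed entry matches the filter string."""
    node, rest = _parse(filt)
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return _eval(node, entry)


def filter_is_valid(filt):
    try:
        eval_filter(filt, {})
        return True
    except ValueError:
        return False


def vpn_group_allows(ldif_text, user_dn, group_filter=GROUP_FILTER):
    """rlm_ldap style: expand %{control:Ldap-UserDn}, search for a match."""
    filt = group_filter.replace("%{control:Ldap-UserDn}", user_dn)
    return any(eval_filter(filt, e) for e in parse_ldif(ldif_text))


def memberuid_group_allows(ldif_text, group_dn, uid):
    """ASA style from halfpast3's post: base DN is the group entry, naming
    attribute memberUid, so only a bare uid listed there authorizes."""
    for e in parse_ldif(ldif_text):
        if normalize_dn(e.get("dn", [""])[0]) == normalize_dn(group_dn):
            return uid in e.get("memberuid", [])
    return False
```

Note that vpnuser is authorized through the vpn group by the DN-based filter but not by a memberUid lookup against that same group, because a groupOfNames stores DNs in member, not uids in memberUid; the ASA's ldap-naming-attribute on the authorization server has to match how the group actually records members, otherwise every user is denied.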
