Cisco ASA LDAP authentication with openldap and groups

mattkl3com · ‎10-06-2010

I'm trying to set up my Cisco ASA 5505 to authenticate against and openldap server. My OpenLDAP version:

@(#) $OpenLDAP: slapd 2.4.9 (Sep  9 2009 11:22:34) $

I have an LDAP group that I want to use to restrict access for the VPN connections.

ldap-server:~> ldapsearch -x cn=vpn member
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=vpn
# requesting: member
#
# vpn, Group, example.com
dn: cn=vpn,ou=Group,dc=example,dc=com
member: uid=vpnuser,ou=people,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Authenticate with a user's LDAP username and password is working fine.

I've hit Google pretty hard but can't seem to find a simple answer. It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.

Any help is much appreciated. Thanks!

Yudong Wu · ‎10-07-2010

Here is a good example for you.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

"debug ldap 255" is very helpful to troubleshoot it.

mattkl3com · ‎10-20-2010

This page is inaccessible to me.

Yudong Wu · ‎10-20-2010

PDF attached

giovannitorres · ‎11-03-2011

The solution proposed by Carl Davis worked for me pretty well! I had LDAP authentication working, but I wanted to allow only users in the "vpn" group to login. I set up two LDAP entries, one for authentication and a second one for authorization.

Thanks!

halfpast3 · ‎05-23-2011

Greetings, not to bring up a post from the WAAAYY back, but this post kept cropping up when I was trying to do the same thing. I seem to have been able to get it to work. I wanted to respond to this in case others find the post and it can help them. This is for ASA version 8.2(2)12

Essentially, what I did was add a secondary Authorization group that only authorizes the user. I believe these are the relevant sections:

[This authenticates the user against the Mac OS LDAP server]

aaa-server xServe protocol ldap

aaa-server xServe (inside) host IRxServeIntel

ldap-base-dn cn=users,dc=server1,dc=yourserver,dc=com

ldap-scope subtree

ldap-naming-attribute uid

server-type openldap

[This authorizes the user against a group, in my case VPN]

aaa-server xServeGroup protocol ldap

aaa-server xServeGroup (inside) host IRxServeIntel

ldap-base-dn cn=vpn,cn=groups,dc=server1,dc=yourserver,dc=com

ldap-scope subtree

ldap-naming-attribute memberUid

server-type openldap

Further down for the tunnel group I have this:

tunnel-group SSL-VPN general-attributes

address-pool SSL-VPN

authentication-server-group xServe

authorization-server-group xServeGroup

default-group-policy SSL-VPN

authorization-required

username-from-certificate use-entire-name

I hope that makes sense to what I did and if it does that it helps others that might be in the same situation.

mattkl3com · ‎05-23-2011

I'll have to check this out at some point. I ended up using a RADIUS server.

aaa-server FreeRadius protocol radius
aaa-server FreeRadius (inside) host 192.168.1.20
key *****
authentication-port 1812

tunnel-group VPN general-attributes
address-pool VPN_POOL
authentication-server-group FreeRadius
default-group-policy VPN
authorization-required

Radius configuration:

modules/ldap

server = "ldap.your.domain"
...

basedn = "dc=example,dc=com"

...
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}(cn=vpn)))"
groupmembership_attribute = radiusGroupName

sites-available/default

# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

...

# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

Auth-Type LDAP {
ldap
}