Confusion regarding how to implement DAP

snyggsomfan (Level 1)

Hi everybody,

Today we have a simple ASA-5520 SVC setup with just one connection profile and one group policy. Authentication (2 factor – AD + SMS) is performed by RADIUS. We would now like to allow access to this VPN service only if you reside in a particular group in the MS AD. From what I understand this can be accomplished through DAP, either by matching the LDAP attribute “memberOf” or RADIUS id 146. Am I right? Can I still perform authentication using RADIUS and then DAP using LDAP, or must I use DAP using RADIUS?

/K

Accepted Solution

Herbert Baerten (Cisco Employee)

Hi Patrik,

DAP does not contact any AAA server to get user attributes; instead it uses the attributes received during the regular authentication and authorization stages.

So in your case you have 3 options:

- use only radius attributes in your DAP policy (but whether or not you can use attribute 146 depends on whether your radius server sends this attribute, check "debug radius")

- replace radius authentication with LDAP authentication; I guess you can't do that because you need radius for the SMS stuff.

- keep radius authentication and add LDAP authorization; i.e. after a successful radius authentication, the ASA will then query the LDAP server for user attributes.

hth

Herbert

3 Replies

OK, thanks Herbert!

One final question regarding the third option - "keep radius authentication and add LDAP authorization". Do you mean the authorization option in the tunnel-group?

/Patrik

Yes that's correct.

e.g.

aaa-server myldap protocol ldap
aaa-server myldap host 10.x.x.x
 ldap-base-dn cn=users,dc=MYDOMAIN,dc=COM
 ldap-scope onelevel
 ldap-login-password *
 ldap-login-dn ldapadmin
 server-type microsoft
 ...

tunnel-group myTG general-attributes
 authentication-server-group myradius
 authorization-server-group myldap

cheers

Herbert
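A fuller version of the third option, written out here as an added example rather than Herbert's own configuration or any Cisco-supplied snippet: RADIUS handles the two-factor (AD + SMS) authentication, LDAP is added as the authorization server so that the user's memberOf values are fetched after a successful RADIUS exchange, and a pair of DAP records terminates every session except those where the LDAP memberOf attribute matches the allowed AD group. The server tags, the 10.0.0.0/24 addresses, the interface name inside, the bind account cn=svc-asa-ldap, the group VPN-Users and the group policy myGP are all assumptions. The DAP selection criterion itself (AAA attribute type LDAP, attribute ID memberOf, value VPN-Users, attached to the record AD-VPN-Users) is edited in ASDM and stored in dap.xml, so it does not appear in the CLI lines below; only the records and their actions do.

```cisco
! RADIUS: authentication only, carries the AD + SMS second factor (assumed tag/address)
aaa-server myradius protocol radius
aaa-server myradius (inside) host 10.0.0.10
 key *****
 authentication-port 1812
 accounting-port 1813

! LDAP: authorization only, i.e. attribute retrieval (memberOf) after RADIUS succeeds
! Subtree scope from the domain root so users outside cn=users are still found
aaa-server myldap protocol ldap
aaa-server myldap (inside) host 10.0.0.20
 ldap-base-dn dc=MYDOMAIN,dc=COM
 ldap-scope subtree
 ldap-login-dn cn=svc-asa-ldap,cn=users,dc=MYDOMAIN,dc=COM
 ldap-login-password *****
 server-type microsoft
 ldap-over-ssl enable
 server-port 636

! Connection profile: authenticate against RADIUS, authorize against LDAP
tunnel-group myTG general-attributes
 authentication-server-group myradius
 authorization-server-group myldap
 default-group-policy myGP

! DAP: the default record terminates the session; a record whose ASDM selection
! criterion is "LDAP memberOf = VPN-Users" continues it. A user who matches only
! DfltAccessPolicy is disconnected after authentication with the message below.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "VPN access requires membership of the VPN-Users AD group"
dynamic-access-policy-record AD-VPN-Users
 action continue
```

Two checks are worth running before relying on this. First, confirm the ASA actually receives memberOf from the authorization server: test aaa-server authorization myldap host 10.0.0.20 username jdoe (an assumed user) together with debug ldap 255 shows the attribute list the LDAP server returns, and the memberOf value you see there is the form the DAP criterion must match. Second, debug dap trace during a test login shows which DAP records were selected and which action was applied, which is the quickest way to tell a criterion typo from a missing attribute. Note that with DAP the deny happens after authentication has already succeeded, so a user outside the group still completes the RADIUS (and SMS) exchange before being terminated.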