02-07-2011 01:05 AM
Hi, I have the following scenario:
Microsoft domain father.local
Account: account.asa (member of Account Operators of father.local)
Account: account.vpn1 (member of group GRP-ACCESSTO-1)
Account: account.vpn2 (member of group GRP-ACCESSTO-3)
Account: account.vpn3 (member of group GRP-ACCESSTO-ALL)
Group: GRP-ACCESSTO-ALL (member of GRP-ACCESSTO-1 and GRP-ACCESSTO-3)
Microsoft domain child.father.local
Account: account.asa (member of Account Operators of child.father.local)
Account: account.vpn4 (member of group GRP-ACCESSTO-1 of parent domain father.local)
ASA configuration:
aaa server group LDAP-FATHER that points to a domain controller of Microsoft domain father.local
aaa server group LDAP-CHILD that points to a domain controller of Microsoft domain child.father.local
The problems I'm experiencing are with Dynamic access policies:
First Problem: When I configure the IPsec tunnel I can correctly authenticate account.vpn4 on the IPsec tunnel using AAA server group LDAP-CHILD, but when the authentication is completed the ASA performs an authorization session and does not receive the membership of account.vpn4 in the group GRP-ACCESSTO-1 of the father domain father.local. The result is that a dynamic access policy that matches membership in LDAP group GRP-ACCESSTO-1 is not applied.
Second Problem: When I configure the IPsec tunnel I can correctly authenticate account.vpn3 on the IPsec tunnel using AAA server group LDAP-FATHER, but when the authentication is completed the ASA performs an authorization session and does not receive the membership of account.vpn3 in the groups GRP-ACCESSTO-1 and GRP-ACCESSTO-3 of domain father.local. The result is that the dynamic access policies that match membership in LDAP groups GRP-ACCESSTO-1 and GRP-ACCESSTO-3 are not applied.
Is this regular behaviour or did I make a mistake?
Thanks in advance and best regards.
02-08-2011 12:12 AM
Hi Giuseppe,
For problem 1: you can check with "debug ldap 255" and "debug dap trace" what attributes the ASA receives from AD. If you don't get the memberOf attribute, I personally have no clue why that could be, sorry. Unless someone else reading this knows, I would suggest seeking help on a Microsoft forum. Just thinking out loud now: perhaps using a GCS (global catalog server) might help.
For problem 2: I believe this is normal. User vpn3 is not a member of GRP-ACCESSTO-1 and GRP-ACCESSTO-3. The fact that GRP-ACCESSTO-ALL is a member does not automatically make its members also members of the parent groups.
There is an enhancement request for the ASA software to do recursive lookups:
CSCso24147 Recursive LDAP searches for AD Nested-Groups, Sun isMemberOf, OpenLdap GIDs
but this has not been implemented yet and I have no ETA for it.
hth
Herbert
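Herbert's point about nested groups, as an added example that is not part of the thread: a constructed snapshot of the father.local objects from the first post, where each object carries only its direct memberOf values (as AD returns them and as "debug ldap 255" shows them), comparing the direct match the ASA performs with the recursive expansion requested in CSCso24147. The DNs, OUs and DAP names are assumptions made up for the illustration.

```python
# Added example, not from the thread or from Cisco: direct vs recursive memberOf.
# Constructed snapshot of father.local; OU names and DNs are assumptions.
BASE = "DC=father,DC=local"
USERS = "OU=Users," + BASE
GROUPS = "OU=Groups," + BASE
GRP1 = f"CN=GRP-ACCESSTO-1,{GROUPS}"
GRP3 = f"CN=GRP-ACCESSTO-3,{GROUPS}"
GRPALL = f"CN=GRP-ACCESSTO-ALL,{GROUPS}"

# memberOf exactly as the directory returns it: direct memberships only.
# GRP-ACCESSTO-ALL is itself nested in GRP-ACCESSTO-1 and GRP-ACCESSTO-3.
DIRECTORY = {
    f"CN=account.vpn1,{USERS}": [GRP1],
    f"CN=account.vpn2,{USERS}": [GRP3],
    f"CN=account.vpn3,{USERS}": [GRPALL],
    GRPALL: [GRP1, GRP3],
    GRP1: [],
    GRP3: [],
}

# Hypothetical DAP records keyed on the memberOf value they require.
DAP_POLICIES = {"DAP-ACCESSTO-1": GRP1, "DAP-ACCESSTO-3": GRP3}


def direct_groups(dn):
    """What the ASA evaluates today: the memberOf values on the object itself."""
    return set(DIRECTORY.get(dn, []))


def recursive_groups(dn):
    """Transitive closure over memberOf, i.e. the lookup CSCso24147 asks for.

    The 'seen' set makes this safe even if groups are nested in a cycle.
    """
    seen, stack = set(), list(DIRECTORY.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, []))
    return seen


def matching_daps(user_dn, recursive=False):
    """Return the sorted names of the DAP records whose group requirement is met."""
    groups = recursive_groups(user_dn) if recursive else direct_groups(user_dn)
    return sorted(name for name, dn in DAP_POLICIES.items() if dn in groups)
```

Running matching_daps on account.vpn3 returns no policies with the direct lookup and both policies with the recursive one, which is exactly the gap described in the second problem.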
02-08-2011 12:51 AM
Dear Herbert Baerten, thanks a lot for your answer.
First Problem: debugging LDAP shows me that when the user authenticates, the ASA gets memberOf attributes only for the domain of the user. If the user is a member of a group of another domain, he does not receive the memberOf attributes of the parent domain. I can't understand if this is a limitation or a bug...
Second Problem: I did not know that there is an open enhancement request; anyway, this is good news!
Thanks again!