Problem with Dynamic Access Policies

Hi, I have the following scenario:

Microsoft domain father.local
Account: account.asa (member of Account Operators of father.local)
Account: account.vpn1 (member of group GRP-ACCESSTO-1)
Account: account.vpn2 (member of group GRP-ACCESSTO-3)
Account: account.vpn3 (member of group GRP-ACCESSTO-ALL)
Group: GRP-ACCESSTO-ALL (member of GRP-ACCESSTO-1 and GRP-ACCESSTO-3)

Microsoft domain child.father.local
Account: account.asa (member of Account Operators of child.father.local)
Account: account.vpn4 (member of group GRP-ACCESSTO-1 of parent domain father.local)

ASA configuration:
aaa server group LDAP-FATHER that points to a domain controller of Microsoft domain father.local
aaa server group LDAP-CHILD that points to a domain controller of Microsoft domain child.father.local

The problems I'm experiencing are with Dynamic Access Policies:
First problem: When I configure the IPsec tunnel I can correctly authenticate account.vpn4 on the IPsec tunnel using AAA server group LDAP-CHILD, but when the authentication is completed the ASA performs an authorization session and does not receive the membership of account.vpn4 in the group GRP-ACCESSTO-1 of the parent domain father.local. The result is that a dynamic access policy that matches membership in LDAP group GRP-ACCESSTO-1 is not applied.
Second problem: When I configure the IPsec tunnel I can correctly authenticate account.vpn3 on the IPsec tunnel using AAA server group LDAP-FATHER, but when the authentication is completed the ASA performs an authorization session and does not receive the membership of account.vpn3 in the groups GRP-ACCESSTO-1 and GRP-ACCESSTO-3 of domain father.local. The result is that the dynamic access policies that match membership in LDAP groups GRP-ACCESSTO-1 and GRP-ACCESSTO-3 are not applied.

Is this regular behaviour, or did I make some mistakes?

Thanks in advance and best regards.

2 Replies

Herbert Baerten
Cisco Employee

Hi Giuseppe,

For problem 1: you can check with "debug ldap 255" and "debug dap trace" what attributes the ASA receives from AD. If you don't get the memberOf attribute, I personally have no clue why that could be, sorry. Unless someone else reading this knows, I would suggest seeking help on a Microsoft forum. Just thinking out loud now: perhaps using a GCS (global catalog server) might help.

For problem 2: I believe this is normal. User vpn3 is not a member of GRP-ACCESSTO-1 and GRP-ACCESSTO-3. The fact that GRP-ACCESSTO-ALL is a member does not automatically make its members also members of the parent groups.

There is an enhancement request for the ASA software to do recursive lookups:

CSCso24147    Recursive LDAP searches for AD Nested-Groups,Sun isMemberOf,OpenLdapGIDs

but this has not been implemented yet and I have no ETA for it.

hth

Herbert
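The difference between the direct memberOf check the ASA performs today and the recursive lookup described in the enhancement request, as an added worked example that is not part of this thread and not Cisco code. The directory data, DNs and policy names are constructed to mirror the scenario above; a real deployment would read memberOf from the LDAP search result instead of a dict.

```python
# Added example: direct vs. recursive evaluation of LDAP memberOf for DAP-style
# group matching. Not ASA code; all DNs and policy names below are constructed.

# Constructed directory: each DN maps to the values of its memberOf attribute,
# i.e. what a single LDAP search for that object would return.
FATHER = "OU=Groups,DC=father,DC=local"
USERS = "OU=Users,DC=father,DC=local"
GRP_1 = f"CN=GRP-ACCESSTO-1,{FATHER}"
GRP_3 = f"CN=GRP-ACCESSTO-3,{FATHER}"
GRP_ALL = f"CN=GRP-ACCESSTO-ALL,{FATHER}"
VPN1 = f"CN=account.vpn1,{USERS}"
VPN2 = f"CN=account.vpn2,{USERS}"
VPN3 = f"CN=account.vpn3,{USERS}"

MEMBER_OF = {
    VPN1: [GRP_1],
    VPN2: [GRP_3],
    VPN3: [GRP_ALL],            # vpn3 is only a direct member of GRP-ACCESSTO-ALL
    GRP_ALL: [GRP_1, GRP_3],    # the group itself is nested in GRP-1 and GRP-3
    GRP_1: [],
    GRP_3: [],
}

# Constructed DAP table: policy name -> group DN the policy's LDAP rule requires.
DAP_POLICIES = {
    "DAP-ACCESSTO-1": GRP_1,
    "DAP-ACCESSTO-3": GRP_3,
}


def direct_groups(dn, directory=MEMBER_OF):
    """Groups visible in the object's own memberOf attribute (one search)."""
    return set(directory.get(dn, []))


def recursive_groups(dn, directory=MEMBER_OF):
    """Transitive closure of memberOf: follow each group's memberOf in turn.

    The 'seen' set terminates the walk even if the directory contains a
    membership cycle (group A nested in B and B nested in A).
    """
    seen = set()
    stack = list(directory.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, []))
    return seen


def matching_policies(dn, resolver, directory=MEMBER_OF):
    """Names of DAP policies whose required group the resolver finds for dn."""
    groups = resolver(dn, directory)
    return sorted(name for name, grp in DAP_POLICIES.items() if grp in groups)


if __name__ == "__main__":
    for user in (VPN1, VPN2, VPN3):
        print(user.split(",")[0])
        print("  direct   :", matching_policies(user, direct_groups))
        print("  recursive:", matching_policies(user, recursive_groups))
```

With the direct resolver account.vpn3 matches no policy, which is the second problem in the thread; with the recursive resolver it matches both, which is what the nested-group enhancement would provide. The cycle guard matters in practice because AD does not forbid mutually nested groups.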

Dear Herbert Baerten, thanks a lot for your answer.

First problem: debugging LDAP shows me that when the user authenticates, the ASA gets memberOf attributes only for the domain of the user. If the user is a member of a group of another domain, he does not receive memberOf attributes of the parent domain. I can't understand if this is a limitation or a bug...

Second problem: I did not know that there is an open enhancement request; anyway, this is good news!

Thanks again!