Cisco ASA - Basic LDAP Authentication

We’re back at it again, this time with a short tutorial covering basic LDAP authentication using a Cisco ASA.

In this case, I’m running asa917-7-k8 (ASA 9.1(7)7) on a 5505. The configuration will use a single tunnel group and a single group policy. You can later add more groups, policies, pools, options and so on, but let’s not get carried away. Keep in mind, though, that much of the reason to use LDAP authentication rather than plain NT domain authentication (protocol nt, which can point at the same domain controller) is the ability to apply different permissions to users depending on which groups they’re members of.

Overview

Here’s how a connection flow will play out.

  1. A connection comes into the tunnel group (DefaultWEBVPNGroup), whose authentication-server-group sends the credentials to an aaa-server group.
  2. Each aaa-server host has an ldap-attribute-map applied, so the attributes the server returns are run through that map.
  3. The ldap-attribute-map says that any user whose memberOf attribute contains a specific Active Directory (AD) group DN is to be handled by the named group policy.
  4. That group policy defines how many simultaneous logins the person may have, plus the address pool, DNS settings and other session attributes.
  5. If the user wasn’t in the AD group, they fall through to whatever default-group-policy is set on the tunnel group (here, one that allows zero logins, so they are refused even though their password was correct).

If that wasn’t immediately clear, it will make more sense once we walk through the configuration.

Troubleshooting

Few endeavors are completed without a hitch, so here are some tips to avoid breaking your company’s VPN for three hours while the VP is telling you to hurry up so the CEO can connect. Don’t test on production gear if you can avoid it.

  • BACK UP YOUR CONFIG. Seriously. Just copy running-config disk0:/<date>-running-cfg to save yourself a lot of trouble. Back it up to a text document too, and don’t write mem until you’re confident in your changes.
  • You can use debug ldap 255 to watch each login’s bind, search and attribute retrieval, and undebug ldap (or no debug ldap) when you’re done. This is very handy to verify that a user is in the proper group when authenticating, as described in Step Four; debug aaa common 255 adds the group-policy decision on top. Turn debugs off before you walk away, and don’t leave them running on a busy production box longer than you need to.
  • Test your LDAP service account with test aaa-server right after adding the aaa-server, before you touch the tunnel group.
  • Know the relevant show commands. Here are the essentials:
    • show run aaa-server
    • show run ldap attribute-map
    • show run tunnel-group
    • show run group-policy
    • show run webvpn
    • show vpn-sessiondb anyconnect (shows which group policy a connected user actually received)

Step One – Create an Address Pool

Authenticated users will need an IP. Create a pool for them, using a range that does not overlap any subnet the ASA already has a route to.

ip local pool VPNpool X.X.X.X-Y.Y.Y.Y mask Z.Z.Z.Z

Step Two – Create the AAA Server(s)

Your authentication, authorization, and accounting (AAA) server is the directory containing users’ credentials and group memberships. In many environments, this will be a Windows Active Directory domain controller. If you’re rusty on domain object structure (DNs, CNs, OUs), it may be worth looking through Google first.

In the example below, we have two AAA servers in the LDAP_SRV_GRP group; the ASA tries them in order and uses the second only if the first doesn’t respond. The ASA communicates with them via the inside interface. The key field we need to focus on is the ldap-login-dn: the account the ASA binds as in order to search for the connecting user’s DN by sAMAccountName. Once it has that DN, the ASA binds a second time as the user with the password they typed, and that second bind is what actually verifies the credentials.

The account named here should be a service account created specifically for this purpose. It needs nothing beyond read access to the directory, which an ordinary unprivileged domain user already has, so don’t hand it a Domain Admin account: the password lives in the ASA config and is recoverable by anyone with enable access (more system:running-config shows it unmasked). Also note that as written, the bind is a plain LDAP simple bind on port 389, which puts both the service-account password and every user’s password on the inside network in cleartext. If your domain controllers have a certificate for LDAPS, add server-port 636 and ldap-over-ssl enable under each host. Again, see Google for how to set the service account up properly.

The first line declares the server group and its protocol; the ASA will not accept the host lines until it exists.

aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.1.50
ldap-base-dn dc=example,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP SERVICE,OU=Service Accounts,DC=example,DC=com
server-type microsoft

aaa-server LDAP_SRV_GRP (inside) host 10.1.1.60
ldap-base-dn dc=example,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP SERVICE,OU=Service Accounts,DC=example,DC=com
server-type microsoft

Now test authentication through the new group. This exercises both the service-account bind and a user lookup, so the username can be any real domain account (the service account’s own sAMAccountName will do); a success prints INFO: Authentication Successful. If it fails, run debug ldap 255 while you repeat the test and review the domain controller’s security event log for the rejected bind. Repeat the test against host 10.1.1.60 as well.

test aaa-server authentication LDAP_SRV_GRP host 10.1.1.50 username ldapadmin password ----

Step Three – Create the Group Policies

There are two policies minimally required.

  • “no access” – This is the policy assigned to connecting users who do not meet the group membership requirements. The maximum number of simultaneous logins is set to zero, so anyone assigned here is refused even though their password was accepted.
  • The real one. You can call this by any name. There are many different settings that can be defined here. Most importantly, we need to set:
    • the DNS server assigned to clients,
    • their lookup domain suffix,
    • how many simultaneous connections they’re allowed,
    • the IP address pool from step one, and
    • the tunnel protocol.

If you’re using AnyConnect, the vpn-tunnel-protocol should be ssl-client (add ikev2 on the same line if you also run AnyConnect over IKEv2). Also, setting vpn-simultaneous-logins to something greater than one may help avoid users being locked out by sessions that did not terminate cleanly. Anything you don’t set in a named policy is inherited from DfltGrpPolicy, so check show run all group-policy DfltGrpPolicy to see what you’re picking up by default.

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0

group-policy VPNUsersPolicy internal
group-policy VPNUsersPolicy attributes
banner value You have been granted network access via vpn.example.com.
wins-server value 10.1.1.50 10.1.1.60
dns-server value 10.1.1.50 10.1.1.60
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain value example.com
address-pools value VPNpool

Step Four – Create the LDAP Attribute Map

Okay, this part is easy, but critical. The group DN in the map-value line must match what AD returns in the user’s memberOf attribute exactly: the ASA does a plain case-sensitive string comparison, so CN=VPNUsers and cn=VPNUsers are not the same thing to it. If the group DN contains spaces, wrap it in double quotes. If at the end of this tutorial users keep landing in NOACCESS after you enable LDAP authentication, issue debug ldap 255, authenticate, and compare the memberOf values in the output with the DN you typed, character by character.

Two maps are shown. The first, CiscoMap, keys off the account’s Dial-in permission (the msNPAllowDialin attribute) instead of group membership; it is here for reference only, is not applied in Step Six, and the ALLOWACCESS policy it names is not defined in this post. The second, GroupMap, is the one this tutorial uses.

ldap attribute-map CiscoMap
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS

ldap attribute-map GroupMap
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPNUsers,CN=Users,DC=example,DC=com VPNUsersPolicy

Note the VPNUsersPolicy after the DN. This is the group policy assigned to users whose memberOf contains that value. memberOf is multi-valued and the ASA checks every value against the map, so a user’s other group memberships don’t get in the way; add one map-value line per AD group you want to map to a policy.
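This is what the relevant part of the debug ldap 255 output looks like for a user who is a member of VPNUsers. It is a constructed transcript added here to show what to look for, not output captured from the author’s ASA; the session number in brackets, the user jdoe, the Staff group and the byte counts are made up, and the exact wording varies a little between software versions.

```text
[47] Session Start
[47] New request Session, context 0xd5c1a0c8, reqType = Authentication
[47] Fiber started
[47] Creating LDAP context with uri=ldap://10.1.1.50:389
[47] Connect to LDAP server: ldap://10.1.1.50:389, status = Successful
[47] Binding as LDAP SERVICE
[47] Performing Simple authentication for LDAP SERVICE to 10.1.1.50
[47] LDAP Search:
        Base DN = [dc=example,dc=com]
        Filter  = [sAMAccountName=jdoe]
        Scope   = [SUBTREE]
[47] User DN = [CN=John Doe,CN=Users,DC=example,DC=com]
[47] Talking to Active Directory server 10.1.1.50
[47] Binding as jdoe
[47] Performing Simple authentication for jdoe to 10.1.1.50
[47] Processing LDAP response for user jdoe
[47] Authentication successful for jdoe to 10.1.1.50
[47] Retrieved User Attributes:
[47]   sAMAccountName: value = jdoe
[47]   memberOf: value = CN=Staff,OU=Groups,DC=example,DC=com
[47]   memberOf: value = CN=VPNUsers,CN=Users,DC=example,DC=com
[47]           mapped to IETF-Radius-Class: value = VPNUsersPolicy
[47]           mapped to LDAP-Class: value = VPNUsersPolicy
[47] Fiber exit Tx=412 bytes Rx=1893 bytes, status=1
[47] Session End
```

The two “mapped to” lines under the VPNUsers value are the confirmation you want. A memberOf value with no “mapped to” line under it matched nothing in the map, either because that group simply isn’t mapped (Staff, above) or because the DN you typed differs from the one AD returned in case or spacing. Two other things to read off this transcript: the first “Binding as” is the service account and the second is the user, so a failure right after the first bind (an Invalid credentials result) is a wrong ldap-login-dn or password rather than a user problem; and the uri line shows whether the connection went over plain ldap:// on 389 or ldaps:// on 636.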

Step Five – Create the Tunnel Group

Since we are not allowing the user to choose a connection profile, all webvpn requests land on the default tunnel group, DefaultWEBVPNGroup. That group exists on every ASA out of the box, so you only need to configure it.

To let users pick a profile instead, issue webvpn and then tunnel-group-list enable. Only tunnel groups with a group-alias show up in that list; that is what the webvpn-attributes stanza at the end of the block below does. It is optional and is not used in this configuration.

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNpool
authentication-server-group LDAP_SRV_GRP
default-group-policy NOACCESS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWEBVPNGroup enable

Step Six – Apply the LDAP Attribute Map to the AAA-Server

Now for the final step. Once the map is applied, the attributes each host returns are run through it, and the ASA will begin assigning group policies based on the mappings we defined in Step Four. The map is applied per host, so don’t forget the second server; a user whose lookup happens to hit an unmapped host would land in NOACCESS.

aaa-server LDAP_SRV_GRP (inside) host 10.1.1.50
ldap-attribute-map GroupMap
aaa-server LDAP_SRV_GRP (inside) host 10.1.1.60
ldap-attribute-map GroupMap
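All six steps in one paste-ready block, as an added example rather than the author’s own config. It adds the pieces the fragments above leave out: the aaa-server protocol declaration (which has to precede the host lines), LDAPS instead of cleartext LDAP, and a second mapped AD group with its own policy, so that the same login path yields different permissions for different groups, which is the point made in the introduction. The 10.99.0.0/24 pool, the VPN_USERS_ACL access list and the 10.1.2.0/24 application subnet it refers to, the VPNAdminsPolicy name and the VPN Admins group DN are all assumed; the ldap-login-password is masked as in the fragments above; and webvpn and AnyConnect are assumed to be enabled on the outside interface already.

```text
! Step One: address pool. 10.99.0.0/24 is an assumed range; pick one that
! does not overlap any subnet the ASA already knows about.
ip local pool VPNpool 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Step Three: group policies. The two real policies differ in the
! vpn-filter, which is where the per-group "permissions" actually live.
! VPN_USERS_ACL and the 10.1.2.0/24 app subnet are assumed names.
access-list VPN_USERS_ACL extended permit udp any host 10.1.1.50 eq domain
access-list VPN_USERS_ACL extended permit udp any host 10.1.1.60 eq domain
access-list VPN_USERS_ACL extended permit tcp any 10.1.2.0 255.255.255.0 eq 443

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy VPNUsersPolicy internal
group-policy VPNUsersPolicy attributes
 banner value You have been granted network access via vpn.example.com.
 dns-server value 10.1.1.50 10.1.1.60
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN_USERS_ACL
 default-domain value example.com
 address-pools value VPNpool

group-policy VPNAdminsPolicy internal
group-policy VPNAdminsPolicy attributes
 banner value Administrative VPN access. All activity is logged.
 dns-server value 10.1.1.50 10.1.1.60
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client
 default-domain value example.com
 address-pools value VPNpool

! Step Four: one map-value per AD group. Values are compared
! case-sensitively, and a DN containing spaces must be quoted.
ldap attribute-map GroupMap
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPNUsers,CN=Users,DC=example,DC=com VPNUsersPolicy
 map-value memberOf "CN=VPN Admins,OU=Groups,DC=example,DC=com" VPNAdminsPolicy

! Steps Two and Six: the group is declared before its hosts, and the map
! exists before it is referenced. LDAPS on 636 keeps the service-account
! bind and every user's password from crossing the inside network in clear.
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.1.50
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP SERVICE,OU=Service Accounts,DC=example,DC=com
 server-type microsoft
 ldap-attribute-map GroupMap
aaa-server LDAP_SRV_GRP (inside) host 10.1.1.60
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP SERVICE,OU=Service Accounts,DC=example,DC=com
 server-type microsoft
 ldap-attribute-map GroupMap

! Step Five: anyone the map does not place lands in NOACCESS.
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNpool
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

In a vpn-filter ACL the source is the VPN client address and the destination is the inside network; the ASA applies the mirror image to return traffic on its own, so VPNUsers members above can reach DNS on the domain controllers and HTTPS on the application subnet and nothing else, while VPN Admins members get whatever the interface ACLs allow. Verify with test aaa-server authentication LDAP_SRV_GRP host 10.1.1.50 username <user> password <pw> for a member of each group, then connect and check show vpn-sessiondb anyconnect: a VPNUsers member should show Group Policy : VPNUsersPolicy, a VPN Admins member VPNAdminsPolicy, and anyone in neither group should be refused. Keep each user in only one mapped group so that the question of which map-value wins never arises.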

Summary

Good job, you’re now doing LDAP authentication! Unless you messed it up, of course... But if not, you have an authentication method that offers you the flexibility to assign settings based on group membership. Confirm it with one user in the group and one outside it: the first should show VPNUsersPolicy under show vpn-sessiondb anyconnect, and the second should be refused.

As always, let me know if you have any questions and thanks for reading.

-Dan

 

 
