LDAP Authorization and Authentication For Cisco IPSEC against Windows 2008 Server

ciosystems
I am following this article from Cisco to set up LDAP authorization and Authentication for VPN clients in Active Directory.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml#prereq

This article points me to another article from Microsoft that explains how to grant access to query LDAP in Windows 2000 Server.

Pardon me, but I do not think this applies to Windows 2008, and/or I do not understand what it is asking me to do...

In any event this is what I want to do.

I created an account called fwauthor in AD.
I want to put this username and password on the ASA in the LDAP setup.
I want to authenticate users with the common name and password.
I want to use the DIALIN field in Active Directory to authorize the user.

The Cisco code below works if I use the Administrator account and not the fwauthor account:

ldap attribute-map AD_3
  map-name  msNPAllowDialin Tunneling-Protocols
  map-value msNPAllowDialin FALSE 1
  map-value msNPAllowDialin TRUE 20
dynamic-access-policy-record DfltAccessPolicy
aaa-server my_author_gp protocol ldap
aaa-server my_author_gp (inside) host HQDC1
 ldap-base-dn dc=corp, dc=ciosystems, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,dc=corp,dc=ciosystems,dc=com
 server-type microsoft
 ldap-attribute-map AD_3
When I use fwauthor I get the following Debug error:
irvine-fw1# debug ldap 255
debug ldap  enabled at level 255
irvine-fw1# term mon
irvine-fw1#
[44] Session Start
[44] New request Session, context 0xd8365dd8, reqType = Other
[44] Fiber started
[44] Creating LDAP context with uri=ldap://10.200.1.220:389
[44] Connect to LDAP server: ldap://10.200.1.220:389, status = Successful
[44] supportedLDAPVersion: value = 3
[44] supportedLDAPVersion: value = 2
[44] Binding as fwauthor
[44] Performing Simple authentication for fwauthor to 10.200.1.220
[44] Simple authentication for fwauthor returned code (49) Invalid credentials
[44] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[44] Fiber exit Tx=218 bytes Rx=577 bytes, status=-2
[44] Session End
 
When I use the Administrator Account I get:
[45] Session Start
[45] New request Session, context 0xd8365dd8, reqType = Other
[45] Fiber started
[45] Creating LDAP context with uri=ldap://10.200.1.220:389
[45] Connect to LDAP server: ldap://10.200.1.220:389, status = Successful
[45] supportedLDAPVersion: value = 3
[45] supportedLDAPVersion: value = 2
[45] Binding as administrator
[45] Performing Simple authentication for administrator to 10.200.1.220
[45] LDAP Search:
        Base DN = [dc=corp, dc=ciosystems, dc=com]
        Filter  = [sAMAccountName=jgallagh]
        Scope   = [SUBTREE]
[45] User DN = [CN=John Gallagher,CN=Users,DC=corp,DC=ciosystems,DC=com]
[45] LDAP Search:
        Base DN = [dc=corp, dc=ciosystems, dc=com]
        Filter  = [sAMAccountName=jgallagh]
        Scope   = [SUBTREE]
[45] Retrieved User Attributes:
[45]    objectClass: value = top
[45]    objectClass: value = person
[45]    objectClass: value = organizationalPerson
[45]    objectClass: value = user
[45]    cn: value = John Gallagher
[45]    sn: value = Gallagher
[45]    givenName: value = John
[45]    distinguishedName: value = CN=John Gallagher,CN=Users,DC=corp,DC=ciosystems,DC=com
[45]    instanceType: value = 4
[45]    whenCreated: value = 20071213183322.0Z
[45]    whenChanged: value = 20090715002929.0Z
[45]    displayName: value = John Gallagher
[45]    uSNCreated: value = 65551
[45]    memberOf: value = CN=Testers,CN=Users,DC=corp,DC=ciosystems,DC=com
[45]    memberOf: value = CN=Cisco_Swith_Auth,CN=Users,DC=corp,DC=ciosystems,DC=com
[45]    memberOf: value = CN=Domain Admins,CN=Users,DC=corp,DC=ciosystems,DC=com
[45]    memberOf: value = CN=Schema Admins,CN=Users,DC=corp,DC=ciosystems,DC=com
[45]    uSNChanged: value = 143425
[45]    name: value = John Gallagher
[45]    objectGUID: value = ......aC..E&..S}
[45]    userAccountControl: value = 66048
[45]    badPwdCount: value = 2
[45]    codePage: value = 0
[45]    countryCode: value = 0
[45]    badPasswordTime: value = 128824748600781250
[45]    lastLogoff: value = 0
[45]    lastLogon: value = 0
[45]    pwdLastSet: value = 128420444029687500
[45]    primaryGroupID: value = 513
[45]    userParameters: value = m:                    d.
[45]    objectSid: value = .................;....U.X...
[45]    adminCount: value = 1
[45]    accountExpires: value = 9223372036854775807
[45]    logonCount: value = 0
[45]    sAMAccountName: value = jgallagh
[45]    sAMAccountType: value = 805306368
[45]    userPrincipalName: value = jgallagh@corp.ciosystems.com
[45]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=ciosystems,DC=com
[45]    msNPAllowDialin: value = TRUE
[45]            mapped to Tunneling-Protocols: value = 20
[45] Fiber exit Tx=387 bytes Rx=4454 bytes, status=1
[45] Session End

Commented:
Hello Sir!

I think that the document that you are using is this one:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Since you are mapping (filtering) the query to the value msNPAllowDialin...
If this parameter is TRUE, the group-policy name that you will use is "20".

Please make sure that you have the correct group policy and the correct parameter with the internal parameters of Cisco. Why are you using tunneling-protocols with msNPAllowDialin?

Example, it should be:
map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class

or

map-name  msNPAllowDialin IETF-Radius-Class

You can check the list from the ASDM.
Please verify the document again.

Author

Commented:
I do not believe the Cisco ASA is incorrectly configured. I am getting the proper information back when I use the administrator account. What I am not getting back is anything when I use any other account in the Active Directory, even if I assign all of the groups assigned to the built-in Administrator.

Commented:
OK Cool!

Remember the ldap-login-dn needs to be a domain admin or a user that can read all the objects in the domain. Also change the password for that user: ldap-login-password xxxxx

Go to your server and type:
dsquery user -samid fwauthor

in order to get the right base-dn.

Author

Commented:
Great solution!  Thanks!  We did not have the Base DN's correct.
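As an added example (not part of the thread or of Cisco's documentation), here is a small Python parser for ASA "debug ldap" output like the two sessions pasted above. It separates the condition that caused this question, a failed bind by the service account named in ldap-login-dn (return code 49, which the later "Can't contact LDAP server" line only obscures), from a user whose msNPAllowDialin value did not map through the attribute map. The sample sessions are constructed from the thread's output and trimmed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two trimmed "debug ldap 255" sessions modelled on the thread above
SAMPLE = """\
[44] Binding as fwauthor
[44] Simple authentication for fwauthor returned code (49) Invalid credentials
[44] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[45] Binding as administrator
[45] User DN = [CN=John Gallagher,CN=Users,DC=corp,DC=ciosystems,DC=com]
[45]    msNPAllowDialin: value = TRUE
[45]            mapped to Tunneling-Protocols: value = 20
"""

@dataclass
class LdapSession:
    sid: str
    bind_user: str = ""                         # account named in ldap-login-dn
    bind_error: str = ""                        # "49 Invalid credentials" etc.; empty if bind succeeded
    user_dn: str = ""                           # DN the sAMAccountName search resolved to
    mapped: dict = field(default_factory=dict)  # values rewritten by the ldap attribute-map

LINE = re.compile(r"^\[(\d+)\]\s*(.*)$")

def parse_debug(text):
    """Group 'debug ldap' output by session id and keep only the decisive lines."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, body = m.groups()
        s = sessions.setdefault(sid, LdapSession(sid))
        if body.startswith("Binding as "):
            s.bind_user = body[len("Binding as "):]
        elif (m2 := re.match(r"Simple authentication for \S+ returned code \((-?\d+)\) (.*)", body)):
            s.bind_error = f"{m2.group(1)} {m2.group(2)}"
        elif (m2 := re.match(r"User DN = \[(.*)\]", body)):
            s.user_dn = m2.group(1)
        elif (m2 := re.match(r"mapped to (\S+): value = (.*)", body)):
            s.mapped[m2.group(1)] = m2.group(2)
    return sessions

def diagnose(s):
    """Separate a broken service bind (ASA config problem) from a user who is not authorized."""
    if s.bind_error:
        return f"bind as {s.bind_user} failed: {s.bind_error}; check ldap-login-dn and ldap-login-password"
    if s.mapped.get("Tunneling-Protocols") == "20":
        return f"{s.user_dn} authorized (msNPAllowDialin mapped to Tunneling-Protocols 20)"
    return f"{s.user_dn or 'unknown user'} not authorized"
```

Feeding the ASA's debug or syslog stream through parse_debug and alerting on any session with a non-empty bind_error catches a broken or expired service-account credential before users start reporting VPN failures.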
