Cisco ASA 5510 VPN group authentication

Hi there,

I've been trying to figure this one out for a while now and it's starting to get a little frustrating.

We have an ASA 5510 which uses an Ubuntu (8.04) LDAP server to authenticate VPN users. This works fine, but we would like to control VPN access via group so that not all users automatically get VPN access.

I've spent many hours trying to figure out how to use ASA LDAP attribute maps, adding the memberOf objectclass to LDAP etc. etc.

I'm now thinking of changing tack entirely and setting up a Radius server to act as a translator between LDAP and the Cisco. I have no experience of Radius servers whatsoever. I've googled around a bit and freeradius seems to be very popular. I'd like to set it up as an Ubuntu VM.

Any input/advice would be most welcome. How are your systems setup? What works well?

One thing we can't change and that's the LDAP backend. It's far too embedded into the architecture of the company setup.

Cheers,
c:)
ChrisAlavoineAsked:

PugglewuggleCommented:
Hi Chris,

Can you please post your config and the addresses of the LDAP server? RADIUS is not really necessary here since you do have an LDAP server.

What we basically do is make sure the ASA can authenticate to the LDAP server (have you created an LDAP query account on the server and tested it, verifying it works on the ASA? This is crucial), and then set up groups on the ASA that users will "map" to based on certain attributes or the LDAP path. This is where the access is defined.

Please let me know.

Thanks!
Jared
ChrisAlavoineAuthor Commented:
Hi Jared,

Authentication works fine between LDAP and Cisco. This is in production and has about 70 active users.

ASA version 8.2
ASDM version 6.2

I've already set up the AAA server group as follows:

aaa-server ess-ldap protocol ldap
aaa-server ess-ldap (inside) host 192.168.16.2
 timeout 20
 server-port 389
 ldap-base-dn dc=essence
 ldap-scope subtree
 ldap-naming-attribute userid
 ldap-login-password *****
 ldap-login-dn cn=admin,dc=essence
 server-type openldap

This talks nicely with our LDAP server.
Our problem is the group control.
All the documentation on the web has pointed me in the direction of creating an attribute mapping from the memberOf to IETF-Radius-Class. I've managed to get this working ok (or at least entered ok), but there is no memberOf objectclass on my LDAP server.

I've added the following to my slapd.conf:

moduleload memberof.la
overlay memberof

And have tried adding the following LDIF file:

dn: cn=vpn,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpn
member: uid=chris.alavoine,ou=Users,dc=essence

This is where the wheels come off. I keep getting this error:
memberOf.ldif: line 1: unknown directive outside backend info and database definitions.
slapadd: bad configuration file!

I've checked the whitespace in the LDIF file and everything seems to be in order.

Cheers,
c:)
ChrisAlavoineAuthor Commented:
Hiya,

Ok, I've made some progress today.

Have managed to get the LDIF file loaded and I now have a group called vpn which has a groupOfNames object class. This gives me a member attribute when I look at the group in the phpLDAPadmin web interface. As far as I can divine, this is what I need at the LDAP end.

Unfortunately, the group policy is not being applied as I can still log in as any user.

Any clues?
c:)
ChrisAlavoineAuthor Commented:
Update.

I've managed to get this working.

I wasn't able to map the memberOf attribute as that would've meant re-writing my LDAP schema. In the end I mapped the "gecos" (comment) attribute to IETF-Radius-Class on the ASA. This allows me to create a new user with the following command:

smbldap-useradd -a -m -c "vpn" user.name

where I replace "vpn" with either "vpn", "novpn" or "vpnadmin".

Each of these values is then given a particular Group Policy on the ASA relevant to their access level.

Chris.
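The ASA side of the approach Chris settled on, written out as an added example rather than taken from his config: an attribute map that turns the LDAP gecos value into the IETF-Radius-Class attribute, one group policy per value, and a default group policy that denies access to anyone whose gecos matches none of the mapped values. The map, policy and tunnel-group names (LDAP-VPN-MAP, GP-VPN, GP-VPNADMIN, GP-NOACCESS, ESS-VPN) are assumptions; the aaa-server name and host come from the thread. The default-deny policy is the part that addresses the "I can still log in as any user" symptom from earlier in the thread: on the ASA, a user for whom no class attribute is returned (for instance an existing account whose gecos still holds a full name) falls back to the tunnel-group's default-group-policy, so that policy must be the one that refuses logins.

```cisco
! Added example, not from the original thread. Assumed names: LDAP-VPN-MAP,
! GP-VPN, GP-VPNADMIN, GP-NOACCESS, ESS-VPN.
!
! Map the LDAP gecos attribute onto the Cisco class attribute, and translate
! each expected gecos value into a group-policy name. Values are matched
! exactly (case-sensitive) and must equal the group-policy names below.
ldap attribute-map LDAP-VPN-MAP
 map-name gecos IETF-Radius-Class
 map-value gecos vpn GP-VPN
 map-value gecos vpnadmin GP-VPNADMIN
 map-value gecos novpn GP-NOACCESS
!
! Attach the map to the existing LDAP server entry from the thread.
aaa-server ess-ldap (inside) host 192.168.16.2
 ldap-attribute-map LDAP-VPN-MAP
!
! Deny policy: zero simultaneous logins means the user can never connect.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Ordinary VPN users.
group-policy GP-VPN internal
group-policy GP-VPN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
!
! VPN admins (same transport here; restrict or extend as required).
group-policy GP-VPNADMIN internal
group-policy GP-VPNADMIN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
!
! The default-group-policy is applied to every user whose gecos value matched
! no map-value, so it must be the deny policy; otherwise any account that
! authenticates against LDAP gets in.
tunnel-group ESS-VPN type remote-access
tunnel-group ESS-VPN general-attributes
 authentication-server-group ess-ldap
 default-group-policy GP-NOACCESS
```

To confirm the mapping before relying on it, run `test aaa-server authentication ess-ldap host 192.168.16.2 username <user> password <pass>` with `debug ldap 255` enabled and check that the debug output shows the gecos value being mapped to the expected group-policy name. Two caveats worth keeping in mind with this design: gecos is a free-form comment field, so anyone who can write to a user's LDAP entry can grant that user VPN access by changing it, and a typo in a map-value silently demotes the user to the default (deny) policy rather than failing loudly.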
