ChrisAlavoine

asked on

Cisco ASA 5510 VPN group authentication

Hi there,

I've been trying to figure this one out for a while now and it's starting to get a little frustrating.

We have an ASA 5510 which uses an Ubuntu (8.04) LDAP server to authenticate VPN users. This works fine, but we would like to control VPN access via group so that not all users automatically get VPN access.

I've spent many hours trying to figure out how to use ASA LDAP attribute maps, adding the memberOf objectclass to LDAP etc. etc.

I'm now thinking of changing tack entirely and setting up a Radius server to act as a translator between LDAP and the Cisco. I have no experience of Radius servers whatsoever. I've googled around a bit and freeradius seems to be very popular. I'd like to set it up as an Ubuntu VM.

Any input/advice would be most welcome. How are your systems setup? What works well?

One thing we can't change and that's the LDAP backend. It's far too embedded into the architecture of the company setup.

Cheers,
c:)
Pugglewuggle

Hi Chris,

Can you please post your config and the addresses of the LDAP server? RADIUS is not really necessary here since you do have an LDAP server.

What we basically do is make sure the ASA can authenticate to the LDAP server (have you created an LDAP query account on the server and tested it, verifying it works on the ASA? this is crucial) and then setup groups on the ASA that users will "map" to based on certain attributes or the LDAP path - this is where the access is defined.

Please let me know.

Thanks!
Jared
ChrisAlavoine

ASKER

HI Jared,

Authentication works fine between LDAP and Cisco. This is in production and has about 70 active users.

ASA version 8.2
ASDM version 6.2

I've already set AAA server group as follows:

aaa-server ess-ldap protocol ldap
aaa-server ess-ldap (inside) host 192.168.16.2
 timeout 20
 server-port 389
 ldap-base-dn dc=essence
 ldap-scope subtree
 ldap-naming-attribute userid
 ldap-login-password *****
 ldap-login-dn cn=admin,dc=essence
 server-type openldap

This talks nicely with our LDAP server.
Our problem is the group control.
All the documentation on the web has pointed me in the direction of creating an attribute mapping from the memberOf to IETF-Radius-Class. I've managed to get this working ok (or at least entered ok), but there is no memberOf objectclass on my LDAP server.

I've added the following to my slapd.conf:

moduleload memberof.la
overlay memberof

And have tried adding the following LDIF file:

dn: cn=vpn,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpn
member: uid=chris.alavoine,ou=Users,dc=essence

This is where the wheels come off. I keep getting this error:
memberOf.ldif: line 1: unknown directive  outside backend info and database definitions.
slapadd: bad configuration file!

I've checked the whitespace in the LDIF file and everything seems to be in order.

Cheers,
c:)
Hiya,

Ok, I've made some progress today.

Have managed to get the LDIF file loaded and I now have a group called vpn which has a groupOfNames object class. This gives me a member attribute when I look at the group in phpLDAPadmin web interface. As far as I can divine, this is what I need at the LDAP end.

Unfortunately, the group policy is not being applied as I can still log in as any user.

Any clues?
c:)
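An added worked configuration, not taken from any post in this thread, showing the ASA side of the approach Jared describes and the piece the posts above never reach: an LDAP attribute map that turns the user's memberOf value into a group-policy name, plus a default-deny group policy so that anyone who is not in the vpn group authenticates but gets no session. The server group (ess-ldap), host (192.168.16.2), base DN (dc=essence) and group DN (cn=vpn,ou=Groups,dc=essence) are the ones posted above; the map name ESS-VPN-MAP, the group policies ESS-VPN-DENY and ESS-VPN-ALLOW and the tunnel-group ESS-VPN are assumed names for illustration. It assumes the OpenLDAP memberof overlay is active (in slapd.conf an overlay directive must come after the database directive it applies to) so that the user entry carries memberOf: cn=vpn,ou=Groups,dc=essence.

```cisco
! --- Added example config for ASA 8.2; names marked (assumed) are illustrative ---

! Attribute map: translate the LDAP memberOf attribute into the RADIUS Class
! attribute the ASA uses for group-policy selection. map-value rewrites the
! group DN string into the name of a group-policy defined on the ASA.
ldap attribute-map ESS-VPN-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "cn=vpn,ou=Groups,dc=essence" ESS-VPN-ALLOW

! Attach the map to the existing server entry (same group/host as posted above).
aaa-server ess-ldap (inside) host 192.168.16.2
 ldap-attribute-map ESS-VPN-MAP

! Default policy for users with no matching memberOf: authentication succeeds
! but zero simultaneous logins means the session is refused. (assumed name)
group-policy ESS-VPN-DENY internal
group-policy ESS-VPN-DENY attributes
 vpn-simultaneous-logins 0

! Policy a member of cn=vpn lands in via the attribute map. (assumed name)
group-policy ESS-VPN-ALLOW internal
group-policy ESS-VPN-ALLOW attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec svc

! Tunnel group: authenticate against ess-ldap, default to the deny policy.
! The ASA only switches to ESS-VPN-ALLOW when the mapped Class value names it.
tunnel-group ESS-VPN type remote-access
tunnel-group ESS-VPN general-attributes
 authentication-server-group ess-ldap
 default-group-policy ESS-VPN-DENY

! --- Verification (run from enable mode, not part of the config) ---
! 1. Watch the LDAP exchange: you should see the memberOf value returned by the
!    server and a line showing it mapped to IETF-Radius-Class = ESS-VPN-ALLOW.
! debug ldap 255
! 2. Exercise the whole path without a VPN client (replace the password):
! test aaa-server authentication ess-ldap host 192.168.16.2 username chris.alavoine password <pw>
! 3. Confirm the policy actually applied to a live session:
! show vpn-sessiondb remote
! undebug all
```

Two checks worth doing before blaming the ASA. First, map-value is a plain string comparison: the DN the LDAP server returns must match the quoted value exactly, including case and spacing, or the user falls through to the default policy. Second, the memberOf attribute created by the OpenLDAP memberof overlay is operational, so a plain ldapsearch on the user entry will not show it unless you request it by name (add `memberOf` to the attribute list); that is also how to confirm the value exists for a user at all. The overlay only maintains memberOf for group changes made after it was enabled, so a group created before the overlay was loaded needs its member attribute re-added to populate the users' memberOf values.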
ASKER CERTIFIED SOLUTION
ChrisAlavoine