LDAP AUTHENTICATION IN CISCO ASA FOR CISCO CLIENT VPN

Hi,
I am trying to set up LDAP authentication for the client VPN based on the dial-in permission enabled in AD.

I have successfully configured the AD servers in AAA and am able to run a test authorization and authentication against these servers from the ASA.

I have also configured the LDAP attribute mapping.

However, I am not able to fetch the msNPAllowDialin attribute through the LDAP query.

For testing I ran debug ldap 255 on the console and tried a test authorization/authentication for an AD account. I was able to see various attributes like memberOf, proxyAddresses, displayName etc. listed with their values, but I don't see the msNPAllowDialin attribute.

Do I need to make any changes on the ASA or on my LDAP server?


ASA Model - Cisco 5510, Version 8.0(4)33
LDAP - Windows 2003 Server
ganmaxAsked:

ganmax (Author) Commented:
Please find below the output of debug ldap 255; I am not able to see the msNPAllowDialin attribute here. Can anyone help me find what the issue is? (Note: the tested account gan28929 does have dial-in access enabled in AD.)


[5149] Session Start
[5149] New request Session, context 0x2c66edc, reqType = 0
[5149] Fiber started
[5149] Creating LDAP context with uri=ldap://10.203.111.110:3268
[5149] Binding as administrator
[5149] Performing Simple authentication for admin_test to 10.203.111.110
[5149] Connect to LDAP server: ldap://10.203.111.110:3268, status = Successful
[5149] LDAP Search:
        Base DN = [DC=AD,DC=ENNEMTECH,DC=com]
        Filter  = [sAMAccountName=gan28929]
        Scope   = [SUBTREE]
[5149] Retrieved Attributes:
[5149]  objectClass: value = top
[5149]  objectClass: value = person
[5149]  objectClass: value = organizationalPerson
[5149]  objectClass: value = user
[5149]  cn: value = Suresh Kumar
[5149]  sn: value = Kumar
[5149]  c: value = IN
[5149]  l: value = delhi
[5149]  title: value = Engineer
[5149]  description: value = AD Completed
[5149]  postalCode: value = 600032
[5149]  physicalDeliveryOfficeName: value = delhi
[5149]  telephoneNumber: value = 911111111111
[5149]  facsimileTelephoneNumber: value =
[5149]  userCertificate: value = 0...0..8........;.......@0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8........jPm......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8........f........0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*..........:......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......6..n......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......a.t.....~.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......\{.~....q.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......B..<....g.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*...............V.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8.......M.......0.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*....... <.w...."90...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......yq.,......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......yk~.......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  givenName: value = Suresh
[5149]  distinguishedName: value = CN=Suresh Kumar,OU=Users,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  instanceType: value = 4
[5149]  whenCreated: value = 20061107063717.0Z
[5149]  whenChanged: value = 20100405111754.0Z
[5149]  displayName: value = Suresh Kumar
[5149]  otherTelephone: value = 6205551
[5149]  uSNCreated: value = 72923
[5149]  memberOf: value = CN=CHE-DG-ADMIN-USERS,OU=IT,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  memberOf: value = CN=ALL_IT_ISMS_READ,OU=IT,OU=GUR,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  uSNChanged: value = 67210449
[5149]  co: value = India
[5149]  department: value = IT
[5149]  company: value = ENNEMTECH
[5149]  proxyAddresses: value = eum:6205551;phone-context=AsianEV.AD.ENNEMTECH.COM
[5149]  proxyAddresses: value = EUM:Suresh.Kumar@ENNEMTECH.com;phone-context=AsianEV.AD.ENNEMTECH.COM
[5149]  proxyAddresses: value = X500:/O=frogdesign/OU=FROGNT/cn=Recipients/cn=Suresh.Kumar
[5149]  proxyAddresses: value = X500:/o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients
[5149]  proxyAddresses: value = sip:Suresh.Kumar@ENNEMTECH.com
[5149]  proxyAddresses: value = smtp:gan28929@ENNEMTECH.com
[5149]  proxyAddresses: value = SMTP:Suresh.Kumar@ENNEMTECH.com
[5149]  proxyAddresses: value = X500:/o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients
[5149]  proxyAddresses: value = notes:UID=d8dd54ee-c6ed25f5-652571a9-4e11db
[5149]  proxyAddresses: value = NOTES:Suresh Kumar/CHE/HSS@HSS
[5149]  name: value = Suresh Kumar
[5149]  objectGUID: value = .._..}.C.u.2..<n
[5149]  userAccountControl: value = 544
[5149]  pwdLastSet: value = 129091277565688900
[5149]  primaryGroupID: value = 513
[5149]  objectSid: value = ..............X#W.......9...
[5149]  sAMAccountName: value = gan28929
[5149]  sAMAccountType: value = 805306368
[5149]  sIDHistory: value = ..................Pz#_ck]...
[5149]  showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[5149]  showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=ENNEMTECH,CN=Micro
[5149]  legacyExchangeDN: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=c
[5149]  userPrincipalName: value = gan28929@ASIAN.AD.ENNEMTECH.COM
[5149]  ipPhone: value = 6205551
[5149]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  dSCorePropagationData: value = 20090122135746.0Z
[5149]  dSCorePropagationData: value = 20080723112854.0Z
[5149]  dSCorePropagationData: value = 20080611145838.0Z
[5149]  dSCorePropagationData: value = 20080216064559.0Z
[5149]  dSCorePropagationData: value = 16010714223649.0Z
[5149]  mail: value = Suresh.Kumar@ENNEMTECH.com
[5149]  manager: value = CN=Raj Kumar,OU=Users,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  mobile: value = 911111111111
[5149]  msRTCSIP-UserPolicy: value = B:8:01000000:CN={5144797E-E015-4585-8A6E-251425BFD306},CN=Policies,CN=RTC Servic
[5149]  msExchUserAccountControl: value = 0
[5149]  msExchUMTemplateLink: value = CN=AsianEV,CN=UM Mailbox Policies,CN=ENNEMTECH,CN=Microsoft Exchange,CN=Services,C
[5149]  msRTCSIP-FederationEnabled: value = TRUE
[5149]  mDBUseDefaults: value = TRUE
[5149]  msRTCSIP-ArchivingEnabled: value = 0
[5149]  msExchUserCulture: value = en-US
[5149]  msRTCSIP-InternetAccessEnabled: value = TRUE
[5149]  msExchUMRecipientDialPlanLink: value = CN=AsianEV,CN=UM DialPlan Container,CN=ENNEMTECH,CN=Microsoft Exchange,CN=Services
[5149]  msExchMailboxGuid: value = ].{..2.@.Io?.S.s
[5149]  msExchVersion: value = 4535486012416
[5149]  msExchMailboxSecurityDescriptor: value = ........ .......,.......................................................
[5149]  msRTCSIP-OptionFlags: value = 449
[5149]  protocolSettings: value = OWA..1
[5149]  protocolSettings: value = HTTP..1..1............
[5149]  protocolSettings: value = POP3..0................
[5149]  msRTCSIP-PrimaryUserAddress: value = sip:Suresh.Kumar@ENNEMTECH.com
[5149]  msRTCSIP-Line: value = tel:6295551
[5149]  submissionContLength: value = 10240
[5149]  msExchUMDtmfMap: value = emailAddress:42637478272626426
[5149]  msExchUMDtmfMap: value = lastNameFirstName:78272626426426374
[5149]  msExchUMDtmfMap: value = firstNameLastName:42637478272626426
[5149]  msExchUMEnabledFlags: value = 831
[5149]  msRTCSIP-UserEnabled: value = TRUE
[5149]  msExchUMPinChecksum: value = ..RT.....cFK.n..p.u.............................................................
[5149]  msRTCSIP-PrimaryHomeServer: value = CN=LC Services,CN=Microsoft,CN=OCSR2POOL,CN=Pools,CN=RTC Service,CN=Services,CN=
[5149]  msExchOmaAdminWirelessEnable: value = 4
[5149]  msExchRecipientDisplayType: value = 1073741824
[5149]  delivContLength: value = 10240
[5149]  msExchHomeServerName: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/c
[5149]  homeMDB: value = CN=GUREXMB02-SG2-BLR-CHE-USERS-DB2,CN=GUREXMB02-SG2-BLR-CHE-USERS,CN=Information
[5149]  msExchRecipientTypeDetails: value = 1
[5149]  mailNickname: value = Suresh.Kumar
[5149]  msExchMailboxTemplateLink: value = CN=MRM POLICY 90days,CN=ELC Mailbox Policies,CN=ENNEMTECH,CN=Microsoft Exchange,CN
[5149]  msExchPoliciesExcluded: value = {26491cfc-9e50-4857-861b-0cb8df22b5d7}
[5149] Fiber exit Tx=177 bytes Rx=31451 bytes, status=1
[5149] Session End
0
Chris Dent (PowerShell Developer) Commented:

This is the problem:

> ldap://10.203.111.110:3268

msNPAllowDialin is not published into the Global Catalog, which is what you're talking to if you're using TCP Port 3268.

There are two ways to fix this:

1. Use LDAP (TCP Port 389) - I assume there's a reason you're using the GC though?
2. Add msNPAllowDialin to the GC - Find the attribute definition in the schema, set isMemberOfPartialAttributeSet to True (then wait a while for that change to replicate)

The impact of that change is minimal considering this is a boolean value.

Chris
0
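As an added example (not code from the thread, Cisco or Microsoft), the PowerShell below reproduces Chris's diagnosis and his option 2: it runs the ASA's search twice, against TCP 3268 and TCP 389, then reads the isMemberOfPartialAttributeSet flag on the schema object that decides whether a Global Catalog carries msNPAllowDialin at all. Assumptions: the server address, base DN and account are taken from the debug output above; the script runs on a domain-joined Windows host as a user who can read the schema, and as a member of Schema Admins if -Publish is used.

```powershell
# Added example for this thread; not code from the original poster, Cisco or Microsoft.
# Runs the ASA's search twice (GC port 3268 vs. LDAP port 389), then reads the schema
# flag that decides whether a Global Catalog carries msNPAllowDialin at all.
# Assumptions: server, base DN and account are taken from the debug output above;
# the script runs on a domain-joined Windows host as a user who can read the schema,
# and as a member of Schema Admins if -Publish is used.
[CmdletBinding()]
param(
    [string]$Server         = '10.203.111.110',
    [string]$SearchBase     = 'DC=AD,DC=ENNEMTECH,DC=com',
    [string]$SamAccountName = 'gan28929',
    [switch]$Publish
)

Add-Type -AssemblyName System.DirectoryServices

function Get-DialinAttribute {
    # Same filter, scope and base the ASA used, against the given port.
    param([int]$Port)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/${SearchBase}")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(sAMAccountName=$SamAccountName)"
    $searcher.SearchScope = 'Subtree'
    # On 389 a forest-root DC answers for a child-domain user with a referral.
    # DirectorySearcher can chase it; the ASA cannot, which is why it needs the GC.
    $searcher.ReferralChasing = 'All'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msNPAllowDialin', 'distinguishedName'))

    $result = $searcher.FindOne()
    if (-not $result) { throw "sAMAccountName=$SamAccountName not found under $SearchBase via port $Port" }

    # ResultPropertyCollection keys are lower-case. A missing key means the server did not
    # return the attribute: either it is not in the GC partial attribute set, or the account
    # uses 'Control access through Remote Access Policy', in which case it is not set at all.
    $value = $null
    if ($result.Properties.Contains('msnpallowdialin')) {
        $value = [bool]$result.Properties['msnpallowdialin'][0]
    }
    New-Object PSObject -Property @{
        Port              = $Port
        DistinguishedName = $result.Properties['distinguishedname'][0]
        msNPAllowDialin   = $value
    }
}

function Get-SchemaAttribute {
    # Locates the attributeSchema object for msNPAllowDialin on the given DC.
    param([string]$Dc)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Dc}/RootDSE")
    $schemaNc = $rootDse.Properties['schemaNamingContext'][0]
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Dc}/${schemaNc}")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter      = '(&(objectClass=attributeSchema)(lDAPDisplayName=msNPAllowDialin))'
    $searcher.SearchScope = 'OneLevel'
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "msNPAllowDialin has no attributeSchema object on $Dc" }
    $hit.GetDirectoryEntry()
}

# 1. What the ASA sees on each port.
$gc   = Get-DialinAttribute -Port 3268
$ldap = Get-DialinAttribute -Port 389
$gc, $ldap | Format-Table Port, msNPAllowDialin, DistinguishedName -AutoSize

# 2. Why: isMemberOfPartialAttributeSet on the schema object controls GC replication.
$attr  = Get-SchemaAttribute -Dc $Server
$inPas = [bool]$attr.Properties['isMemberOfPartialAttributeSet'].Value
"isMemberOfPartialAttributeSet on $($attr.Properties['distinguishedName'].Value): $inPas"

# 3. Optional fix (Chris's option 2). Schema writes are only accepted by the schema master,
#    so rebind there rather than to $Server.
if ($Publish -and -not $inPas) {
    $forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $master       = $forest.SchemaRoleOwner.Name
    $attrOnMaster = Get-SchemaAttribute -Dc $master
    $attrOnMaster.Properties['isMemberOfPartialAttributeSet'].Value = $true
    $attrOnMaster.CommitChanges()
    "Published msNPAllowDialin to the partial attribute set on $master; re-run after GC replication."
}
```

Run it without switches for the report and add -Publish to set the flag. For an account with "Allow access" selected, the port 389 row shows True while the port 3268 row stays empty until the flag has replicated to the GCs. In a Windows Server 2003 forest, adding an attribute to the partial attribute set does not force a full GC re-synchronisation (it did in Windows 2000 forests), which is the cost Chris calls minimal. One caveat worth testing after the change: an attribute that never arrives is not the same as FALSE on the ASA. A missing attribute matches no map-value in the ldap attribute-map, so the user falls back to the group-policy defaults instead of being denied; verify with an account that has "Deny access" set, not only with an allowed one.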

ganmax (Author) Commented:
Hi Chris,

I have adopted solution 2 and made the necessary changes on the LDAP server to publish the msNPAllowDialin attribute to the GC servers.

I was not able to adopt solution 1 of using port 389, since I need to authenticate and fetch details for users across different domains, which is not possible when I connect to port 389.
0