ganmax
LDAP AUTHENTICATION IN CISCO ASA FOR CISCO CLIENT VPN
Hi,
I am trying to set up LDAP authentication for the client VPN based on the dial-in permission enabled in AD.
I have successfully configured the AD servers in AAA and am able to do a test authorization and authentication against these servers from the ASA.
I have also configured LDAP attribute mapping.
However, I am not able to fetch the msNPAllowDialin attribute through the LDAP query.
For testing I ran "debug ldap 255" in the console and tried a test authorization/authentication for an AD account. I was able to see various parameters such as memberOf, proxyAddresses, displayName etc. listed with their values, but I don't see the msNPAllowDialin attribute.
Do I need to make any changes in the ASA or in my LDAP server?
ASA Model - Cisco 5510, Version 8.0(4)33
LDAP - Windows 2003 Server
ASKER CERTIFIED SOLUTION
ASKER
Hi Chris,
I have adopted solution 2 and have made the necessary changes in the LDAP server to publish the msNPAllowDialin attribute to the GC servers.
I was not able to adopt solution 1 of using port 389 since I need to authenticate and fetch details for users across different domains, which is not possible when I connect to port 389.
ASKER
[5149] Session Start
[5149] New request Session, context 0x2c66edc, reqType = 0
[5149] Fiber started
[5149] Creating LDAP context with uri=ldap://10.203.111.110:
[5149] Binding as administrator
[5149] Performing Simple authentication for admin_test to 10.203.111.110
[5149] Connect to LDAP server: ldap://10.203.111.110:3268
[5149] LDAP Search:
Base DN = [DC=AD,DC=ENNEMTECH,DC=com
Filter = [sAMAccountName=gan28929]
Scope = [SUBTREE]
[5149] Retrieved Attributes:
[5149] objectClass: value = top
[5149] objectClass: value = person
[5149] objectClass: value = organizationalPerson
[5149] objectClass: value = user
[5149] cn: value = Suresh Kumar
[5149] sn: value = Kumar
[5149] c: value = IN
[5149] l: value = delhi
[5149] title: value = Engineer
[5149] description: value = AD Completed
[5149] postalCode: value = 600032
[5149] physicalDeliveryOfficeName
[5149] telephoneNumber: value = 911111111111
[5149] facsimileTelephoneNumber: value =
[5149] userCertificate: value = 0...0..8........;.......@0
[5149] userCertificate: value = 0...0..8........jPm......0
[5149] userCertificate: value = 0...0..8........f........0
[5149] userCertificate: value = 0...0..*..........:......0
[5149] userCertificate: value = 0...0..*.......6..n......0
[5149] userCertificate: value = 0...0..*.......a.t.....~.0
[5149] userCertificate: value = 0...0..*.......\{.~....q.0
[5149] userCertificate: value = 0...0..*.......B..<....g.0
[5149] userCertificate: value = 0...0..*...............V.0
[5149] userCertificate: value = 0...0..8.......M.......0.0
[5149] userCertificate: value = 0...0..*....... <.w...."90...*.H........0U
[5149] userCertificate: value = 0...0..*.......yq.,......0
[5149] userCertificate: value = 0...0..*.......yk~.......0
[5149] givenName: value = Suresh
[5149] distinguishedName: value = CN=Suresh Kumar,OU=Users,OU=CHE,OU=I
[5149] instanceType: value = 4
[5149] whenCreated: value = 20061107063717.0Z
[5149] whenChanged: value = 20100405111754.0Z
[5149] displayName: value = Suresh Kumar
[5149] otherTelephone: value = 6205551
[5149] uSNCreated: value = 72923
[5149] memberOf: value = CN=CHE-DG-ADMIN-USERS,OU=I
[5149] memberOf: value = CN=ALL_IT_ISMS_READ,OU=IT,
[5149] uSNChanged: value = 67210449
[5149] co: value = India
[5149] department: value = IT
[5149] company: value = ENNEMTECH
[5149] proxyAddresses: value = eum:6205551;phone-context=
[5149] proxyAddresses: value = EUM:Suresh.Kumar@ENNEMTECH
[5149] proxyAddresses: value = X500:/O=frogdesign/OU=FROG
[5149] proxyAddresses: value = X500:/o=ENNEMTECH/ou=Excha
[5149] proxyAddresses: value = sip:Suresh.Kumar@ENNEMTECH
[5149] proxyAddresses: value = smtp:gan28929@ENNEMTECH.co
[5149] proxyAddresses: value = SMTP:Suresh.Kumar@ENNEMTEC
[5149] proxyAddresses: value = X500:/o=ENNEMTECH/ou=Excha
[5149] proxyAddresses: value = notes:UID=d8dd54ee-c6ed25f
[5149] proxyAddresses: value = NOTES:Suresh Kumar/CHE/HSS@HSS
[5149] name: value = Suresh Kumar
[5149] objectGUID: value = .._..}.C.u.2..<n
[5149] userAccountControl: value = 544
[5149] pwdLastSet: value = 129091277565688900
[5149] primaryGroupID: value = 513
[5149] objectSid: value = ..............X#W.......9.
[5149] sAMAccountName: value = gan28929
[5149] sAMAccountType: value = 805306368
[5149] sIDHistory: value = ..................Pz#_ck].
[5149] showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[5149] showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=ENNEMTECH,CN=
[5149] legacyExchangeDN: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
[5149] userPrincipalName: value = gan28929@ASIAN.AD.ENNEMTEC
[5149] ipPhone: value = 6205551
[5149] objectCategory: value = CN=Person,CN=Schema,CN=Con
[5149] dSCorePropagationData: value = 20090122135746.0Z
[5149] dSCorePropagationData: value = 20080723112854.0Z
[5149] dSCorePropagationData: value = 20080611145838.0Z
[5149] dSCorePropagationData: value = 20080216064559.0Z
[5149] dSCorePropagationData: value = 16010714223649.0Z
[5149] mail: value = Suresh.Kumar@ENNEMTECH.com
[5149] manager: value = CN=Raj Kumar,OU=Users,OU=CHE,OU=I
[5149] mobile: value = 911111111111
[5149] msRTCSIP-UserPolicy: value = B:8:01000000:CN={5144797E-
[5149] msExchUserAccountControl: value = 0
[5149] msExchUMTemplateLink: value = CN=AsianEV,CN=UM Mailbox Policies,CN=ENNEMTECH,CN=M
[5149] msRTCSIP-FederationEnabled
[5149] mDBUseDefaults: value = TRUE
[5149] msRTCSIP-ArchivingEnabled:
[5149] msExchUserCulture: value = en-US
[5149] msRTCSIP-InternetAccessEna
[5149] msExchUMRecipientDialPlanL
[5149] msExchMailboxGuid: value = ].{..2.@.Io?.S.s
[5149] msExchVersion: value = 4535486012416
[5149] msExchMailboxSecurityDescr
[5149] msRTCSIP-OptionFlags: value = 449
[5149] protocolSettings: value = OWA..1
[5149] protocolSettings: value = HTTP..1..1............
[5149] protocolSettings: value = POP3..0................
[5149] msRTCSIP-PrimaryUserAddres
[5149] msRTCSIP-Line: value = tel:6295551
[5149] submissionContLength: value = 10240
[5149] msExchUMDtmfMap: value = emailAddress:4263747827262
[5149] msExchUMDtmfMap: value = lastNameFirstName:78272626
[5149] msExchUMDtmfMap: value = firstNameLastName:42637478
[5149] msExchUMEnabledFlags: value = 831
[5149] msRTCSIP-UserEnabled: value = TRUE
[5149] msExchUMPinChecksum: value = ..RT.....cFK.n..p.u.......
[5149] msRTCSIP-PrimaryHomeServer
[5149] msExchOmaAdminWirelessEnab
[5149] msExchRecipientDisplayType
[5149] delivContLength: value = 10240
[5149] msExchHomeServerName: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Confi
[5149] homeMDB: value = CN=GUREXMB02-SG2-BLR-CHE-U
[5149] msExchRecipientTypeDetails
[5149] mailNickname: value = Suresh.Kumar
[5149] msExchMailboxTemplateLink:
[5149] msExchPoliciesExcluded: value = {26491cfc-9e50-4857-861b-0
[5149] Fiber exit Tx=177 bytes Rx=31451 bytes, status=1
[5149] Session End
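The debug above shows exactly the situation the thread is about: the ASA binds to port 3268 (the Global Catalog) and gets back many attributes but not msNPAllowDialin, because the GC only serves the partial attribute set unless the attribute has been published to it. The following script is an added example, not part of this thread, of the asker's configuration, or of any Cisco tool. It parses the shape of ASA "debug ldap 255" output, lists which attributes were actually returned, and explains a missing attribute in terms of the port that was used (GC 3268/3269 versus DC 389/636). The sample log embedded in it is constructed for the example (hosts, names and values are made up) and the attribute-line regex is an assumption about the debug format based only on the lines posted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like ASA "debug ldap 255" output (not the asker's real log):
# a Global Catalog (port 3268) lookup whose result lacks msNPAllowDialin.
SAMPLE_GC_DEBUG = """\
[5149] Session Start
[5149] Creating LDAP context with uri=ldap://192.0.2.10:
[5149] Binding as administrator
[5149] Connect to LDAP server: ldap://192.0.2.10:3268
[5149] LDAP Search:
        Base DN = [DC=AD,DC=EXAMPLE,DC=com]
        Filter  = [sAMAccountName=jdoe]
        Scope   = [SUBTREE]
[5149] Retrieved Attributes:
[5149]  objectClass: value = top
[5149]  objectClass: value = user
[5149]  memberOf: value = CN=VPN-Users,OU=Groups,DC=AD,DC=EXAMPLE,DC=com
[5149]  sAMAccountName: value = jdoe
[5149]  userAccountControl: value = 512
[5149]  physicalDeliveryOfficeName
[5149] Fiber exit Tx=177 bytes Rx=2048 bytes, status=1
[5149] Session End
"""

GLOBAL_CATALOG_PORTS = {3268, 3269}   # GC: partial attribute set, forest-wide
DOMAIN_PORTS = {389, 636}             # DC: full attribute set, single domain

CONNECT_RE = re.compile(r"Connect to LDAP server: ldaps?://([^:/\s]+):(\d+)")
# "[id] name: value = ..."; the colon and value are optional because the ASA
# truncates long lines (e.g. "physicalDeliveryOfficeName" with nothing after it).
ATTR_RE = re.compile(r"^\[\d+\]\s+([A-Za-z0-9-]+):?(?:\s+value\s*=\s*(.*))?$")


def parse_asa_ldap_debug(text: str) -> Dict[str, object]:
    """Extract the server host/port and the attributes the ASA received."""
    host: Optional[str] = None
    port: Optional[int] = None
    attributes: Dict[str, List[str]] = {}
    in_attrs = False
    for line in text.splitlines():
        line = line.rstrip()
        m = CONNECT_RE.search(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            continue
        if "Retrieved Attributes:" in line:
            in_attrs = True
            continue
        if "Fiber exit" in line or "Session End" in line:
            in_attrs = False
            continue
        if in_attrs:
            m = ATTR_RE.match(line)
            if m:
                values = attributes.setdefault(m.group(1), [])
                if m.group(2) is not None:
                    values.append(m.group(2))
    return {"host": host, "port": port, "attributes": attributes}


def check_expected_attribute(parsed: Dict[str, object], wanted: str) -> Dict[str, object]:
    """Report whether `wanted` came back and, if not, what the port implies."""
    attributes = parsed["attributes"]
    by_lower = {name.lower(): name for name in attributes}  # LDAP names are case-insensitive
    port = parsed["port"]
    found = by_lower.get(wanted.lower())
    if found is not None:
        return {"attribute": wanted, "present": True, "port": port,
                "values": list(attributes[found]), "hint": "returned by the server"}
    if port in GLOBAL_CATALOG_PORTS:
        hint = ("missing on Global Catalog port %d: the GC serves only the partial attribute set, "
                "so publish the attribute to the GC in the schema or query a DC on 389/636" % port)
    elif port in DOMAIN_PORTS:
        hint = ("missing on domain port %d: check that the attribute is set on the user "
                "and readable by the bind account" % port)
    else:
        hint = "missing; server port not found in the debug output"
    return {"attribute": wanted, "present": False, "port": port, "values": [], "hint": hint}


if __name__ == "__main__":
    parsed = parse_asa_ldap_debug(SAMPLE_GC_DEBUG)
    print("server %s:%s, %d attributes returned" % (parsed["host"], parsed["port"], len(parsed["attributes"])))
    for name in sorted(parsed["attributes"], key=str.lower):
        print("  %-28s %s" % (name, parsed["attributes"][name]))
    print(check_expected_attribute(parsed, "msNPAllowDialin")["hint"])
```

Paste a real debug capture into SAMPLE_GC_DEBUG (or read it from a file) and run the script; a missing attribute on port 3268 points at GC replication, which is the fix the asker ended up applying, while a missing attribute on 389/636 points at the user object or the bind account's read access instead.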