LDAP AUTHENTICATION IN CISCO ASA FOR CISCO CLIENT VPN

Posted on 2010-04-05
1,634 Views
Last Modified: 2013-12-24
Hi,
I am trying to set up LDAP authentication for client VPN based on the dial-in permission enabled in AD.

I have successfully configured the AD servers in AAA and am able to do a test authorization and authentication to these servers from the ASA.

I have also configured LDAP attribute mapping.

However, I am not able to fetch the msNPAllowDialin attribute through an LDAP query.

For testing I ran debug ldap 255 on the console and tried testing authorization/authentication for an AD account. I was able to see various parameters like memberOf, proxyAddresses, displayName etc. listed with their values, but I don't see the msNPAllowDialin attribute.

Do I need to make any changes in the ASA or in my LDAP server?


ASA Model - Cisco 5510, Version 8.0(4)33
LDAP      - Windows 2003 Server
Question by:ganmax
3 Comments
 

Author Comment

by:ganmax
ID: 29898056
Please find the output of debug ldap 255 below; I am not able to see the msNPAllowDialin attribute here. Can anyone help me find what the issue is? (Note: the tested account gan28929 does have dial-in access enabled in AD.)


[5149] Session Start
[5149] New request Session, context 0x2c66edc, reqType = 0
[5149] Fiber started
[5149] Creating LDAP context with uri=ldap://10.203.111.110:3268
[5149] Binding as administrator
[5149] Performing Simple authentication for admin_test to 10.203.111.110
[5149] Connect to LDAP server: ldap://10.203.111.110:3268, status = Successful
[5149] LDAP Search:
        Base DN = [DC=AD,DC=ENNEMTECH,DC=com]
        Filter  = [sAMAccountName=gan28929]
        Scope   = [SUBTREE]
[5149] Retrieved Attributes:
[5149]  objectClass: value = top
[5149]  objectClass: value = person
[5149]  objectClass: value = organizationalPerson
[5149]  objectClass: value = user
[5149]  cn: value = Suresh Kumar
[5149]  sn: value = Kumar
[5149]  c: value = IN
[5149]  l: value = delhi
[5149]  title: value = Engineer
[5149]  description: value = AD Completed
[5149]  postalCode: value = 600032
[5149]  physicalDeliveryOfficeName: value = delhi
[5149]  telephoneNumber: value = 911111111111
[5149]  facsimileTelephoneNumber: value =
[5149]  userCertificate: value = 0...0..8........;.......@0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8........jPm......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8........f........0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*..........:......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......6..n......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......a.t.....~.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......\{.~....q.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......B..<....g.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*...............V.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..8.......M.......0.0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*....... <.w...."90...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......yq.,......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  userCertificate: value = 0...0..*.......yk~.......0...*.H........0U1.0.....&...,d....COM1.0.....&...,d...
[5149]  givenName: value = Suresh
[5149]  distinguishedName: value = CN=Suresh Kumar,OU=Users,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  instanceType: value = 4
[5149]  whenCreated: value = 20061107063717.0Z
[5149]  whenChanged: value = 20100405111754.0Z
[5149]  displayName: value = Suresh Kumar
[5149]  otherTelephone: value = 6205551
[5149]  uSNCreated: value = 72923
[5149]  memberOf: value = CN=CHE-DG-ADMIN-USERS,OU=IT,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  memberOf: value = CN=ALL_IT_ISMS_READ,OU=IT,OU=GUR,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  uSNChanged: value = 67210449
[5149]  co: value = India
[5149]  department: value = IT
[5149]  company: value = ENNEMTECH
[5149]  proxyAddresses: value = eum:6205551;phone-context=AsianEV.AD.ENNEMTECH.COM
[5149]  proxyAddresses: value = EUM:Suresh.Kumar@ENNEMTECH.com;phone-context=AsianEV.AD.ENNEMTECH.COM
[5149]  proxyAddresses: value = X500:/O=frogdesign/OU=FROGNT/cn=Recipients/cn=Suresh.Kumar
[5149]  proxyAddresses: value = X500:/o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients
[5149]  proxyAddresses: value = sip:Suresh.Kumar@ENNEMTECH.com
[5149]  proxyAddresses: value = smtp:gan28929@ENNEMTECH.com
[5149]  proxyAddresses: value = SMTP:Suresh.Kumar@ENNEMTECH.com
[5149]  proxyAddresses: value = X500:/o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients
[5149]  proxyAddresses: value = notes:UID=d8dd54ee-c6ed25f5-652571a9-4e11db
[5149]  proxyAddresses: value = NOTES:Suresh Kumar/CHE/HSS@HSS
[5149]  name: value = Suresh Kumar
[5149]  objectGUID: value = .._..}.C.u.2..<n
[5149]  userAccountControl: value = 544
[5149]  pwdLastSet: value = 129091277565688900
[5149]  primaryGroupID: value = 513
[5149]  objectSid: value = ..............X#W.......9...
[5149]  sAMAccountName: value = gan28929
[5149]  sAMAccountType: value = 805306368
[5149]  sIDHistory: value = ..................Pz#_ck]...
[5149]  showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[5149]  showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=ENNEMTECH,CN=Micro
[5149]  legacyExchangeDN: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=c
[5149]  userPrincipalName: value = gan28929@ASIAN.AD.ENNEMTECH.COM
[5149]  ipPhone: value = 6205551
[5149]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  dSCorePropagationData: value = 20090122135746.0Z
[5149]  dSCorePropagationData: value = 20080723112854.0Z
[5149]  dSCorePropagationData: value = 20080611145838.0Z
[5149]  dSCorePropagationData: value = 20080216064559.0Z
[5149]  dSCorePropagationData: value = 16010714223649.0Z
[5149]  mail: value = Suresh.Kumar@ENNEMTECH.com
[5149]  manager: value = CN=Raj Kumar,OU=Users,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  mobile: value = 911111111111
[5149]  msRTCSIP-UserPolicy: value = B:8:01000000:CN={5144797E-E015-4585-8A6E-251425BFD306},CN=Policies,CN=RTC Servic
[5149]  msExchUserAccountControl: value = 0
[5149]  msExchUMTemplateLink: value = CN=AsianEV,CN=UM Mailbox Policies,CN=ENNEMTECH,CN=Microsoft Exchange,CN=Services,C
[5149]  msRTCSIP-FederationEnabled: value = TRUE
[5149]  mDBUseDefaults: value = TRUE
[5149]  msRTCSIP-ArchivingEnabled: value = 0
[5149]  msExchUserCulture: value = en-US
[5149]  msRTCSIP-InternetAccessEnabled: value = TRUE
[5149]  msExchUMRecipientDialPlanLink: value = CN=AsianEV,CN=UM DialPlan Container,CN=ENNEMTECH,CN=Microsoft Exchange,CN=Services
[5149]  msExchMailboxGuid: value = ].{..2.@.Io?.S.s
[5149]  msExchVersion: value = 4535486012416
[5149]  msExchMailboxSecurityDescriptor: value = ........ .......,.......................................................
[5149]  msRTCSIP-OptionFlags: value = 449
[5149]  protocolSettings: value = OWA..1
[5149]  protocolSettings: value = HTTP..1..1............
[5149]  protocolSettings: value = POP3..0................
[5149]  msRTCSIP-PrimaryUserAddress: value = sip:Suresh.Kumar@ENNEMTECH.com
[5149]  msRTCSIP-Line: value = tel:6295551
[5149]  submissionContLength: value = 10240
[5149]  msExchUMDtmfMap: value = emailAddress:42637478272626426
[5149]  msExchUMDtmfMap: value = lastNameFirstName:78272626426426374
[5149]  msExchUMDtmfMap: value = firstNameLastName:42637478272626426
[5149]  msExchUMEnabledFlags: value = 831
[5149]  msRTCSIP-UserEnabled: value = TRUE
[5149]  msExchUMPinChecksum: value = ..RT.....cFK.n..p.u.............................................................
[5149]  msRTCSIP-PrimaryHomeServer: value = CN=LC Services,CN=Microsoft,CN=OCSR2POOL,CN=Pools,CN=RTC Service,CN=Services,CN=
[5149]  msExchOmaAdminWirelessEnable: value = 4
[5149]  msExchRecipientDisplayType: value = 1073741824
[5149]  delivContLength: value = 10240
[5149]  msExchHomeServerName: value = /o=ENNEMTECH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/c
[5149]  homeMDB: value = CN=GUREXMB02-SG2-BLR-CHE-USERS-DB2,CN=GUREXMB02-SG2-BLR-CHE-USERS,CN=Information
[5149]  msExchRecipientTypeDetails: value = 1
[5149]  mailNickname: value = Suresh.Kumar
[5149]  msExchMailboxTemplateLink: value = CN=MRM POLICY 90days,CN=ELC Mailbox Policies,CN=ENNEMTECH,CN=Microsoft Exchange,CN
[5149]  msExchPoliciesExcluded: value = {26491cfc-9e50-4857-861b-0cb8df22b5d7}
[5149] Fiber exit Tx=177 bytes Rx=31451 bytes, status=1
[5149] Session End
LVL 71

Accepted Solution

by: Chris Dent (earned 2000 total points)
ID: 29999373

This is the problem:

> ldap://10.203.111.110:3268

msNPAllowDialin is not published into the Global Catalog, which is what you're talking to if you're using TCP Port 3268.

There are two ways to fix this:

1. Use LDAP (TCP Port 389) - I assume there's a reason you're using the GC though?
2. Add msNPAllowDialin to the GC - Find the attribute definition in the schema, set isMemberOfPartialAttributeSet to True (then wait a while for that change to replicate).

The impact of that change is minimal considering this is a boolean value.

Chris
 
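The check Chris describes (is the ASA bound to a Global Catalog port, and is the mapped attribute absent from what came back?) can be automated against the "debug ldap 255" output. This is an added example, not code from the thread or from Cisco; the debug excerpt is constructed to follow the format posted above, and the GC ports 3268/3269 are the standard Active Directory GC ports.

```python
import re

# Ports on which a domain controller serves the Global Catalog (LDAP / LDAPS).
# The GC holds only the partial attribute set, and msNPAllowDialin is not in it by default.
GC_PORTS = {3268, 3269}

URI_RE = re.compile(r"uri=(ldaps?)://([^:/\s]+)(?::(\d+))?")
# Matches "[5149]  attrName: value = ..." lines in the ASA debug output.
ATTR_RE = re.compile(r"^\[\d+\]\s+([A-Za-z0-9-]+): value =", re.MULTILINE)

# Constructed excerpt in the format of the debug output posted in this thread.
SAMPLE_DEBUG = """\
[5149] Creating LDAP context with uri=ldap://10.203.111.110:3268
[5149] Binding as administrator
[5149] LDAP Search:
        Base DN = [DC=AD,DC=ENNEMTECH,DC=com]
        Filter  = [sAMAccountName=gan28929]
        Scope   = [SUBTREE]
[5149] Retrieved Attributes:
[5149]  objectClass: value = top
[5149]  memberOf: value = CN=CHE-DG-ADMIN-USERS,OU=IT,OU=CHE,OU=IN,DC=ASIAN,DC=AD,DC=ENNEMTECH,DC=COM
[5149]  sAMAccountName: value = gan28929
[5149]  userAccountControl: value = 544
[5149] Fiber exit Tx=177 bytes Rx=31451 bytes, status=1
"""

def parse_debug(debug_text):
    """Extract the server URI the ASA bound to and the attribute names it received."""
    m = URI_RE.search(debug_text)
    if not m:
        raise ValueError("no 'Creating LDAP context with uri=' line found")
    scheme, host, port = m.groups()
    port = int(port) if port else (636 if scheme == "ldaps" else 389)
    return {"scheme": scheme, "host": host, "port": port, "attributes": set(ATTR_RE.findall(debug_text))}

def diagnose(debug_text, required_attrs):
    """Report which mapped attributes are missing and whether a GC bind explains it."""
    info = parse_debug(debug_text)
    missing = sorted(set(required_attrs) - info["attributes"])
    on_gc = info["port"] in GC_PORTS
    if missing and on_gc:
        verdict = ("Missing %s; the ASA is bound to the Global Catalog (port %d), which serves only the "
                   "partial attribute set. Bind to port 389/636 instead, or set isMemberOfPartialAttributeSet "
                   "to TRUE on the attribute's schema definition." % (", ".join(missing), info["port"]))
    elif missing:
        verdict = "Missing %s on a non-GC port; check the value is set on the object and readable by the bind account." % ", ".join(missing)
    else:
        verdict = "All required attributes were returned."
    return {**info, "missing": missing, "on_gc": on_gc, "verdict": verdict}
```

Feed it the real debug output and the list of attributes named in your ldap attribute-map; a GC port plus a missing attribute points at the partial attribute set rather than at the ASA configuration.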

Author Comment

by:ganmax
ID: 30516490
Hi Chris,

I have adopted solution 2 and have made the necessary changes in the LDAP server to publish the msNPAllowDialin attribute to the GC servers.

I was not able to adopt solution 1 of using port 389, since I need to authenticate and fetch details for users across different domains, which is not possible when I connect to port 389.
