Kenoboy
asked on
ASA 5510 LDAP group authentication
I have set up AnyConnect to authenticate to AD using LDAP. This works so well that it authenticates all users in the domain. I am looking to only authenticate users that are members of the VPN group (ASA Users). I have set up an LDAP attribute-map, but it still is not filtering users that are members of the group specified. I have read online to change the group-policy DfltGrpPolicy attribute vpn-simultaneous-logins to 0. When I do this, no one is authenticated. Below I have pasted the config that is relevant to the VPN and LDAP server. I have also included debugs for one account that is a member of ASA Users, and a debug of a user that is not a member of ASA Users. Any help would be appreciated, as I have been researching this for the last day and a half. Thanks in advance.
ldap attribute-map ASA_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com" COMPANY_VPN
aaa-server LDAP_Company_VPN protocol ldap
aaa-server LDAP_Company_VPN (INSIDE) host 10.1.2.10
 server-port 389
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Computers,DC=company,DC=com
 server-type microsoft
 ldap-attribute-map ASA_MAP
group-policy COMPANY_VPN internal
group-policy COMPANY_VPN attributes
 dns-server value 10.1.2.10 10.1.2.24
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value company.com
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
tunnel-group COMPANY_VPN type remote-access
tunnel-group COMPANY_VPN general-attributes
 address-pool COMPANY_VPN_POOL
 authentication-server-group LDAP_Company_VPN
 default-group-policy COMPANY_VPN
tunnel-group COMPANY_VPN webvpn-attributes
 group-alias COMPANY_VPN_users enable
-------
Debug on account that should have access
[195] Session Start
[195] New request Session, context 0xce5d9018, reqType = Authentication
[195] Fiber started
[195] Creating LDAP context with uri=ldap://10.1.2.10:389
[195] Connect to LDAP server: ldap://10.1.2.10:389, status = Successful
[195] supportedLDAPVersion: value = 3
[195] supportedLDAPVersion: value = 2
[195] Binding as Administrator
[195] Performing Simple authentication for Administrator to 10.1.2.10
[195] LDAP Search:
Base DN = [dc=company,dc=com]
Filter = [sAMAccountName=kenobeadle]
Scope = [SUBTREE]
[195] User DN = [CN=Keno Beadle,CN=Users,DC=company,DC=com]
[195] Talking to Active Directory server 10.1.2.10
[195] Reading password policy for kenobeadle, dn:CN=Keno Beadle,CN=Users,DC=company,DC=com
[195] Read bad password count 0
[195] Binding as kenobeadle
[195] Performing Simple authentication for kenobeadle to 10.1.2.10
[195] Processing LDAP response for user kenobeadle
[195] Message (kenobeadle):
[195] Authentication successful for kenobeadle to 10.1.2.10
[195] Retrieved User Attributes:
[195] objectClass: value = top
[195] objectClass: value = person
[195] objectClass: value = organizationalPerson
[195] objectClass: value = user
[195] cn: value = Keno Beadle
[195] sn: value = Beadle
[195] givenName: value = Keno
[195] distinguishedName: value = CN=Keno Beadle,CN=Users,DC=company,DC=com
[195] instanceType: value = 4
[195] whenCreated: value = 20100628133516.0Z
[195] whenChanged: value = 20100824162032.0Z
[195] displayName: value = Keno Beadle
[195] uSNCreated: value = 661752386
[195] memberOf: value = CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com
[195] mapped to IETF-Radius-Class: value = COMPANY_VPN
[195] mapped to LDAP-Class: value = COMPANY_VPN
[195] uSNChanged: value = 664085514
[195] homeMTA: value = CN=Microsoft MTA,CN=TN1DX02,CN=Servers,CN=Jackson TN1,CN=Administrative Groups,CN
[195] proxyAddresses: value = smtp:KBeadle2@CompanyPl.com
[195] proxyAddresses: value = smtp:KBeadle2@CompanyPlasticsGroup.com
[195] proxyAddresses: value = smtp:KBeadle2@Companypgi.com
[195] proxyAddresses: value = smtp:Keno.Beadle@Companyplasticsgroup.com
[195] proxyAddresses: value = X400:c=US;a= ;p=CompanyPl;o=Atlanta01;s=Beadle;g=Keno;
[195] proxyAddresses: value = SMTP:Keno.Beadle@Companypgi.com
[195] homeMDB: value = CN=Mailbox Store (TN1DX02),CN=First Storage Group,CN=InformationStore,CN=TN1DX02
[195] mDBUseDefaults: value = TRUE
[195] mailNickname: value = kenobeadle
[195] name: value = Keno Beadle
[195] objectGUID: value = /.F@..^F...v..H.
[195] userAccountControl: value = 66048
[195] badPwdCount: value = 0
[195] codePage: value = 0
[195] countryCode: value = 0
[195] badPasswordTime: value = 0
[195] lastLogoff: value = 0
[195] lastLogon: value = 0
[195] pwdLastSet: value = 129271402411406250
[195] primaryGroupID: value = 513
[195] objectSid: value = .............Q:<>o.On4...{ ..
[195] accountExpires: value = 9223372036854775807
[195] logonCount: value = 0
[195] sAMAccountName: value = kenobeadle
[195] sAMAccountType: value = 805306368
[195] showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[195] showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=CompanyPl
[195] legacyExchangeDN: value = /O=CompanyPl/OU=JacksonTN1/cn=Recipients/cn=kenobeadle
[195] userPrincipalName: value = kenobeadle@company.com
[195] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com
[195] lastLogonTimestamp: value = 129271402565000000
[195] textEncodedORAddress: value = c=US;a= ;p=CompanyPl;o=Atlanta01;s=Beadle;g=Keno;
[195] mail: value = Keno.Beadle@Companypgi.com
[195] msExchPoliciesIncluded: value = {7D9F9863-9593-44D3-9555-8FCACF7A9524},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
[195] msExchPoliciesIncluded: value = {5A5AFAD4-7498-403F-A395-99027179A262},{3B6813EC-CE89-42BA-9442-D87D4AA30DBC}
[195] msExchHomeServerName: value = /O=CompanyPl/OU=JacksonTN1/cn=Configuration/cn=Servers/cn=TN1DX02
[195] msExchALObjectVersion: value = 48
[195] msExchMailboxSecurityDescriptor: value = ....x.................d... .......... .......... ..:.3.2.6. 8......... .......... ....
[195] msExchUserAccountControl: value = 0
[195] msExchMailboxGuid: value = Q.....oB.B./Y...
[195] Fiber exit Tx=539 bytes Rx=4436 bytes, status=1
[195] Session End
--------
Debug on account that should not have access
[193] Session Start
[193] New request Session, context 0xce5d9018, reqType = Authentication
[193] Fiber started
[193] Creating LDAP context with uri=ldap://10.1.2.10:389
[193] Connect to LDAP server: ldap://10.1.2.10:389, status = Successful
[193] supportedLDAPVersion: value = 3
[193] supportedLDAPVersion: value = 2
[193] Binding as Administrator
[193] Performing Simple authentication for Administrator to 10.1.2.10
[193] LDAP Search:
Base DN = [dc=company,dc=com]
Filter = [sAMAccountName=companyadmin]
Scope = [SUBTREE]
[193] User DN = [CN=Company Admin,CN=Users,DC=company,DC=com]
[193] Talking to Active Directory server 10.1.2.10
[193] Reading password policy for companyadmin, dn:CN=Company Admin,CN=Users,DC=company,DC=com
[193] Read bad password count 1
[193] Binding as companyadmin
[193] Performing Simple authentication for companyadmin to 10.1.2.10
[193] Processing LDAP response for user companyadmin
[193] Message (companyadmin):
[193] Authentication successful for companyadmin to 10.1.2.10
[193] Retrieved User Attributes:
[193] objectClass: value = top
[193] objectClass: value = person
[193] objectClass: value = organizationalPerson
[193] objectClass: value = user
[193] cn: value = Company Admin
[193] sn: value = Admin
[193] givenName: value = Company
[193] distinguishedName: value = CN=Company Admin,CN=Users,DC=company,DC=com
[193] instanceType: value = 4
[193] whenCreated: value = 20100212140801.0Z
[193] whenChanged: value = 20100823132031.0Z
[193] displayName: value = Company Admin
[193] uSNCreated: value = 626370567
[193] memberOf: value = CN=qad,CN=Users,DC=company,DC=com
[193] mapped to IETF-Radius-Class: value = CN=qad,CN=Users,DC=company,DC=com
[193] mapped to LDAP-Class: value = CN=qad,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=Wireless,CN=Users,DC=company,DC=com
[193] mapped to IETF-Radius-Class: value = CN=Wireless,CN=Users,DC=company,DC=com
[193] mapped to LDAP-Class: value = CN=Wireless,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193] mapped to IETF-Radius-Class: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193] mapped to LDAP-Class: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193] mapped to IETF-Radius-Class: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193] mapped to LDAP-Class: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193] mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193] uSNChanged: value = 664037910
[193] name: value = Company Admin
[193] objectGUID: value = .l.....N.Z!O..R.
[193] userAccountControl: value = 66048
[193] badPwdCount: value = 1
[193] codePage: value = 0
[193] countryCode: value = 0
[193] badPasswordTime: value = 129273055381406250
[193] lastLogoff: value = 0
[193] lastLogon: value = 129270759310781250
[193] pwdLastSet: value = 129139075333281250
[193] primaryGroupID: value = 513
[193] objectSid: value = .............Q:<>o.On4...H ..
[193] adminCount: value = 1
[193] accountExpires: value = 9223372036854775807
[193] logonCount: value = 40
[193] sAMAccountName: value = companyadmin
[193] sAMAccountType: value = 805306368
[193] userPrincipalName: value = companyadmin@company.com
[193] lockoutTime: value = 0
[193] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com
[193] mSMQSignCertificates: value = ....LN...V0.:}f..?.#..c0.. .H.N./.r.4 ....0...0. .......... .ZU0...*.H .......0v1 .0..
[193] mSMQDigests: value = ...LC....A..y!..
[193] mSMQDigests: value = P........b...Z*2
[193] mSMQDigests: value = O..E..p1#.{....K
[193] mSMQDigests: value = .S.=..O......5.z
[193] mSMQDigests: value = \.Cv.wV. .|.....
[193] mSMQDigests: value = .O.t..]<...Y.Y..
[193] mSMQDigests: value = .'U..s.+[.~p.c.y
[193] mSMQDigests: value = LN...V0.:}f..?.#
[193] lastLogonTimestamp: value = 129268056962422521
[193] Fiber exit Tx=544 bytes Rx=6996 bytes, status=1
[193] Session End
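The two debugs above show the mechanism at work: for kenobeadle the single memberOf value is rewritten by map-value to COMPANY_VPN, while for companyadmin every memberOf value passes through as its raw DN, none of which names a group-policy. The following script is an added example, not part of the post or of Cisco's code. It replays constructed excerpts of both debug sessions through a model of the ASA's documented behaviour: a mapped IETF-Radius-Class value that matches a configured group-policy name selects that policy, anything else falls back to the tunnel-group's default-group-policy (COMPANY_VPN in the config above), and a group-policy that does not set vpn-simultaneous-logins inherits it from DfltGrpPolicy (whose factory default is 3). The third scenario, a zero-login policy named NOACCESS used as the tunnel-group default, is a constructed variant and an assumption of the example, not something this thread confirms.

```python
import re

# The poster's ldap attribute-map ASA_MAP, as a lookup table:
# memberOf value -> IETF-Radius-Class value.
MAP_VALUES = {
    "memberOf": {
        "CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com": "COMPANY_VPN",
    },
}

# Group-policies as the poster's config defines them. None means the policy does
# not set vpn-simultaneous-logins itself and inherits it from DfltGrpPolicy;
# 3 is the ASA factory default for DfltGrpPolicy (the posted config leaves it).
POSTER_CONFIG = {
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
    "COMPANY_VPN": {"vpn-simultaneous-logins": None},
}

# The poster's experiment: DfltGrpPolicy set to 0 logins, nothing else changed.
EXPERIMENT_CONFIG = {
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 0},
    "COMPANY_VPN": {"vpn-simultaneous-logins": None},
}

# Constructed variant (hypothetical policy name NOACCESS, not in the thread):
# a zero-login policy becomes the tunnel-group default, and COMPANY_VPN sets its
# own limit so it no longer inherits whatever DfltGrpPolicy says.
NOACCESS_CONFIG = {
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "COMPANY_VPN": {"vpn-simultaneous-logins": 3},
}

# Constructed excerpts of the two 'debug ldap' sessions in the post.
DEBUG_MEMBER = """\
[195] memberOf: value = CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com
[195] mapped to IETF-Radius-Class: value = COMPANY_VPN
"""
DEBUG_NONMEMBER = """\
[193] memberOf: value = CN=qad,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193] memberOf: value = CN=Domain Admins,CN=Users,DC=company,DC=com
"""


def member_of(debug):
    """Collect the memberOf values the ASA logged for one session."""
    return [v.strip() for v in re.findall(r"memberOf: value = (.+)", debug)]


def apply_attribute_map(attr, values):
    """map-value translation: a DN listed under map-value becomes the configured
    name; any other value passes through unchanged, which is the raw DN the
    second debug prints after 'mapped to IETF-Radius-Class'."""
    table = MAP_VALUES.get(attr, {})
    return [table.get(v, v) for v in values]


def select_group_policy(class_values, tunnel_default, policies):
    """The first mapped Class value that names a configured group-policy wins;
    otherwise the tunnel-group's default-group-policy applies."""
    for value in class_values:
        if value in policies:
            return value, "attribute-map"
    return tunnel_default, "tunnel-group default"


def simultaneous_logins(policy, policies):
    """Resolve vpn-simultaneous-logins, inheriting from DfltGrpPolicy when unset."""
    value = policies[policy]["vpn-simultaneous-logins"]
    if value is None:
        value = policies["DfltGrpPolicy"]["vpn-simultaneous-logins"]
    return value


def evaluate(debug, tunnel_default, policies):
    """Return (group-policy, how it was chosen, admitted?) for one session.
    A user whose effective vpn-simultaneous-logins is 0 cannot establish a session."""
    class_values = apply_attribute_map("memberOf", member_of(debug))
    policy, how = select_group_policy(class_values, tunnel_default, policies)
    return policy, how, simultaneous_logins(policy, policies) > 0


if __name__ == "__main__":
    scenarios = (
        ("config as posted", "COMPANY_VPN", POSTER_CONFIG),
        ("DfltGrpPolicy logins 0", "COMPANY_VPN", EXPERIMENT_CONFIG),
        ("NOACCESS as tunnel default", "NOACCESS", NOACCESS_CONFIG),
    )
    for label, default, policies in scenarios:
        print(label)
        for who, debug in (("kenobeadle", DEBUG_MEMBER), ("companyadmin", DEBUG_NONMEMBER)):
            print(f"  {who:13s} -> {evaluate(debug, default, policies)}")
```

The first scenario reproduces the complaint (both users land in COMPANY_VPN, the non-member via the tunnel-group default), the second reproduces the poster's experiment (COMPANY_VPN inherits the 0 and everyone is refused), and the third shows the only difference that separates the two users: the fallback policy, not DfltGrpPolicy, must be the one that allows zero logins.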
ASKER CERTIFIED SOLUTION
I have not been able to make this work with LDAP in my lab, and I have yet to find a document to allow this to work. If I use LDAP, then I have been using an OU instead of a group to allow only specific people to access the VPN. If you truly want to use a specific group, I would recommend using RADIUS, which is easily done using IAS on a Windows server.
Regards,
3nerds