Solved

ASA 5510 LDAP group authentication

Posted on 2010-08-26
Last Modified: 2012-05-10
I have set up AnyConnect to authenticate to AD using LDAP.  This works so well that it authenticates all users in the domain.  I am looking to only authenticate users that are members of the VPN group (ASA Users).  I have set up an LDAP attribute-map, but it is still not filtering users that are members of the group specified.  I have read online to change the group-policy DfltGrpPolicy attributes vpn-simultaneous-logins to 0.  When I do this, no one is authenticated.  Below I have pasted the config that is relevant to the VPN and LDAP server.  I have also included debugs for one account that is a member of ASA Users, and a debug of a user that is not a member of ASA Users.  Any help would be appreciated, as I have been researching this for the last day and a half.  Thanks in advance.

ldap attribute-map ASA_MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com" COMPANY_VPN
aaa-server LDAP_Company_VPN protocol ldap
aaa-server LDAP_Company_VPN (INSIDE) host 10.1.2.10
 server-port 389
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Computers,DC=company,DC=com
 server-type microsoft
 ldap-attribute-map ASA_MAP
group-policy COMPANY_VPN internal
group-policy COMPANY_VPN attributes
 dns-server value 10.1.2.10 10.1.2.24
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value company.com
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
tunnel-group COMPANY_VPN type remote-access
tunnel-group COMPANY_VPN general-attributes
 address-pool COMPANY_VPN_POOL
 authentication-server-group LDAP_Company_VPN
 default-group-policy COMPANY_VPN
tunnel-group COMPANY_VPN webvpn-attributes
 group-alias COMPANY_VPN_users enable

-------
Debug on account that should have access

[195] Session Start
[195] New request Session, context 0xce5d9018, reqType = Authentication
[195] Fiber started
[195] Creating LDAP context with uri=ldap://10.1.2.10:389
[195] Connect to LDAP server: ldap://10.1.2.10:389, status = Successful
[195] supportedLDAPVersion: value = 3
[195] supportedLDAPVersion: value = 2
[195] Binding as Administrator
[195] Performing Simple authentication for Administrator to 10.1.2.10
[195] LDAP Search:
        Base DN = [dc=company,dc=com]
        Filter  = [sAMAccountName=kenobeadle]
        Scope   = [SUBTREE]
[195] User DN = [CN=Keno Beadle,CN=Users,DC=company,DC=com]
[195] Talking to Active Directory server 10.1.2.10
[195] Reading password policy for kenobeadle, dn:CN=Keno Beadle,CN=Users,DC=company,DC=com
[195] Read bad password count 0
[195] Binding as kenobeadle
[195] Performing Simple authentication for kenobeadle to 10.1.2.10
[195] Processing LDAP response for user kenobeadle
[195] Message (kenobeadle):
[195] Authentication successful for kenobeadle to 10.1.2.10
[195] Retrieved User Attributes:
[195]   objectClass: value = top
[195]   objectClass: value = person
[195]   objectClass: value = organizationalPerson
[195]   objectClass: value = user
[195]   cn: value = Keno Beadle
[195]   sn: value = Beadle
[195]   givenName: value = Keno
[195]   distinguishedName: value = CN=Keno Beadle,CN=Users,DC=company,DC=com
[195]   instanceType: value = 4
[195]   whenCreated: value = 20100628133516.0Z
[195]   whenChanged: value = 20100824162032.0Z
[195]   displayName: value = Keno Beadle
[195]   uSNCreated: value = 661752386
[195]   memberOf: value = CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com
[195]           mapped to IETF-Radius-Class: value = COMPANY_VPN
[195]           mapped to LDAP-Class: value = COMPANY_VPN
[195]   uSNChanged: value = 664085514
[195]   homeMTA: value = CN=Microsoft MTA,CN=TN1DX02,CN=Servers,CN=JacksonTN1,CN=Administrative Groups,CN
[195]   proxyAddresses: value = smtp:KBeadle2@CompanyPl.com
[195]   proxyAddresses: value = smtp:KBeadle2@CompanyPlasticsGroup.com
[195]   proxyAddresses: value = smtp:KBeadle2@Companypgi.com
[195]   proxyAddresses: value = smtp:Keno.Beadle@Companyplasticsgroup.com
[195]   proxyAddresses: value = X400:c=US;a= ;p=CompanyPl;o=Atlanta01;s=Beadle;g=Keno;
[195]   proxyAddresses: value = SMTP:Keno.Beadle@Companypgi.com
[195]   homeMDB: value = CN=Mailbox Store (TN1DX02),CN=First Storage Group,CN=InformationStore,CN=TN1DX02
[195]   mDBUseDefaults: value = TRUE
[195]   mailNickname: value = kenobeadle
[195]   name: value = Keno Beadle
[195]   objectGUID: value = /.F@..^F...v..H.
[195]   userAccountControl: value = 66048
[195]   badPwdCount: value = 0
[195]   codePage: value = 0
[195]   countryCode: value = 0
[195]   badPasswordTime: value = 0
[195]   lastLogoff: value = 0
[195]   lastLogon: value = 0
[195]   pwdLastSet: value = 129271402411406250
[195]   primaryGroupID: value = 513
[195]   objectSid: value = .............Q:<>o.On4...{..
[195]   accountExpires: value = 9223372036854775807
[195]   logonCount: value = 0
[195]   sAMAccountName: value = kenobeadle
[195]   sAMAccountType: value = 805306368
[195]   showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[195]   showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=CompanyPl
[195]   legacyExchangeDN: value = /O=CompanyPl/OU=JacksonTN1/cn=Recipients/cn=kenobeadle
[195]   userPrincipalName: value = kenobeadle@company.com
[195]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com
[195]   lastLogonTimestamp: value = 129271402565000000
[195]   textEncodedORAddress: value = c=US;a= ;p=CompanyPl;o=Atlanta01;s=Beadle;g=Keno;
[195]   mail: value = Keno.Beadle@Companypgi.com
[195]   msExchPoliciesIncluded: value = {7D9F9863-9593-44D3-9555-8FCACF7A9524},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
[195]   msExchPoliciesIncluded: value = {5A5AFAD4-7498-403F-A395-99027179A262},{3B6813EC-CE89-42BA-9442-D87D4AA30DBC}
[195]   msExchHomeServerName: value = /O=CompanyPl/OU=JacksonTN1/cn=Configuration/cn=Servers/cn=TN1DX02
[195]   msExchALObjectVersion: value = 48
[195]   msExchMailboxSecurityDescriptor: value = ....x.................d.........................:.3.2.6.8.......................
[195]   msExchUserAccountControl: value = 0
[195]   msExchMailboxGuid: value = Q.....oB.B./Y...
[195] Fiber exit Tx=539 bytes Rx=4436 bytes, status=1
[195] Session End

--------
Debug on account that should not have access

[193] Session Start
[193] New request Session, context 0xce5d9018, reqType = Authentication
[193] Fiber started
[193] Creating LDAP context with uri=ldap://10.1.2.10:389
[193] Connect to LDAP server: ldap://10.1.2.10:389, status = Successful
[193] supportedLDAPVersion: value = 3
[193] supportedLDAPVersion: value = 2
[193] Binding as Administrator
[193] Performing Simple authentication for Administrator to 10.1.2.10
[193] LDAP Search:
        Base DN = [dc=company,dc=com]
        Filter  = [sAMAccountName=companyadmin]
        Scope   = [SUBTREE]
[193] User DN = [CN=Company Admin,CN=Users,DC=company,DC=com]
[193] Talking to Active Directory server 10.1.2.10
[193] Reading password policy for companyadmin, dn:CN=Company Admin,CN=Users,DC=company,DC=com
[193] Read bad password count 1
[193] Binding as companyadmin
[193] Performing Simple authentication for companyadmin to 10.1.2.10
[193] Processing LDAP response for user companyadmin
[193] Message (companyadmin):
[193] Authentication successful for companyadmin to 10.1.2.10
[193] Retrieved User Attributes:
[193]   objectClass: value = top
[193]   objectClass: value = person
[193]   objectClass: value = organizationalPerson
[193]   objectClass: value = user
[193]   cn: value = Company Admin
[193]   sn: value = Admin
[193]   givenName: value = Company
[193]   distinguishedName: value = CN=Company Admin,CN=Users,DC=company,DC=com
[193]   instanceType: value = 4
[193]   whenCreated: value = 20100212140801.0Z
[193]   whenChanged: value = 20100823132031.0Z
[193]   displayName: value = Company Admin
[193]   uSNCreated: value = 626370567
[193]   memberOf: value = CN=qad,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=qad,CN=Users,DC=company,DC=com
[193]           mapped to LDAP-Class: value = CN=qad,CN=Users,DC=company,DC=com
[193]   memberOf: value = CN=Wireless,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=Wireless,CN=Users,DC=company,DC=com
[193]           mapped to LDAP-Class: value = CN=Wireless,CN=Users,DC=company,DC=com
[193]   memberOf: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193]           mapped to LDAP-Class: value = CN=Internet Users,CN=Users,DC=company,DC=com
[193]   memberOf: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193]           mapped to LDAP-Class: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193]   memberOf: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193]           mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=company,DC=com
[193]   uSNChanged: value = 664037910
[193]   name: value = Company Admin
[193]   objectGUID: value = .l.....N.Z!O..R.
[193]   userAccountControl: value = 66048
[193]   badPwdCount: value = 1
[193]   codePage: value = 0
[193]   countryCode: value = 0
[193]   badPasswordTime: value = 129273055381406250
[193]   lastLogoff: value = 0
[193]   lastLogon: value = 129270759310781250
[193]   pwdLastSet: value = 129139075333281250
[193]   primaryGroupID: value = 513
[193]   objectSid: value = .............Q:<>o.On4...H..
[193]   adminCount: value = 1
[193]   accountExpires: value = 9223372036854775807
[193]   logonCount: value = 40
[193]   sAMAccountName: value = companyadmin
[193]   sAMAccountType: value = 805306368
[193]   userPrincipalName: value = companyadmin@company.com
[193]   lockoutTime: value = 0
[193]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com
[193]   mSMQSignCertificates: value = ....LN...V0.:}f..?.#..c0...H.N./.r.4....0...0............ZU0...*.H.......0v1.0..
[193]   mSMQDigests: value = ...LC....A..y!..
[193]   mSMQDigests: value = P........b...Z*2
[193]   mSMQDigests: value = O..E..p1#.{....K
[193]   mSMQDigests: value = .S.=..O......5.z
[193]   mSMQDigests: value = \.Cv.wV. .|.....
[193]   mSMQDigests: value = .O.t..]<...Y.Y..
[193]   mSMQDigests: value = .'U..s.+[.~p.c.y
[193]   mSMQDigests: value = LN...V0.:}f..?.#
[193]   lastLogonTimestamp: value = 129268056962422521
[193] Fiber exit Tx=544 bytes Rx=6996 bytes, status=1
[193] Session End
Question by:Kenoboy
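An added illustration, not code from the question or the answers: the script below parses excerpts of the debug output above and models how the ASA picks a group-policy from the mapped IETF-Radius-Class value (assumption based on Cisco's documented behaviour: a value naming an existing group-policy is used, otherwise the tunnel-group's default-group-policy applies, and an unset vpn-simultaneous-logins inherits from DfltGrpPolicy). It reproduces both observations in the question; the NOACCESS policy is a hypothetical name.

```python
import re

# Constructed excerpts of the two "debug ldap" sessions quoted in the question.
DEBUG_MEMBER = """\
[195]   memberOf: value = CN=ASA Users,OU=VPN,OU=Plants,DC=company,DC=com
[195]           mapped to IETF-Radius-Class: value = COMPANY_VPN
"""
DEBUG_NONMEMBER = """\
[193]   memberOf: value = CN=qad,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=qad,CN=Users,DC=company,DC=com
[193]   memberOf: value = CN=VPN Users,CN=Users,DC=company,DC=com
[193]           mapped to IETF-Radius-Class: value = CN=VPN Users,CN=Users,DC=company,DC=com
"""

CLASS_RE = re.compile(r"mapped to IETF-Radius-Class: value = (.+?)\s*$", re.M)

def mapped_classes(debug_text):
    """IETF-Radius-Class values the attribute map produced, in debug order."""
    return [m.group(1) for m in CLASS_RE.finditer(debug_text)]

def select_group_policy(debug_text, policies, default_policy):
    """Model (assumption, not ASA code) of group-policy selection: a Class
    value naming an existing group-policy wins; otherwise the tunnel-group's
    default-group-policy applies, so an unmatched DN string such as
    'CN=qad,...' never blocks anyone by itself."""
    for value in mapped_classes(debug_text):
        if value in policies:
            return value
    return default_policy

def login_allowed(policy, policies):
    """vpn-simultaneous-logins per policy; None means inherit from DfltGrpPolicy."""
    limit = policies[policy]
    if limit is None:
        limit = policies["DfltGrpPolicy"]
    return limit > 0

def evaluate(debug_text, policies, default_policy):
    """Return (group-policy the session lands in, whether the login is allowed)."""
    policy = select_group_policy(debug_text, policies, default_policy)
    return policy, login_allowed(policy, policies)

# As posted: the tunnel-group default is COMPANY_VPN, so both users get in.
POSTED = {"DfltGrpPolicy": 3, "COMPANY_VPN": None}
# What the poster tried: 0 on DfltGrpPolicy is inherited, so everyone is blocked.
TRIED = {"DfltGrpPolicy": 0, "COMPANY_VPN": None}
# Hypothetical alternative: a NOACCESS policy with 0 logins as the tunnel-group default.
FIXED = {"DfltGrpPolicy": 3, "COMPANY_VPN": None, "NOACCESS": 0}
```

Running `evaluate(DEBUG_NONMEMBER, POSTED, "COMPANY_VPN")` shows the non-member still landing in COMPANY_VPN, which is what the second debug session above means in practice.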
2 Comments

Expert Comment

by:3nerds
Kenoboy,

I have not been able to make this work with LDAP in my lab, and I have yet to find a document to allow this to work. If I use LDAP, then I have been using an OU instead of a group to allow only specific people to access the VPN. If you truly want to use a specific group, I would recommend using RADIUS, which is easily done using IAS on a Windows server.

Regards,

3nerds

Accepted Solution

by:
Kenoboy earned 0 total points
I figured it out!
With the LDAP configuration it will authenticate anyone that is in your AD structure, allowing them access to the VPN.  You should use DAP (dynamic access policy) to allow certain groups to gain access to the VPN.  You need to create a DAP for the group/groups you want to allow access, then deny the default group (DfltAccessPolicy) access.  This would be done by issuing the command action terminate under the default policy.  Below are the lines of config I entered to get this to work.

dynamic-access-policy-record DfltAccessPolicy
 action terminate
 webvpn
  svc ask none default svc
dynamic-access-policy-record COMPANY_VPN
 description "Company_VPN_Users"