Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASA SSL VPN DAP and use of ldap.memberOf against AD

Posted on 2012-04-09
1
Medium Priority
?
2,014 Views
Last Modified: 2012-04-10
I've run into difficulties getting ASA DAP to work against AD. I'm trying to use DAP to build ACLs associated with AD group membership. I've set up an AAA server for AD LDAP, can run the auth and authorizations tests successfully and when configuring DAP policies it successfully retrieves AD groups. When I create a DAP policy using the ldap.memberOf attribute for an LDAP group, the DAP is never applied for users I know are members. The odd thing is, if I change the DAP attribute condition to be "User has NONE of the AAA attribute values" the DAP does match. I would even expect to see LDAP debug output when DAP is evaluating the policies, but all I get back is DAP debut output with no rules matched. As a result the user cannot log in.

What is the trick to get DAP work with ldap.memberOf for AD groups?

Some supporting info:
Authorization test output for my ID. Note that the DAP policy with the highest priority uses memberOf=IT in my test:
 
[256]              memberOf: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to IETF-Radius-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to LDAP-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx

DAP output that results when I attempt to log in (Radius authentication succeeds btw):
AP_TRACE: DAP_open: AF4A34D8
DAP_TRACE: Username: itadmin, aaa.radius["6"]["1"] = 6
DAP_TRACE: Username: itadmin, aaa.radius["25"]["1"] = ....
DAP_TRACE: Username: itadmin, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: itadmin, aaa.cisco.username = itadmin
DAP_TRACE: Username: itadmin, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: Username: itadmin, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: itadmin, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: itadmin, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: itadmin, DAP_close: AF4A34D8
0
Comment
Question by:sanssome
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 

Accepted Solution

by:
sanssome earned 0 total points
ID: 37829055
Solved the problem myself. Needed to set tunnel-group authorization to LDAP. By default it was using radius since auth was set to radius.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question