Solved

ASA SSL VPN DAP and use of ldap.memberOf against AD

Posted on 2012-04-09
1
1,965 Views
Last Modified: 2012-04-10
I've run into difficulties getting ASA DAP to work against AD. I'm trying to use DAP to build ACLs associated with AD group membership. I've set up an AAA server for AD LDAP, can run the auth and authorizations tests successfully and when configuring DAP policies it successfully retrieves AD groups. When I create a DAP policy using the ldap.memberOf attribute for an LDAP group, the DAP is never applied for users I know are members. The odd thing is, if I change the DAP attribute condition to be "User has NONE of the AAA attribute values" the DAP does match. I would even expect to see LDAP debug output when DAP is evaluating the policies, but all I get back is DAP debut output with no rules matched. As a result the user cannot log in.

What is the trick to get DAP work with ldap.memberOf for AD groups?

Some supporting info:
Authorization test output for my ID. Note that the DAP policy with the highest priority uses memberOf=IT in my test:
 
[256]              memberOf: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to IETF-Radius-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to LDAP-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx

DAP output that results when I attempt to log in (Radius authentication succeeds btw):
AP_TRACE: DAP_open: AF4A34D8
DAP_TRACE: Username: itadmin, aaa.radius["6"]["1"] = 6
DAP_TRACE: Username: itadmin, aaa.radius["25"]["1"] = ....
DAP_TRACE: Username: itadmin, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: itadmin, aaa.cisco.username = itadmin
DAP_TRACE: Username: itadmin, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: Username: itadmin, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: itadmin, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: itadmin, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: itadmin, DAP_close: AF4A34D8
0
Comment
Question by:sanssome
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 

Accepted Solution

by:
sanssome earned 0 total points
ID: 37829055
Solved the problem myself. Needed to set tunnel-group authorization to LDAP. By default it was using radius since auth was set to radius.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question