ASA SSL VPN DAP and use of ldap.memberOf against AD

Posted on 2012-04-09
Last Modified: 2012-04-10
I've run into difficulties getting ASA DAP to work against AD. I'm trying to use DAP to build ACLs associated with AD group membership. I've set up an AAA server for AD LDAP, can run the auth and authorization tests successfully, and when configuring DAP policies it successfully retrieves AD groups. When I create a DAP policy using the ldap.memberOf attribute for an LDAP group, the DAP is never applied for users I know are members. The odd thing is, if I change the DAP attribute condition to be "User has NONE of the AAA attribute values" the DAP does match. I would even expect to see LDAP debug output when DAP is evaluating the policies, but all I get back is DAP debug output with no rules matched. As a result the user cannot log in.

What is the trick to get DAP to work with ldap.memberOf for AD groups?

Some supporting info:
Authorization test output for my ID. Note that the DAP policy with the highest priority uses memberOf=IT in my test:
 
[256]              memberOf: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to IETF-Radius-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to LDAP-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx

DAP output that results when I attempt to log in (Radius authentication succeeds btw):
AP_TRACE: DAP_open: AF4A34D8
DAP_TRACE: Username: itadmin, aaa.radius["6"]["1"] = 6
DAP_TRACE: Username: itadmin, aaa.radius["25"]["1"] = ....
DAP_TRACE: Username: itadmin, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: itadmin, aaa.cisco.username = itadmin
DAP_TRACE: Username: itadmin, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: Username: itadmin, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: itadmin, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: itadmin, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: itadmin, DAP_close: AF4A34D8
Question by: sanssome
Accepted Solution by: sanssome
ID: 37829055
Solved the problem myself. Needed to set tunnel-group authorization to LDAP. By default it was using radius since auth was set to radius.
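As an added illustration (not code from the question or from Cisco), the Python below shows why the "NONE of" condition matched while memberOf=IT never did: it parses dap_add_to_lua_tree lines like the ones in the question into the attribute tree DAP evaluates, then evaluates an ldap.memberOf condition with and without LDAP authorization attributes present. The sample trace strings, the aaa["ldap"]["memberOf"] line format and the CN-only group comparison are constructed assumptions, not captured output.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the DAP_TRACE lines in the question: with RADIUS
# authorization only aaa.radius / aaa.cisco / endpoint entries reach the Lua tree.
TRACE_RADIUS_AUTHZ = """\
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
"""
# Constructed (assumed line format): the extra entries the tree receives once the
# tunnel-group's authorization-server-group points at the LDAP server.
TRACE_LDAP_AUTHZ = TRACE_RADIUS_AUTHZ + """\
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="CN=IT,CN=Users,DC=corp,DC=xxxx"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="CN=Domain Users,CN=Users,DC=corp,DC=xxxx"
"""

ENTRY_RE = re.compile(r'dap_add_to_lua_tree:(.+?)="(.*)"$')

def parse_lua_tree(trace: str) -> Dict[str, List[str]]:
    """Map each attribute (dotted, e.g. aaa.ldap.memberOf) to its list of values."""
    tree: Dict[str, List[str]] = {}
    for line in trace.splitlines():
        m = ENTRY_RE.search(line)
        if not m:  # e.g. '... contains binary data' carries no value to match on
            continue
        key = re.sub(r'\["([^"]+)"\]', r'.\1', m.group(1))  # aaa["ldap"]["memberOf"] -> aaa.ldap.memberOf
        tree.setdefault(key, []).append(m.group(2))
    return tree

def member_of_cns(tree: Dict[str, List[str]]) -> List[str]:
    """Group names (CN= part of each DN) from aaa.ldap.memberOf; empty if LDAP authz never ran."""
    cns = [re.match(r"CN=([^,]+)", dn, re.IGNORECASE) for dn in tree.get("aaa.ldap.memberOf", [])]
    return [m.group(1) for m in cns if m]

def dap_memberof_matches(tree: Dict[str, List[str]], groups: List[str], mode: str) -> bool:
    """One DAP ldap.memberOf condition. mode 'any': user has ANY of the listed groups;
    'none': user has NONE of them. 'none' is vacuously true when the attribute is absent,
    which is exactly the odd behaviour seen in the question."""
    hit = bool(set(member_of_cns(tree)) & set(groups))
    return hit if mode == "any" else not hit

def diagnose(trace: str) -> str:
    """Explain from the trace alone why a memberOf-based DAP can or cannot be selected."""
    tree = parse_lua_tree(trace)
    if not any(k.startswith("aaa.ldap.") for k in tree):
        return "no aaa.ldap.* in DAP tree: authorization did not run against LDAP; memberOf cannot match"
    return "ldap attributes present; memberOf groups: " + ", ".join(member_of_cns(tree))
```

Running diagnose() over a real "debug dap trace" capture is a quick check that the tunnel-group's authorization-server-group is actually the LDAP server before touching the DAP records themselves.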