Solved

ASA SSL VPN DAP and use of ldap.memberOf against AD

Posted on 2012-04-09
Last Modified: 2012-04-10
I've run into difficulties getting ASA DAP to work against AD. I'm trying to use DAP to build ACLs associated with AD group membership. I've set up an AAA server for AD LDAP, can run the auth and authorization tests successfully, and when configuring DAP policies it successfully retrieves AD groups. When I create a DAP policy using the ldap.memberOf attribute for an LDAP group, the DAP is never applied for users I know are members. The odd thing is, if I change the DAP attribute condition to be "User has NONE of the AAA attribute values" the DAP does match. I would even expect to see LDAP debug output when DAP is evaluating the policies, but all I get back is DAP debug output with no rules matched. As a result the user cannot log in.

What is the trick to get DAP work with ldap.memberOf for AD groups?

Some supporting info:
Authorization test output for my ID. Note that the DAP policy with the highest priority uses memberOf=IT in my test:
 
[256]              memberOf: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to IETF-Radius-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to LDAP-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx

DAP output that results when I attempt to log in (Radius authentication succeeds btw):
DAP_TRACE: DAP_open: AF4A34D8
DAP_TRACE: Username: itadmin, aaa.radius["6"]["1"] = 6
DAP_TRACE: Username: itadmin, aaa.radius["25"]["1"] = ....
DAP_TRACE: Username: itadmin, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: itadmin, aaa.cisco.username = itadmin
DAP_TRACE: Username: itadmin, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: Username: itadmin, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: itadmin, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: itadmin, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: itadmin, DAP_close: AF4A34D8
Question by: sanssome
Accepted Solution by: sanssome (earned 0 total points)
ID: 37829055
Solved the problem myself. Needed to set tunnel-group authorization to LDAP. By default it was using radius since auth was set to radius.
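A configuration sketch of the fix described in the accepted solution, added here as an illustration and not taken from the original post. The AAA server names (RADIUS_SRV, AD_LDAP), the LDAP host address, the bind account and the base DN are assumptions; the tunnel group name DefaultWEBVPNGroup comes from the DAP trace above. The "before" block is the state the trace reflects: with only a RADIUS authentication server configured, the DAP Lua tree is populated from aaa.radius.* and aaa.cisco.* alone, so a rule on ldap.memberOf has nothing to match and a "NONE of" condition matches vacuously. The "after" block keeps RADIUS for authentication and adds the LDAP server group as the authorization source, which is what makes the user's memberOf values available to DAP.

```text
! --- Added example (not from the original post); ASA CLI ---
! Names, addresses, bind DN and base DN below are assumptions for illustration.

! AAA server group for Active Directory over LDAP
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=corp,DC=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=corp,DC=example
 ldap-login-password <bind-password>
 server-type microsoft

! BEFORE: authentication via RADIUS only, no LDAP authorization source.
! Result seen in the post's trace: only aaa.radius[...] and aaa.cisco.* entries
! are added to the Lua tree, so no ldap.memberOf rule can ever match.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS_SRV

! AFTER: same RADIUS authentication, plus LDAP authorization so that
! aaa.ldap.memberOf is retrieved from AD and evaluated by the DAP policies.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS_SRV
 authorization-server-group AD_LDAP
 ! optional: fail the login if the LDAP authorization lookup itself fails
 authorization-required
```

To confirm the change took effect, run `test aaa-server authorization AD_LDAP username itadmin` and check that the memberOf values are returned as in the authorization test output above, then repeat the login with `debug dap trace` enabled: the trace should now contain aaa["ldap"]["memberOf"] entries in the dap_add_to_lua_tree lines and "selected 1 records" (or more) instead of 0.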
