Solved

ASA SSL VPN DAP and use of ldap.memberOf against AD

Posted on 2012-04-09
1
1,891 Views
Last Modified: 2012-04-10
I've run into difficulties getting ASA DAP to work against AD. I'm trying to use DAP to build ACLs associated with AD group membership. I've set up an AAA server for AD LDAP, can run the auth and authorizations tests successfully and when configuring DAP policies it successfully retrieves AD groups. When I create a DAP policy using the ldap.memberOf attribute for an LDAP group, the DAP is never applied for users I know are members. The odd thing is, if I change the DAP attribute condition to be "User has NONE of the AAA attribute values" the DAP does match. I would even expect to see LDAP debug output when DAP is evaluating the policies, but all I get back is DAP debut output with no rules matched. As a result the user cannot log in.

What is the trick to get DAP work with ldap.memberOf for AD groups?

Some supporting info:
Authorization test output for my ID. Note that the DAP policy with the highest priority uses memberOf=IT in my test:
 
[256]              memberOf: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to IETF-Radius-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx
[256]                     mapped to LDAP-Class: value = CN=IT,CN=Users,DC=corp,DC=xxxx

DAP output that results when I attempt to log in (Radius authentication succeeds btw):
AP_TRACE: DAP_open: AF4A34D8
DAP_TRACE: Username: itadmin, aaa.radius["6"]["1"] = 6
DAP_TRACE: Username: itadmin, aaa.radius["25"]["1"] = ....
DAP_TRACE: Username: itadmin, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: itadmin, aaa.cisco.username = itadmin
DAP_TRACE: Username: itadmin, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="6"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="itadmin"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: Username: itadmin, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: itadmin, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: itadmin, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: itadmin, DAP_close: AF4A34D8
0
Comment
Question by:sanssome
1 Comment
 

Accepted Solution

by:
sanssome earned 0 total points
ID: 37829055
Solved the problem myself. Needed to set tunnel-group authorization to LDAP. By default it was using radius since auth was set to radius.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Creating a Vendor Admin user 23 53
Cisco 3560 Switch with Multiple Gateways 10 68
Inactive computer in domain 7 64
Migrate GPO Forest to Forest 4 15
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question