Ok so I have been beating my head on ASA to LDAP auth (temporary fix till my client spins up RADIUS), but thanks to the great LDAP group at Cisco TAC I'm up and working. The point of this post is to take what we tend to know about LDAP client configs and adjust it for what Cisco has set up in PIX IOS 8.
Our config:
- LDAP: OS X Open Directory (OpenLDAP in PIX IOS 8)
- ASA 5540 in Active/Standby failover
- LDAP server is on the Inside of the ASA
BASE DN: For the most part this is what you would expect it to be. But in most of the clients I have used, the Base DN is either appended automatically or you can choose to append it to your login DN, thus shortening your login DN entry. When you talk to TAC they say that your BASE DN is automatically appended to your login. Well, no, that's wrong. What the ASA uses the BASE DN for is the place where it starts its tree walk for authentication or authorization credentials only, not where it looks for the base of its own credentials.
So what should you use for the BASE DN? Well, your BASE DN of course. So now you're saying this guy is an idiot, that's not special at all. Well, look below at what you need to use for your login DN, and if that doesn't clear things up then maybe I am an idiot.
Login DN: Normally you can stick to uid="username",cn=users for your login DN. But in the case of the ASA client you need to use the full login path including the base, so something like this: uid="username",cn=users,dc=DMS,dc=staticnat,dc=com
Another thing that seems to be unknown to TAC is whether, when performing your Auth test from the ASDM console, you should use uid="username" or just "username". Well, I have the skinny on that too: just use "username".
The final snippet of info I have to offer on the LDAP front has to do with people who were unable to get their "asa" user to bind to the directory if it was not located within the BASE DN. Cisco is aware of this and has patched their code. I have no idea if that patch is part of the engineering release I have or if it is part of the current Pix IOS 8 ED that is available for download. I have an email out asking that question now and I hope to have an update by the end of the day. If you have any questions feel free to post to comments or email:
Josh, this is an excellent post…You can find a sample config @ my website (http://6200networks.com/?p=25)…Keep up the great work man.
-Joe
Quick question for you, I am trying to limit my LDAP authentication to a specific group in OS X OpenDirectory (10.5.5), but I can’t seem to do it…did you have any luck with this?
Thanks Greg! He provided the following link as a follow up to our off-line conversation.
http://209.85.135.104/translate_c?hl=en&sl=fr&tl=en&u=http://pm.itguys.fr/blog/tags/asa/&usg=ALkJrhj0dOIxqsafNO8RSkeKrUNxzasSeQ
Plus he has an open TAC case and has offered to share his results.
So, as I mentioned in email, I got the 1 in 5 at Cisco TAC. In my last real job, we had a chart of companies and their tech support. Something like:
Cisco – 1 in 5 actually knew something
Sun – 1 in 10 actually knew something
Salesforce – 1 in 100 actually knew something
RedHat – Yeah, good luck
Anyway, for the details….I have tested this on my home setup and it works great…
Essentially if you follow the direction on the link above and then issue the following at a config t prompt:
group-policy noconnection internal
group-policy noconnection attributes
vpn-simultaneous-logins 0
exit
tunnel-group <> general-attributes
no default-group-policy <>
default-group-policy noconnection
*The lines above will switch the default group policy on the <> group to noconnection, which prevents access to the ASA for users that do not have a gidNumber equal to the gidNumber you set.
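Pulling the post's two points (base DN is only the search start; login DN must be the full DN) and Greg's gidNumber restriction into one ASA 8 config. This is an added example, not the author's config and not Greg's: the server name OD-LDAP, the address 192.0.2.10, the bind user asa, the tunnel-group RemoteVPN, the gidNumber value 1025, the policy names and the passwords are assumed placeholders; only the base DN comes from the post.

```cisco
! Added example; names, addresses, gidNumber value and passwords are placeholders.
! Attribute map first, so the aaa-server host can reference it.
! A user whose gidNumber is 1025 gets group-policy "vpnusers"; everyone else
! falls through to the tunnel-group default policy, which allows zero logins.
ldap attribute-map GID-MAP
 map-name gidNumber IETF-Radius-Class
 map-value gidNumber 1025 vpnusers
!
aaa-server OD-LDAP protocol ldap
aaa-server OD-LDAP (inside) host 192.0.2.10
 ! Base DN: where the ASA starts its subtree search for the user.
 ! It is NOT prepended to the login DN below.
 ldap-base-dn dc=DMS,dc=staticnat,dc=com
 ldap-scope subtree
 ! The attribute the plain "username" from the test is matched against.
 ldap-naming-attribute uid
 ! Login DN: the bind account's FULL DN, base included.
 ldap-login-dn uid=asa,cn=users,dc=DMS,dc=staticnat,dc=com
 ldap-login-password PLACEHOLDER-BIND-PASSWORD
 server-type openldap
 ldap-attribute-map GID-MAP
!
group-policy vpnusers internal
group-policy noconnection internal
group-policy noconnection attributes
 vpn-simultaneous-logins 0
!
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 authentication-server-group OD-LDAP
 authorization-server-group OD-LDAP
 default-group-policy noconnection
!
! CLI equivalent of the ASDM auth test: give the bare username, not uid=username.
test aaa-server authentication OD-LDAP host 192.0.2.10 username jdoe password PLACEHOLDER-USER-PASSWORD
```

A successful test for a user outside the 1025 group still reports authentication OK; the lockout only takes effect when the tunnel is built and the noconnection policy's zero-login limit applies.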
Hi All
I know this is an old post, I was hoping for some help on the LDAP attribute map?
ldap attribute-map MAP
map-name groupMembership IETF-Radius-Class
map-value groupMembership cn=,o= vpn
aaa-server NOV-LDAP protocol ldap
aaa-server NOV-LDAP (inside) host
ldap-base-dn o=
ldap-scope subtree
ldap-naming-attribute uniqueID
server-type novell
ldap-attribute-map MAP
group-policy novpnaccess internal
group-policy novpnaccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool vpn
authentication-server-group NOV-LDAP
authorization-server-group NOV-LDAP
default-group-policy novpnaccess
The problem I am having is all users are being authenticated and not just the users in the LDAP attribute map.
Regards Craig