ASA LDAP Auth the nice and easy way.

Ok so I have been beating my head on ASA to LDAP auth (temporary fix till my client spins up RADIUS), but thanks to the great LDAP group at Cisco TAC I'm up and working. The point of this post is to take what we tend to know about LDAP client configs and adjust it for what Cisco has set up in PIX IOS 8.

Our config:

  • LDAP: OS X OpenDirectory (OpenLDAP in PIX IOS 8)
  • ASA 5540 in Active/Standby failover
  • LDAP server is on the inside of the ASA

BASE DN: For the most part this is what you would expect it to be. But in most of the clients I have used, the Base DN is either appended automatically or you can choose to append it to your login DN, thus shortening your login DN entry. When you talk to TAC they say that your BASE DN is automatically appended to your login. Well, no, that's wrong. The ASA uses the BASE DN only as the place where it starts its tree walk for authentication or authorization credentials, not as the base for its own login credentials.

So what should you use for the BASE DN? Well, your BASE DN of course. So now you're saying this guy is an idiot, that's not special at all. Well, look below at what you need to use for your login DN, and if that doesn't clear things up then maybe I am an idiot.

Login DN: Normally you can stick to uid=”username”,cn=users for your login DN. But in the case of the ASA client you need to use the full login path including the base, so something like this: uid=”username”,cn=users,dc=DMS,dc=staticnat,dc=com

Another thing that seems to be unknown to TAC is whether, when performing your Auth test from the ASDM console, you should use uid=”username” or just “username”. Well, I have the skinny on that too: just use “username”.

The final snippet of info I have to offer on the LDAP front has to do with people who were unable to get their “asa” user to bind to the directory if it was not located within the BASE DN. Cisco is aware of this and has patched their code. I have no idea if that patch is part of the engineering release I have or if it is part of the current Pix IOS 8 ED that is available for download. I have an email out asking that question now and I hope to have an update by the end of the day. If you have any questions feel free to post to comments or email.


  1. gmsmith says:

    Quick question for you, I am trying to limit my LDAP authentication to a specific group in OS X OpenDirectory (10.5.5), but I can’t seem to do it…did you have any luck with this?

  2. gmsmith says:

    So, as I mentioned in email, I got the 1 in 5 at Cisco TAC. In my last real job, we had a chart of companies and their tech support. Something like:

    Cisco – 1 in 5 actually knew something
    Sun – 1 in 10 actually knew something
    Salesforce – 1 in 100 actually knew something
    RedHat – Yeah, good luck

    Anyway, for the details... I have tested this on my home setup and it works great.

    Essentially, if you follow the directions on the link above and then issue the following at a config t prompt:

    group-policy noconnection internal
    group-policy noconnection attributes
    vpn-simultaneous-logins 0

    tunnel-group <> general-attributes
    no default-group-policy <>
    default-group-policy noconnection

    *The lines above will switch the default group policy on the <> group to be noconnection, which prevents access to the ASA for users that do not have a gidNumber equal to the gidNumber you set.
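Putting the post's two DN rules (base DN is only the search start; login DN must be the full path) together with the noconnection default policy from the comment above, as an added configuration example that is not the post author's or the commenter's own config. The server tag OD-LDAP, host address, bind account, policy and tunnel-group names, and the gidNumber value 1001 are assumed placeholders.

```cisco
! Constructed example, not taken from the post or the comments.
aaa-server OD-LDAP protocol ldap
aaa-server OD-LDAP (inside) host 10.0.0.5
 ! Base DN: only where the subtree search for the *user* starts.
 ldap-base-dn dc=DMS,dc=staticnat,dc=com
 ldap-scope subtree
 ! Naming attribute: the ASA builds (uid=<username>) itself, which is why
 ! the ASDM test takes the bare username rather than uid=username.
 ldap-naming-attribute uid
 ! Login DN: the ASA does NOT append the base DN here, so the short form most
 ! LDAP clients accept (uid=asa,cn=users) fails to bind. Give the full DN.
 ldap-login-dn uid=asa,cn=users,dc=DMS,dc=staticnat,dc=com
 ldap-login-password <bind-password>
 server-type openldap
 ldap-attribute-map OD-MAP
!
! Authorization: a user's gidNumber is mapped to a group-policy name via
! IETF-Radius-Class. Only gidNumber 1001 (assumed) lands in a policy that
! allows logins; everyone else falls through to the default policy below.
ldap attribute-map OD-MAP
 map-name gidNumber IETF-Radius-Class
 map-value gidNumber 1001 vpnusers
!
group-policy vpnusers internal
group-policy vpnusers attributes
 vpn-simultaneous-logins 3
group-policy noconnection internal
group-policy noconnection attributes
 vpn-simultaneous-logins 0
!
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 authentication-server-group OD-LDAP
 authorization-server-group OD-LDAP
 ! Unmatched users get noconnection and are refused (0 simultaneous logins).
 default-group-policy noconnection
!
! CLI equivalent of the ASDM auth test, bare username as the post says:
! test aaa-server authentication OD-LDAP host 10.0.0.5 username jdoe password <pw>
```

A bind failure in this test points at the login DN or password; a bind that succeeds but finds no user points at the base DN, scope, or naming attribute.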

  3. Craig says:

    Hi All

    I know this is an old post, I was hoping for some help on the LDAP attribute map?

    ldap attribute-map MAP
    map-name groupMembership IETF-Radius-Class
    map-value groupMembership cn=,o= vpn

    aaa-server NOV-LDAP protocol ldap
    aaa-server NOV-LDAP (inside) host
    ldap-base-dn o=
    ldap-scope subtree
    ldap-naming-attribute uniqueID
    server-type novell
    ldap-attribute-map MAP

    group-policy novpnaccess internal
    group-policy novpnaccess attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol IPSec

    tunnel-group Remote type remote-access
    tunnel-group Remote general-attributes
    address-pool vpn
    authentication-server-group NOV-LDAP
    authorization-server-group NOV-LDAP
    default-group-policy novpnaccess

    The problem I am having is all users are being authenticated and not just the users in the LDAP attribute map.

    Regards Craig
