[c-nsp] Quick (?) ASA VPN w/AD question...

Ryan West rwest at zyedge.com
Mon Jan 30 17:16:52 EST 2012


Jeff,

On Mon, Jan 30, 2012 at 16:41:00, Jeff Kell wrote:
> Subject: [c-nsp] Quick (?) ASA VPN w/AD question...
> 
> Trying to break some new ground on ASA 8.4(2) VPN configuration (quite
> a number of changes....)
> 
> Need to map AD group membership onto a group policy selection.
> 
> (1) Previous examples are using the Cisco name "IETF-Radius-Class" to 
> map into the policy name, while 8.4(2) seems to want "Group Policy" 
> saying that replaces IETF-Radius-Class.
> 
> (2) You can now specify a "Group Base DN" for the group membership 
> location, so I have a "OU=Groups,DC=our,DC=domain,DC=specification".
> 
> I don't seem to be getting hits on the group membership (memberOf) on
> any of:
> 
> a) plain old group name (FOOBAR),
> b) qualified item name (CN=FOOBAR),
> c) fully-qualified group name
> (CM=FOOBAR,OU=Groups,DC=our,DC=domain,DC=specification)
> 
> Anyone crossed this bridge and kept notes they could share?

I have a fair amount of notes on 8.4.1 and below. I didn't see anything in the release notes for 8.4.2 that hinted at a change in LDAP. Unless I'm confusing it with another option, the group base DN is where the search for your users starts. Unless you're using DAP, the matching is still in the traditional LDAP map. I've found the easiest way to find the proper groups is to start with login at domain.local/com/whatever and password and query a username for authorization. Here's an example:

aaa-server LDAP (inside) host 192.168.168.168
 ldap-base-dn OU=Foo,DC=test,DC=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=ldapadmin,OU=Foo,DC=test,DC=local   (ldapadmin@test.local also works)
 server-type auto-detect
 ldap-attribute-map memberOf
!
test-fw1# debug ldap 255
debug ldap  enabled at level 255
test-fw1# show run ldap
ldap attribute-map department
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=cust1-test,OU=Foo,DC=test,DC=local" cust1-test
  map-value memberOf "CN=vpn_users,OU=Foo,DC=test,DC=local" work
test-fw1# test aaa autho LDAP host 192.168.168.168 username rwest
INFO: Attempting Authorization test to IP address <192.168.168.168> (timeout: 12 seconds)
.
.
.
[68587]         memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587]                 mapped to IETF-Radius-Class: value = cust1-test
[68587]                 mapped to LDAP-Class: value = cust1-test
[68587]         memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587]                 mapped to IETF-Radius-Class: value = work
[68587]                 mapped to LDAP-Class: value = work

A couple of caveats on the testing: your primary POSIX group does not show up in the LDAP query (usually Domain Users), and your first match is the winner (unless you are using DAP policies that allow combining).

-ryan
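The matching behaviour Ryan describes (each memberOf value the directory returns is compared against the map-value entries, the first value that maps decides the group policy, and the user's primary group never appears in memberOf) is modelled below in Python as an added example. This is not code from the post, from the ASA, or from Cisco; it reproduces the two map-value entries from Ryan's configuration and adds a constructed DN-to-RID table for the primary-group check. The whitespace- and case-insensitive DN comparison is an assumption for readability, not a documented ASA behaviour.

```python
"""Model of the ASA 'ldap attribute-map memberOf' selection logic described in the post.

Added example; the attribute map mirrors the post's config, all other data is constructed.
"""
from typing import Dict, List, Optional

# map-value entries from the post: memberOf DN -> IETF-Radius-Class value
ATTRIBUTE_MAP: Dict[str, str] = {
    "CN=cust1-test,OU=Foo,DC=test,DC=local": "cust1-test",
    "CN=vpn_users,OU=Foo,DC=test,DC=local": "work",
}

# Constructed lookup of group DN -> RID (the last sub-authority of the group's objectSid).
# 513 is the well-known RID of Domain Users, the default primary group.
GROUP_RIDS: Dict[str, int] = {
    "CN=Domain Users,CN=Users,DC=test,DC=local": 513,
    "CN=cust1-test,OU=Foo,DC=test,DC=local": 1105,
    "CN=vpn_users,OU=Foo,DC=test,DC=local": 1106,
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim whitespace around RDNs, lowercase.

    Assumption (not from the post): tolerating case and spacing differences.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_member_of(member_of: List[str], attribute_map: Dict[str, str]) -> List[str]:
    """Return the mapped class for every memberOf value that has a map-value entry.

    Order is preserved, matching the order in which the directory returned the values,
    which is what the 'debug ldap 255' output in the post shows.
    """
    lookup = {normalize_dn(dn): value for dn, value in attribute_map.items()}
    return [lookup[normalize_dn(dn)] for dn in member_of if normalize_dn(dn) in lookup]


def select_group_policy(member_of: List[str], attribute_map: Dict[str, str]) -> Optional[str]:
    """First match wins (without DAP): the first memberOf value with a map-value decides."""
    mapped = map_member_of(member_of, attribute_map)
    return mapped[0] if mapped else None


def unmatchable_primary_groups(attribute_map: Dict[str, str],
                               group_rids: Dict[str, int],
                               primary_group_id: int) -> List[str]:
    """Map entries that name the user's primary group.

    AD does not list the primary group in memberOf (it lives in primaryGroupID), so a
    map-value for that group can never match for this user; a policy keyed on
    'Domain Users' is the classic way to get zero hits.
    """
    rids = {normalize_dn(dn): rid for dn, rid in group_rids.items()}
    return [dn for dn in attribute_map if rids.get(normalize_dn(dn)) == primary_group_id]


if __name__ == "__main__":
    # Constructed user entry resembling the authorization test in the post
    user = {
        "memberOf": [
            "CN=cust1-test,OU=Foo,DC=test,DC=local",
            "CN=vpn_users,OU=Foo,DC=test,DC=local",
        ],
        "primaryGroupID": 513,
    }
    print("mapped classes :", map_member_of(user["memberOf"], ATTRIBUTE_MAP))
    print("selected policy:", select_group_policy(user["memberOf"], ATTRIBUTE_MAP))
    print("never matchable:", unmatchable_primary_groups(ATTRIBUTE_MAP, GROUP_RIDS, user["primaryGroupID"]))
```

Reordering the memberOf values flips the selected policy, which is the practical reason to keep the map to one policy-bearing group per user or move to DAP when memberships overlap.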


