[c-nsp] LUA Script on ASA

FS bastiji at gmail.com
Tue Mar 11 09:57:46 EDT 2014


Folks - I'm looking to see if anyone has ever successfully used the LUA
scripting feature on the ASA for doing authorization.

Trying to set up Certificate authentication for VPN users, and authorizing
against LDAP (AD) but my fields don't match one to one, and hence I was
hoping to use the LUA script feature to massage the cert attribute to match
my LDAP attribute.

Doing so however on the ASA errors out, and I haven't been able to make
even the simplest of LUA scripts give out any useful error message or log
or debug.

Here's the script when run in a LUA interpreter returning the 'right'
answer:

[rancid@lb ~]$ cat testscript.lua
#!/usr/bin/lua

GivenString = 'CN=lastname.firstname.middlename.000000000'

FS1 = GivenString:match"%.(%a+)%."
FS2 = GivenString:match"(%a+)%."
FFS = FS1.."."..FS2

print (FFS)

[rancid@lb ~]$ ./testscript.lua
firstname.lastname
[rancid@lb ~]$

This is how I entered the corresponding script on the ASA:

assert(function()
GS=cert.subject.cn
FS1 = GS:match"%.(%a+)%."
FS2 = GS:match"(%a+)%."
FFS = FS1.."."..FS2

return FFS

end) ()

When I try to authenticate with this script in place, I get this error
message in my logs:

%ASA-4-113026: Error <[string "assert(function()..."]:3: attempt to index
global `GS' (a string value)> while executing Lua script for group
<Anyconnect>

Anyone ever been able to run a LUA script successfully on ASA for this sort
of usage?

Thanks,
Bastiji
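
The log line above reports that a string value was indexed, which is what the method-call form `GS:match` does. The sketch below is an added example, not part of the original post and not Cisco's code: it reproduces that failure on a desktop Lua 5.1+ and shows the same mapping written with plain `string.find` calls, rejecting any CN that does not fit the expected shape. Assumptions: the ASA's interpreter gives strings no metatable, `cert.subject.cn` holds the CN value without the `CN=` prefix, and `map_cn` and the sample `cert` table are hypothetical names built for this illustration.

```lua
-- Added example. `cert` is a constructed stand-in for the table the ASA
-- supplies to the script; map_cn is a hypothetical helper name.
local cert = { subject = { cn = "lastname.firstname.middlename.000000000" } }

-- Assumption: on the ASA, strings have no metatable, so GS:match has nothing
-- to index. Simulate that here by removing __index from the string metatable.
local smt = getmetatable("")
local saved_index = smt and smt.__index
if smt then smt.__index = nil end

-- Method-call form from the post: raises "attempt to index ... (a string value)".
local ok, err = pcall(function()
  local GS = cert.subject.cn
  return GS:match("%.(%a+)%.")
end)
print("method form ok?", ok, err)

-- Function-call form: string.find returns start, end, then the captures.
-- The anchored pattern takes the first two dot-separated alphabetic fields,
-- so a CN in any other shape is rejected instead of being half-matched.
local function map_cn(cn)
  if type(cn) ~= "string" then
    return nil, "CN missing"
  end
  local _, _, last, first = string.find(cn, "^(%a+)%.(%a+)%.")
  if not last then
    return nil, "CN not in last.first.* form"
  end
  return first .. "." .. last
end

print(map_cn(cert.subject.cn))   -- well-formed CN
print(map_cn("svc-account"))     -- malformed CN: returns nil plus a reason

-- Restore normal string methods for the rest of the desktop session.
if smt then smt.__index = saved_index end
```

Because the mapped value is what gets looked up in LDAP for authorization, the nil-plus-reason return keeps a malformed CN from being turned into a partial username.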