Easy easy..... no you aren't missing anything... to enable LDAPoSSL, you
just need an additional command under the aaa-server group:

aaa-server LDAP host 192.168.1.1
 ldap-over-ssl enable

HTH,

Aaron Rohyans 
IT Coordinator, IDC-USA 
[EMAIL PROTECTED]
317.244.8307 (V) 
317.244.4600 (F) 
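As an added illustration (not part of the thread, and not Cisco code), here is a small Python check that walks an ASA configuration the way the snippets in this thread are laid out and flags LDAP server hosts that would still send simple binds in cleartext, which is the concern Michael raises below and the one-line "ldap-over-ssl enable" fix addresses. The configuration it parses is constructed from the thread's own examples; the LDAP_SECURE and RADIUS_SRV groups, the second and third addresses, and the treatment of an explicit "server-port 389" alongside LDAPS are assumptions made for the example.

```python
"""Audit Cisco ASA 'aaa-server ... host' blocks for cleartext LDAP binds.

Added example, not from the mailing-list thread and not Cisco code. It reads
the indented sub-commands under each 'aaa-server <group> host <addr>' line
and reports LDAP hosts that lack 'ldap-over-ssl enable', or that enable it
but still pin the cleartext port 389. The configuration below is constructed
from the thread's snippets; extra groups and addresses are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one group exactly as posted (cleartext), one with the
# fix applied, and a RADIUS group the check should ignore.
SAMPLE_CONFIG = """\
aaa-server LDAP protocol ldap
aaa-server LDAP host 192.168.1.1
 server-port 389
 ldap-base-dn CN=Users,DC=test,DC=local
 ldap-login-dn CN=testuser,CN=Users,DC=test,DC=local
 server-type microsoft
aaa-server LDAP_SECURE protocol ldap
aaa-server LDAP_SECURE host 192.168.1.2
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV host 192.168.1.3
 key *
"""


@dataclass
class AaaHost:
    """One 'aaa-server <group> host <addr>' block and its sub-commands."""
    group: str
    host: str
    settings: dict = field(default_factory=dict)


def parse_aaa_servers(config):
    """Return ({group: protocol}, [AaaHost, ...]) from ASA config text."""
    proto_re = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
    host_re = re.compile(r"^aaa-server (\S+) host (\S+)$")
    protocols, hosts, current = {}, [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            # Indented line: a sub-command belonging to the current host block.
            keyword, _, value = raw.strip().partition(" ")
            current.settings[keyword] = value
            continue
        current = None  # any unindented line ends the current block
        m = proto_re.match(raw)
        if m:
            protocols[m.group(1)] = m.group(2)
            continue
        m = host_re.match(raw)
        if m:
            current = AaaHost(m.group(1), m.group(2))
            hosts.append(current)
    return protocols, hosts


def find_cleartext_ldap(config):
    """List (group, host, reason) for LDAP hosts whose binds would go in clear."""
    protocols, hosts = parse_aaa_servers(config)
    findings = []
    for h in hosts:
        if protocols.get(h.group) != "ldap":
            continue
        if h.settings.get("ldap-over-ssl") != "enable":
            findings.append((h.group, h.host, "ldap-over-ssl not enabled"))
        elif h.settings.get("server-port") == "389":
            findings.append((h.group, h.host,
                             "ldap-over-ssl enabled but server-port 389 configured"))
    return findings


if __name__ == "__main__":
    for group, host, reason in find_cleartext_ldap(SAMPLE_CONFIG):
        print(f"{group} {host}: {reason}")
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to get the same report for a real box; the RADIUS group is deliberately skipped because the check is specific to LDAP binds.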

________________________________

From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 23, 2008 10:22 AM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

 

It's doing LDAP simple binds for authentication? Not even LDAP over SSL?

 

This means that you are passing your passwords across the wire in
clear-text. I hope you don't let any administrative users sign in that
way.

 

RADIUS with "store passwords with reversible encryption" is a better
deal/more secure setup than that!

 

Or am I misinterpreting what I am reading here? (Which wouldn't be any
surprise, my Cisco skills are getting rusty.)

 

Regards,

 

Michael B. Smith

MCITP:SA,EMA/MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Aaron T. Rohyans [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 23, 2008 10:11 AM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

 

For VPN (and you can adapt this for Telnet/SSH), you can do the
following:

ldap attribute-map MS_ALLOWDIALIN
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NO_VPN_CLIENTS_GP
  map-value msNPAllowDialin TRUE VPN_CLIENTS_GP

aaa-server LDAP protocol ldap
aaa-server LDAP host 192.168.1.1
 server-port 389
 ldap-base-dn CN=Users,DC=test,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=testuser,CN=Users,DC=test,DC=local
 server-type microsoft
 ldap-attribute-map MS_ALLOWDIALIN

tunnel-group VPN_GROUP type ipsec-ra
tunnel-group VPN_GROUP general-attributes
 address-pool TEST_POOL
 authentication-server-group LDAP
 default-group-policy VPN_CLIENTS_GP
tunnel-group VPN_GROUP ipsec-attributes
 pre-shared-key *

group-policy NO_VPN_CLIENTS_GP internal
group-policy NO_VPN_CLIENTS_GP attributes
 banner value **You do not have access to the VPN.  Please see your system administrator!**
 vpn-simultaneous-logins 0

group-policy VPN_CLIENTS_GP internal
group-policy VPN_CLIENTS_GP attributes
 vpn-tunnel-protocol ipsec
 vpn-simultaneous-logins 5

Notice the "ldap-attribute-map" under the aaa-server config.  This
references the LDAP attribute map above it.  The LDAP attribute map is
what maps the Microsoft LDAP attribute (in this case msNPAllowDialin) to
an IETF equivalent that Cisco understands.  So, msNPAllowDialin maps to
cVPN3000-IETF-Radius-Class.  **THIS IS ONLY NEEDED IF YOU WANT TO
AUTHORIZE USERS TO USE THE VPN!  IF ALL USERS ARE GRANTED PERMISSION,
YOU CAN LEAVE OUT THE LDAP ATTRIBUTE-MAP**

 

FYI - msNPAllowDialin is the radio button to allow or deny a user
dial-in privileges under their AD properties window.  Notice that the
LDAP map also references what to do when a user is Allowed (True - use
the Group Policy VPN_CLIENTS_GP) or Denied (False - NO_VPN_CLIENTS_GP).
The NO_VPN_CLIENTS_GP specifies that the client can have simultaneous
logins of "0" - meaning they can't log in.

 

To modify this to use for Telnet/SSH/HTTP authentication, just create a
new aaa-server (copy the config from above), but change the base-dn to
point to a sub-level group container that *only* contains
administrators.  Thus, Domain Users who are in this container will never
be authenticated because the ASA will not be able to locate their
username (see below):

aaa-server LDAP_ADMINISTRATORS protocol ldap
aaa-server LDAP_ADMINISTRATORS host 192.168.1.1
 server-port 389
 ldap-base-dn CN=Administrators,DC=test,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=testuser,CN=Users,DC=test,DC=local
 server-type microsoft

aaa authentication http console LDAP_ADMINISTRATORS
aaa authentication telnet console LDAP_ADMINISTRATORS
aaa authentication ssh console LDAP_ADMINISTRATORS

HTH!

Aaron Rohyans 
IT Coordinator, IDC-USA 
[EMAIL PROTECTED]
317.244.8307 (V) 
317.244.4600 (F) 
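To make the authorization logic in the configs above concrete, here is an added Python model (not Cisco code and not from the thread) of what the ASA does with them: the subtree search under ldap-base-dn keyed on sAMAccountName, the ldap-attribute-map that turns msNPAllowDialin into a group-policy name, the "vpn-simultaneous-logins 0" policy that refuses a session even after a correct password, and the admin-only base DN that leaves everyone outside it unfound. The directory, account names and passwords are constructed; "OU=Admins" stands in for the admin-only container (the base DN has to be a container or OU that actually holds the admin accounts for the subtree search to find them). The "dave" entry models an account whose dial-in setting was left at the AD default, so msNPAllowDialin is not set at all; the model assumes that such a user gets the tunnel-group's default-group-policy, which in the posted config is the permissive one, so that case is worth checking in your own directory.

```python
"""Model of the ASA LDAP authentication/authorization flow in the configs above.

Added example, not Cisco code and not from the thread. It models the subtree
search under ldap-base-dn, the ldap-attribute-map (msNPAllowDialin -> group
policy), the 'vpn-simultaneous-logins 0' denial, and the admin-only base DN
used for Telnet/SSH/HTTP. Directory contents and passwords are constructed;
'OU=Admins' is a placeholder for the admin-only container.
"""
import hmac

# Constructed sample directory: DN -> attributes. Passwords are placeholders.
DIRECTORY = {
    "CN=alice,CN=Users,DC=test,DC=local": {
        "sAMAccountName": "alice", "password": "alice-pw", "msNPAllowDialin": "TRUE"},
    "CN=bob,CN=Users,DC=test,DC=local": {
        "sAMAccountName": "bob", "password": "bob-pw", "msNPAllowDialin": "FALSE"},
    # Dial-in left at the AD default: the attribute is absent, so the map
    # has nothing to match and the tunnel-group default applies (assumption).
    "CN=dave,CN=Users,DC=test,DC=local": {
        "sAMAccountName": "dave", "password": "dave-pw"},
    "CN=carol,OU=Admins,DC=test,DC=local": {
        "sAMAccountName": "carol", "password": "carol-pw", "msNPAllowDialin": "TRUE"},
}

# The two aaa-server groups from the thread, as data (base DN for admins assumed).
LDAP_VPN = {"ldap-base-dn": "CN=Users,DC=test,DC=local",
            "ldap-naming-attribute": "sAMAccountName"}
LDAP_ADMINS = {"ldap-base-dn": "OU=Admins,DC=test,DC=local",
               "ldap-naming-attribute": "sAMAccountName"}

# ldap attribute-map MS_ALLOWDIALIN, tunnel-group default, and group policies.
ATTRIBUTE_MAP = {"attribute": "msNPAllowDialin",
                 "values": {"TRUE": "VPN_CLIENTS_GP", "FALSE": "NO_VPN_CLIENTS_GP"}}
TUNNEL_GROUP = {"default-group-policy": "VPN_CLIENTS_GP"}
GROUP_POLICIES = {"NO_VPN_CLIENTS_GP": {"vpn-simultaneous-logins": 0},
                  "VPN_CLIENTS_GP": {"vpn-simultaneous-logins": 5}}


def normalize_dn(dn):
    """Split a DN into RDNs; DNs compare case-insensitively with spaces ignored."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn or lies beneath it (ldap-scope subtree)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def find_user(directory, server, username):
    """Search (naming-attribute=username) under the server group's base DN."""
    attr = server["ldap-naming-attribute"]
    for dn, attrs in directory.items():
        if in_subtree(dn, server["ldap-base-dn"]) and \
                attrs.get(attr, "").lower() == username.lower():
            return dn
    return None


def bind(directory, dn, password):
    """Stand-in for the user bind the directory performs; constant-time compare."""
    return hmac.compare_digest(directory[dn]["password"].encode(), password.encode())


def authenticate_console(directory, server, username, password):
    """Telnet/SSH/HTTP login: found under the base DN and bind succeeds."""
    dn = find_user(directory, server, username)
    if dn is None:
        return ("denied", "user not found under base DN")
    if not bind(directory, dn, password):
        return ("denied", "bad password")
    return ("allowed", dn)


def authenticate_vpn(directory, server, username, password,
                     attribute_map=ATTRIBUTE_MAP, tunnel_group=TUNNEL_GROUP,
                     group_policies=GROUP_POLICIES):
    """VPN login: authenticate, then pick the group policy via the attribute map."""
    status, detail = authenticate_console(directory, server, username, password)
    if status == "denied":
        return (status, detail)
    attrs = directory[detail]
    policy = attribute_map["values"].get(attrs.get(attribute_map["attribute"]))
    policy = policy or tunnel_group["default-group-policy"]
    if group_policies[policy]["vpn-simultaneous-logins"] == 0:
        return ("denied", f"{policy} permits 0 simultaneous logins")
    return ("allowed", policy)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("dave", "dave-pw")]:
        print("vpn", user, authenticate_vpn(DIRECTORY, LDAP_VPN, user, pw))
    for user, pw in [("bob", "bob-pw"), ("carol", "carol-pw")]:
        print("ssh", user, authenticate_console(DIRECTORY, LDAP_ADMINS, user, pw))
```

Bob is denied the VPN with a correct password because his FALSE maps to NO_VPN_CLIENTS_GP, and he never reaches the SSH check because he is not under the admin base DN; dave shows why "deny by default" needs an explicit attribute value rather than the AD default.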

________________________________

From: Todd Lemmiksoo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 23, 2008 9:33 AM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

 

Our customer wants to do SSH and VPN. Michael Adamson suggested
upgrading to 8.x IOS. Yes, I would like to see the sample configs.

 

Thanks!

Todd Lemmiksoo 
Network Administrator 

All-Mode Communications, Inc. 
1725 Dryden Road 
Freeville, New York  13068 
(607) 347-4164 x440 
1-877-ALLMODE  (toll free) 
http://www.all-mode.com

 

________________________________

From: Aaron T. Rohyans [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 5:50 PM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

What are you wanting to authenticate?  Telnet/SSH connections, or VPN
tunnels?

 

My suggestion would be to use LDAP or Radius.  ASA v7.x now supports
authentication directly via LDAP.  

 

I can provide sample configs if need be.

 

HTH,

Aaron Rohyans 
IT Coordinator, IDC-USA 
[EMAIL PROTECTED]
317.244.8307 (V) 
317.244.4600 (F) 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 5:37 PM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

 

Todd, I'll email you off-line tomorrow with how we have our ASA 5505
setup for the auth to AD.

 

 

Thomas

 

From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 4:20 PM
To: NT System Admin Issues
Subject: RE: ASA question...how to auth to AD

 

You would generally use IAS as an intermediary - the Windows version of
RADIUS. (This was true on the PIX, I've never done anything with ASAs,
but I doubt they've learned to speak Kerberos or NTLMv2.)

 

Regards,

 

Michael B. Smith

MCITP:SA,EMA/MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Todd Lemmiksoo [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 5:17 PM
To: NT System Admin Issues
Subject: ASA question...how to auth to AD

 

Not sure if this has been asked before.....but 

How does one auth login from ASA to Windows AD? Where in the ASA setup
can I look? 

Todd Lemmiksoo 
Network Administrator 

All-Mode Communications, Inc. 
1725 Dryden Road 
Freeville, New York  13068 
(607) 347-4164 x440 
1-877-ALLMODE  (toll free) 
http://www.all-mode.com
