
LDAP queries on cisco ASA to query active directory security groups


When you use multiple tunnel groups (each distributed to the Cisco VPN client as its own PCF profile), there are times when you want to query Active Directory to make sure a user belongs to a specific security group before you allow them VPN access. For instance, you may want a user to be able to connect with one PCF but not with another.

We have a customer that uses RSA SecurID for two-factor authentication and wants to query Active Directory to verify that users are in a certain security group before they are allowed onto the VPN. This means that even a user holding a valid RSA token may be refused VPN access. With the legacy Cisco VPN client you cannot configure two authentication servers on a tunnel group; double authentication requires Cisco AnyConnect. What you can do instead is split the two steps: one server group for authentication (RSA SecurID) and a separate server group for authorization (LDAP against Active Directory), which achieves the same result. Below is an example of authenticating a user with RSA SecurID and then querying AD before allowing the user VPN access.

Here is how you do this on the Cisco ASA.

First, tell the ASA which AD group a user must be in to connect to your tunnel group. The attribute map below reads the user's memberOf attribute and, when it contains the DN of the contoso-VPN group, assigns the group policy named cisco_vpn. The mapped value must be the name of a group policy that exists on the ASA, and the DN string must match what AD returns for the group:

*********Begin Cisco Config*********************

ldap attribute-map contoso-vpn
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=contoso-VPN,OU=contoso Groups,OU=cisco,DC=contoso,DC=local" cisco_vpn

********End Cisco Config************************

Next, define an AAA server group for LDAP (you can define more than one). The ldap-login-dn is the service account the ASA binds with, and the ldap-base-dn is where it searches for the connecting user's account by sAMAccountName, so the base DN must contain the VPN users' accounts, not just the service account. Enabling ldap-over-ssl on port 636 keeps the bind password and the query off the wire in cleartext. The attribute map from the previous step is attached with the last line:

*********Begin Cisco Config**********************

aaa-server contoso protocol ldap
aaa-server contoso (inside) host 192.168.1.1
 server-port 636
 ldap-base-dn OU=services account,OU=users,DC=contoso,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password 123456password
 ldap-login-dn CN=ldap user,OU=services account,OU=cisco,DC=contoso,DC=local
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map contoso-vpn

*************End Cisco Config**************

Now define a group policy that refuses the connection for anyone the attribute map did not place in a policy, that is, anyone who is not in the contoso-VPN AD security group. Setting vpn-simultaneous-logins to 0 means a user who lands in this policy cannot establish a session:

********Begin Cisco Config*************************

group-policy no_access internal
group-policy no_access attributes
 vpn-simultaneous-logins 0

***************End Cisco Config*********************

Finally, modify your existing tunnel group so that its default group policy is no_access and contoso is its authorization server group. Authentication still goes to the SecurID server group (assumed to be defined already). After a successful SecurID login the ASA queries contoso, and only users whose memberOf matched the attribute map are moved out of no_access into cisco_vpn; everyone else is dropped by the zero-login policy.

************Begin Cisco Config***********************

tunnel-group cisco_vpn type remote-access
tunnel-group cisco_vpn general-attributes
 authentication-server-group SecurID
 authorization-server-group contoso
 default-group-policy no_access

************End Cisco Config******************
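To make the authorization decision concrete, here is an added Python model (not part of the original article and not Cisco code) of what the ASA does with the configuration above: it parses the attribute map, builds the search filter for the user, runs the memberOf values AD returns through the map, and falls back to the default group policy when nothing matches. The group-policy attributes for cisco_vpn, the three sample users and their memberOf values are constructed assumptions, and the exact-match comparison of DNs is this model's choice.

```python
"""Offline model of the ASA authorization step described in this article.

The ASA binds with the ldap-login-dn, searches the ldap-base-dn for the user's
sAMAccountName, reads the memberOf values AD returns, and runs them through the
ldap attribute-map. A matching map-value selects a group-policy; no match means
the tunnel-group's default-group-policy (no_access) applies.
"""
import shlex

# Copy of the attribute map from the article (the only config this model reads).
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map contoso-vpn
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=contoso-VPN,OU=contoso Groups,OU=cisco,DC=contoso,DC=local" cisco_vpn
"""

DEFAULT_GROUP_POLICY = "no_access"  # tunnel-group default-group-policy

# Assumed group-policy attributes: no_access is from the article; cisco_vpn is
# the policy the map-value names, which the article leaves undefined.
GROUP_POLICIES = {
    "no_access": {"vpn-simultaneous-logins": 0},
    "cisco_vpn": {"vpn-simultaneous-logins": 3},
}

# Constructed memberOf values, as a DC would return them for three test users.
SAMPLE_USERS = {
    "alice": ["CN=contoso-VPN,OU=contoso Groups,OU=cisco,DC=contoso,DC=local",
              "CN=Domain Users,CN=Users,DC=contoso,DC=local"],
    "bob":   ["CN=Domain Users,CN=Users,DC=contoso,DC=local"],
    "carol": [],  # account exists but has no memberOf attribute at all
}


def parse_attribute_map(config):
    """Parse 'ldap attribute-map' lines into (name, map-name dict, map-value dict)."""
    name, names, values = None, {}, {}
    for raw in config.splitlines():
        tokens = shlex.split(raw)  # shlex keeps the quoted DN as one token
        if not tokens:
            continue
        if tokens[:2] == ["ldap", "attribute-map"]:
            name = tokens[2]
        elif tokens[0] == "map-name":
            names[tokens[1]] = tokens[2]                # ldap attr -> Cisco attr
        elif tokens[0] == "map-value":
            values[(tokens[1], tokens[2])] = tokens[3]  # (ldap attr, value) -> policy
    return name, names, values


def search_filter(naming_attribute, username):
    """Build the LDAP search filter for the user, escaping RFC 4515 metacharacters.

    The username comes from the VPN client, so any tool that rebuilds this filter
    outside the ASA must escape it; otherwise 'a)(objectClass=*' rewrites the query.
    """
    escaped = username
    for ch, code in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        escaped = escaped.replace(ch, code)
    return f"({naming_attribute}={escaped})"


def select_group_policy(member_of, attribute_map, default=DEFAULT_GROUP_POLICY):
    """Run the user's memberOf values through the map; the first mapped DN wins."""
    _, names, values = attribute_map
    if names.get("memberOf") != "IETF-Radius-Class":
        return default  # memberOf is not mapped to a group-policy at all
    for dn in member_of:
        # Exact string comparison in this model: the map-value must match the DN
        # as AD returns it (check 'debug ldap 255' on the ASA for the real string).
        policy = values.get(("memberOf", dn))
        if policy is not None:
            return policy
    return default


def vpn_allowed(member_of, attribute_map, policies=GROUP_POLICIES):
    """Return (allowed, policy): vpn-simultaneous-logins 0 rejects the session."""
    policy = select_group_policy(member_of, attribute_map)
    logins = policies.get(policy, {}).get("vpn-simultaneous-logins", 0)
    return logins > 0, policy


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)
    print("attribute map:", amap[0], amap[1], amap[2])
    for user, groups in SAMPLE_USERS.items():
        print(search_filter("sAMAccountName", user), "->", vpn_allowed(groups, amap))
```

On the ASA itself the same decision can be checked without a VPN client: `test aaa-server authorization contoso host 192.168.1.1 username <user>` runs the LDAP query for one account, and `debug ldap 255` prints the search filter, the memberOf values returned and the group policy the attribute map selected, which is the quickest way to spot a DN string that does not match the map-value.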
