LDAP stands for Lightweight Directory Access Protocol, which is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Or in simpler terms, LDAP lets you access AD.
For the sake of this tutorial we will be adding a group to an ASA 5510
Add the AD group to the attribute map
We need to tell the ASA what domain and group to look at for the authentication process.An attribute map for our purposes, is essentially a list of VPN groups that we want to use.
CN=Foobar VPN is setting Foobar VPN as the AD group. This is the exact name configured on the AD Server.
OU=VPN Groups is setting the OU as "VPN Groups". This is the OU that contains the Foobar VPN group on the AD Server.
DC=foobar, DC=com sets the domain as foobar.com
and lastly FoobarVPN is the local (the ASA's) name for this group.
ldap attribute-map LDAPAttMap map-value memberOf "CN=Foobar VPN,OU=VPN Groups,DC=foobar,DC=com" FoobarVPN
Define a group policy
So the ASA knows about the Windows server, but we don't have a local group policy set up for the VPN group. There's a whole whack of attributes that can be defined so lets get crackin'.We won't be using a WINS server so here we define that as none. But we do have two local DNS servers, 192.168.1.11 and .12. The group policies allow you to define how many users that we're going to allow in at once. For this group we only want three at any one time.The vpn-filter is just an ACL to be applied to this tunnel. vpn-tunnel-protocol allows us to choose which encryption protocol we wish to use for the tunnel, here we've chosen SSL. This VPN is a split-tunnel , which allows users to access a public network (the internet) as well as a LAN at the same time using the same physical connection. Which LANs are accessible can be defined using the split-tunnel-network-list command. The value is simply another ACL. default-domain simply defines the domain this VPN will be accessing. address-pools lets us choose the DHCP pool we'll be using for addressing the connected clients. And lastly, we tell the ASA that the clients will be connecting through WebVPN and that the Cisco AnyConnect installer should remain installed after use.
group-policy FoobarVPN internal group-policy FoobarVPN attributes wins-server none dns-server value 192.168.1.11 192.168.1.12 vpn-simultaneous-logins 3 vpn-filter value FoobarFilter vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value FoobarVPN_Split default-domain value foobar.com address-pools value VPNPool webvpn anyconnect keep-installer installed
Setup a tunnel-group for remote access
Now that we have the ASA aware of the AD server and the group we need to use. We have to setup a tunnel group for our users. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes.Firstly, we have to set the FoobarVPN group that we defined previously as a remote-access group.
Now we can start to define some general attributes.
address-pool VPNPool defines VPNPool as the DHCP address pool (this pool is not defined in this tutorial). You can set up to 10 external DHCP servers and 6 pools. Because we are using the ASA as the DHCP server, it is not explicitly defined here.
authentication-server-group Foobar_LDAP specifies Foobar_LDAP as the AAA server group. This tutorial assumes this as been pre-defined. I'll include a snippet on how to quickly configure it at the bottom of this page.
default-group-policy FoobarVPN tells the ASA that the FoobarVPN we created in step two is the default policy group for this tunnel-group.
Going into the webvpn-attributes sub-tree we can enable WebVPN to use the FoobarVPN we defined in step two.
tunnel-group FoobarVPN type remote-access tunnel-group FoobarVPN general_attributes address-pool VPNPool authentication-server-group Foobar_LDAP authentication-server-group (Internal) Foobar_LDAP default-group-policy FoobarVPN tunnel-group FoobarVPN webvpn-attributes group-alias FoobarVPN enable
Bonus Round! Setting up the Authentication Server!
Welcome to the bonus round! This snippet will help you in initially configuring your ASA (or if you have the unfortunate pleasure of owning a PIX) to use an LDAP server.So we're using LDAP so lets tell the ASA that: aaa-server Foobar_LDAP protocol ldap defines our server as Foobar_LDAP and specifies the protocol as LDAP .
Okay we told it a server exists, now we need to tell the ASA where to find it: aaa-server Foobar_LDAP (Internal) host 192.168.1.2 associates the Foobar_LDAP server we defines two seconds ago with the 192.168.1.2 IP address and lets the ASA know it's an internal server.
Then we specify the domain in which the server exists, foobar.com
And finally we give it the password, domain log-in, and tell the ASA that the server is running Windows.
aaa-server Foobar_LDAP protocol ldap aaa-server Foobar_LDAP (Internal) host 192.168.1.2 ldap-base-dn dc=foobar,dc=com ldap-group-base-dn dc=foobar,dc=com ldap-scope subtree ldap-naming-attribute saMAccountName ldap-login-password ***** ldap-login-dn vpnasa@foobar.com server-type microsoft ldap-attribute-map LDAPAttMap
No comments:
Post a Comment