Monday, May 27, 2013

EasyVPN LDAP Authentication

The following is a tutorial on how to enable an ASA to use LDAP (Active Directory) group policy for log-in authentication when connecting via Cisco EasyVPN.

LDAP stands for Lightweight Directory Access Protocol, which is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Or in simpler terms, LDAP lets you access AD.

For the sake of this tutorial we will be adding a group to an ASA 5510.

Add the AD group to the attribute map

We need to tell the ASA what domain and group to look at for the authentication process.

An attribute map, for our purposes, is essentially a list of the AD groups we want to use and the local group-policy each one maps to.
CN=Foobar VPN sets Foobar VPN as the AD group. This is the exact name configured on the AD server.
OU=VPN Groups sets the OU as "VPN Groups". This is the OU that contains the Foobar VPN group on the AD server.
DC=foobar,DC=com sets the domain as foobar.com.
And lastly FoobarVPN is the local (the ASA's) name for this group, i.e. the group-policy we define in the next step.
The map-name line tells the ASA which AD attribute (memberOf) is being mapped onto the group-policy; without it the map-value line is never consulted.
ldap attribute-map LDAPAttMap
 map-name memberOf Group-Policy
 map-value memberOf "CN=Foobar VPN,OU=VPN Groups,DC=foobar,DC=com" FoobarVPN

Define a group policy

So the ASA knows about the Windows server, but we don't have a local group policy set up for the VPN group. There's a whole whack of attributes that can be defined, so let's get crackin'.

We won't be using a WINS server, so here we define that as none. But we do have two local DNS servers, 192.168.1.11 and .12. vpn-simultaneous-logins lets us define how many simultaneous logins we're going to allow; for this group we only want three at any one time.

The vpn-filter is just an ACL (FoobarFilter) to be applied to this tunnel. vpn-tunnel-protocol allows us to choose which protocol we wish to use for the tunnel; here we've chosen ssl-client, i.e. AnyConnect over SSL. This VPN is a split-tunnel, which allows users to access a public network (the internet) as well as a LAN at the same time using the same physical connection. Which LANs are accessible can be defined using the split-tunnel-network-list command; the value is simply another ACL (FoobarVPN_Split).

default-domain simply defines the domain this VPN will be accessing. address-pools lets us choose the DHCP pool we'll be using for addressing the connected clients. And lastly, we tell the ASA that the clients will be connecting through WebVPN and that the Cisco AnyConnect installer should remain installed after use.
group-policy FoobarVPN internal
group-policy FoobarVPN attributes
 wins-server none
 dns-server value 192.168.1.11 192.168.1.12
 vpn-simultaneous-logins 3
 vpn-filter value FoobarFilter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value FoobarVPN_Split
 default-domain value foobar.com
 address-pools value VPNPool
 webvpn
 anyconnect keep-installer installed

Setup a tunnel-group for remote access

Now that the ASA is aware of the AD server and the group we need to use, we have to set up a tunnel group for our users. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself, and they include a pointer to a group policy that defines the user-oriented attributes.

Firstly, we have to create a tunnel-group, also named FoobarVPN, of type remote-access.
Now we can start to define some general attributes.

address-pool VPNPool defines VPNPool as the DHCP address pool (this pool is not defined in this tutorial). You can configure up to 10 external DHCP servers and 6 address pools. Because we are using the ASA as the DHCP server, no external server is defined here.

authentication-server-group Foobar_LDAP specifies Foobar_LDAP as the AAA server group. This tutorial assumes this has been pre-defined. I'll include a snippet on how to quickly configure it at the bottom of this page.

default-group-policy FoobarVPN tells the ASA that the FoobarVPN policy we created in step two is the default group policy for this tunnel-group. Note that this default applies to any account the LDAP server authenticates successfully, member of the mapped AD group or not; the attribute map only overrides the policy for members. If only members should get in, the default-group-policy should be a restrictive policy (for example one with vpn-simultaneous-logins 0) rather than FoobarVPN itself.

Going into the webvpn-attributes sub-tree we can enable WebVPN to use the FoobarVPN we defined in step two.

tunnel-group FoobarVPN type remote-access
tunnel-group FoobarVPN general-attributes
 address-pool VPNPool
 authentication-server-group Foobar_LDAP
 authentication-server-group (Internal) Foobar_LDAP
 default-group-policy FoobarVPN
tunnel-group FoobarVPN webvpn-attributes
 group-alias FoobarVPN enable

Bonus Round! Setting up the Authentication Server!

Welcome to the bonus round! This snippet will help you in initially configuring your ASA (or if you have the unfortunate pleasure of owning a PIX) to use an LDAP server.

So we're using LDAP, so let's tell the ASA that: aaa-server Foobar_LDAP protocol ldap defines our server group as Foobar_LDAP and specifies the protocol as LDAP.

Okay, we told it a server group exists; now we need to tell the ASA where to find it: aaa-server Foobar_LDAP (Internal) host 192.168.1.2 associates the Foobar_LDAP group we defined two seconds ago with the 192.168.1.2 IP address and lets the ASA know the server is reached through the interface named Internal.

Then we specify the search base in which the server looks for users and groups, dc=foobar,dc=com (ldap-base-dn and ldap-group-base-dn), set ldap-scope subtree so the whole tree beneath it is searched, and set ldap-naming-attribute sAMAccountName so the username typed into the client is matched against the AD logon name.

And finally we give it the password and domain log-in of the account the ASA binds with, tell the ASA that the server is running Windows (server-type microsoft), and attach the attribute map from step one with ldap-attribute-map LDAPAttMap. The bind account only needs read access to the user and group objects, and as configured here the bind is sent over cleartext LDAP, so the ASA's ldap-over-ssl enable option is worth turning on where the server supports LDAPS.
aaa-server Foobar_LDAP protocol ldap
aaa-server Foobar_LDAP (Internal) host 192.168.1.2
 ldap-base-dn dc=foobar,dc=com
 ldap-group-base-dn dc=foobar,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn vpnasa@foobar.com
 server-type microsoft
 ldap-attribute-map LDAPAttMap
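To make the decision behind the attribute map, the tunnel-group's default-group-policy fallback and the aaa-server lookup concrete, here is an added Python model of what the ASA does on each login. It is not code from this page or from Cisco; the directory contents, the passwords and the NOACCESS policy are constructed, and taking the first matching memberOf value is a simplifying assumption.

```python
import hmac

# The attribute map from the page: memberOf value -> local group-policy name.
# The page says the DN must be the exact AD name, so it is compared verbatim.
LDAP_ATT_MAP = {
    "CN=Foobar VPN,OU=VPN Groups,DC=foobar,DC=com": "FoobarVPN",
}

# Local group policies and their vpn-simultaneous-logins value. NOACCESS is a
# constructed extra policy (not on the page) that denies by allowing 0 logins.
GROUP_POLICIES = {"FoobarVPN": 3, "NOACCESS": 0}

# Constructed stand-in for the foobar.com directory, keyed by sAMAccountName
# (the ldap-naming-attribute). No real LDAP traffic is sent.
DIRECTORY = {
    "alice": {"password": "alice-pw", "memberOf": [
        "CN=Staff,OU=Groups,DC=foobar,DC=com",
        "CN=Foobar VPN,OU=VPN Groups,DC=foobar,DC=com"]},
    "bob": {"password": "bob-pw", "memberOf": [
        "CN=Staff,OU=Groups,DC=foobar,DC=com"]},
}


def ldap_bind(username, password):
    """Step 1: the ASA locates the user under ldap-base-dn and binds with the
    supplied password. Returns the entry on success, None on failure."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return entry


def mapped_group_policy(entry, default_policy):
    """Step 2: walk the user's memberOf values; the first one present in the
    attribute map selects the group-policy (assumed ordering), otherwise the
    tunnel-group's default-group-policy applies."""
    for group_dn in entry["memberOf"]:
        if group_dn in LDAP_ATT_MAP:
            return LDAP_ATT_MAP[group_dn]
    return default_policy


def vpn_login(username, password, default_policy="FoobarVPN"):
    """Full decision: (allowed, group_policy). A policy whose
    vpn-simultaneous-logins is 0 rejects the session even after a good bind."""
    entry = ldap_bind(username, password)
    if entry is None:
        return (False, None)
    policy = mapped_group_policy(entry, default_policy)
    return (GROUP_POLICIES[policy] > 0, policy)
```

With the page's default of FoobarVPN, bob gets in even though he is not in the VPN group; pointing default-group-policy at the zero-login policy is what closes that gap while alice still lands in FoobarVPN through the map.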
