Archive for category 2008

Cisco ASA and Windows Server 2008: Welcome Back LDAP

You may or may not have problems doing Windows style authentication to your Server 2008 for your AAA access on your ASA firewall.

I have seen it work and not work, I suspect that the forest/domains were probably at different levels, I have heard that Server 2008 doesn’t support NTLM version 1.

If your doesn’t or you want to use LDAP, read on.  One reason you may want to use LDAP is you can stack attributes using Dynamic Policies,

The first problem I will encounter at a customer site is getting the ASA to talk to the domain controller as part of the LDAP AAA group setup. Usually it’s an OU issue, to find the exact string run the dsquery command on the Domain Controller (DC):

dsquery user -samid ciscoldap
"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"

In the case above there was an additional OU of HQ.  Now when clicking on the Test button on AAA group setup it successfully communicates.


Be aware that a failure of credentials for LDAP will give the same error as if there is a connectivity issue or the Windows firewall is blocking the port.


Now the cool thing IMHO is you can browse the various Windows attributes from with in the ASA.  I use this to “stack” attributes, instead of just controlling whether someone can log in if the RemoteDialIn I can also authorize them based on membership in a second group or select a group policy depending on which AD attributes match.


To View the various AD groups that can be used as a selection criteria go to:

Remote Access VPN>Clientless SSL>Dynamic Access Polocies

On the left select Add,  then LDAP for AAA Attribute type.  Now click on “Get AD Groups” and you can change filters, policies, etc all based on AD group membership.

Ideal for keeping vendors limited to work hours and a single network asset.

Share

, , , ,

No Comments