
Cisco ASA Next-Generation Firewall Services

Next-Generation Firewall (CX) Active Directory Integration Configuration Example


Document ID: 117377

Updated: Jan 30, 2014

Contributed by Jay Johnston, Prapanch Ramamoorthy, and Kevin Klous, Cisco TAC Engineers.


Introduction

This document describes how to determine the correct Lightweight Directory Access Protocol (LDAP) User and Group search bases when you configure the Next-Generation Firewall (ASA CX, Cisco's context-aware firewall) with Prime Security Manager (PRSM) for Identity features. If the Directory User and Group search base information entered in PRSM is wrong, the device cannot look up User and Group information correctly and identity-based policies might fail to apply. This document walks through finding the correct User and Group search bases for an Active Directory domain and shows how to confirm that the CX can successfully perform User and Group searches.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Next-Generation Firewall with on-box PRSM management, Version 9.2.1.2(52).

Note: This document assumes that authentication and user and group policies will be performed using a Microsoft Active Directory Domain Controller.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This document describes two types of configurations, which are the Realm Configuration and the Directory Configuration.

The Realm Configuration

The Realm is a container in which authentication servers are placed. For more information on Directory Realms, see the Overview of Directory Realms section of the User Guide for ASA CX and Cisco Prime Security Manager 9.2.

Example

In PRSM Version 9.2, choose Configurations > Directory Realm.

Note: The Primary Domain should be lowercase due to Cisco bug ID CSCum53396 - ASA CX doesn't handle case sensitivity for domain names correctly.

The Directory Configuration

Within the configured Realm, a Directory must be created that represents the LDAP server (the Active Directory server).

The 'User search base' and 'Group search base' must be correctly configured based upon the specific Active Directory structure, or the user-based and group-based policies might fail. Refer to the information in this section in order to determine the appropriate values for these fields in your environment.

Example

Determine the User Search Base

In order to determine the user search base, complete these steps:

  1. Log in to the Active Directory server as a domain administrator.

  2. Open a command prompt (choose Start > Run and enter cmd).

  3. Enter the dsquery command in order to determine the Distinguished Name (DN) of a known user. The trailing domain components (DC=...) of that DN are what you enter as the User search base on the Directory configuration screen within Prime Security Manager.

In this example, the dsquery command searches for user objects whose name begins with 'Jay'. The '*' wildcard makes the command return the DN of every user whose name starts with 'Jay':

This output can be used in order to determine the LDAP structure for the User search base within Prime Security Manager.

In this example, the domain components of the returned DN, 'DC=csc-lab,DC=ciscotac,DC=com', are used as the User search base for the directory configuration in PRSM.

Determine the Group Search Base

The procedure to determine the Group search base is similar to the procedure to determine the User search base.

  1. Log in to the Active Directory server as a domain administrator.

  2. Open a command prompt (choose Start > Run and enter cmd).

  3. In order to determine the DN of a known group, enter the dsquery command. Enter the domain components of that DN as the Group search base on the Directory configuration screen.

In this example, the group of interest is named 'Employees'. You can therefore use the dsquery command in order to determine the DN of that specific group:

This output is used in order to determine the LDAP structure for the Group search base.

In this case, 'DC=csc-lab,DC=ciscotac,DC=com' is an appropriate Group search base for the directory configuration.

This image shows how the output of the dsquery commands can be mapped to the Directory User and Group search base information:
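The two dsquery procedures above (User search base and Group search base) can be run together from a PowerShell prompt on the Domain Controller. The script below is an added example and is not part of the Cisco document; the user filter 'Jay*', the group name 'Employees' and the csc-lab.ciscotac.com lab domain are the document's values, and the function name Get-SearchBaseFromDN is this example's own. It derives the search base by keeping only the DC= components of each returned DN, which is the mapping the document describes.

```powershell
# Added example, not from the Cisco document. Run as a domain administrator
# on the Active Directory Domain Controller.

function Get-SearchBaseFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split the DN into RDNs on unescaped commas; an escaped '\,' inside a
    # CN such as "Johnston\, Jay" must not be treated as a separator.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),') | ForEach-Object { $_.Trim() }
    # Keep only the domain components. That is the broadest valid search
    # base, and it is what the document enters in PRSM.
    $dc = $rdns | Where-Object { $_ -match '^DC=' }
    return ($dc -join ',')
}

# Step 3 of each procedure: dsquery prints one quoted DN per matching object.
# @() forces an array even when exactly one object matches.
$userDNs  = @(dsquery user  -name 'Jay*'      | ForEach-Object { $_.Trim('"') })
$groupDNs = @(dsquery group -name 'Employees' | ForEach-Object { $_.Trim('"') })

if ($userDNs.Count -eq 0)  { throw "dsquery returned no user matching 'Jay*'; check the name filter." }
if ($groupDNs.Count -eq 0) { throw "dsquery returned no group named 'Employees'." }

$userBase  = Get-SearchBaseFromDN -DistinguishedName $userDNs[0]
$groupBase = Get-SearchBaseFromDN -DistinguishedName $groupDNs[0]

"User DN          : $($userDNs[0])"
"User search base : $userBase"
"Group DN         : $($groupDNs[0])"
"Group search base: $groupBase"

# Both bases normally come out identical because users and groups live in
# the same domain. If they differ, the two objects are in different domains
# and the Directory configuration in PRSM must point at the right one.
if ($userBase -ne $groupBase) {
    Write-Warning "User and Group search bases differ: '$userBase' vs '$groupBase'"
}
```

If all users and groups of interest sit under one organizational unit, you can instead keep the OU= components as well (for example the RDNs from the first OU= onward) to get a narrower search base; the domain-root base shown here is the safe default when you are not sure.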

Determine the Distinguished Name of Other Objects in Active Directory - ADSI Edit

If you need to browse your Active Directory structure in order to look up distinguished names to use for your User or Group search base, you can use a tool called ADSI Edit that is built into Active Directory Domain Controllers. In order to open ADSI Edit, choose Start > Run on your Active Directory Domain Controller and enter adsiedit.msc.

Once you are in ADSI Edit, right-click any object (such as an organizational unit (OU), group, or user) and choose Properties in order to view the distinguished name of that object. You can then easily copy and paste the string to your CX configuration in PRSM in order to avoid any typographical errors. See this screenshot for more specifics on this process:

Verify

Use this section in order to confirm that your configuration works properly.

Verify the Network Connectivity to the Active Directory Server

In order to verify the basic network connectivity between the Next-Generation Firewall and the Active Directory server, click Test connection.

Note: Test connection simply verifies that the Next-Generation Firewall can look up the IP address for the configured directory hostname and establish a TCP connection to that IP address on destination TCP port 389. It does not confirm that the Next-Generation Firewall is able to query the Active Directory server and perform actual user and group lookups.

Verify the User and Group Lookup with the Active Directory

In order to verify that the Identity information is correct, perform a simple test that triggers the Next-Generation Firewall to perform an LDAP search with the configured User and Group search bases.

Before you test, ensure that all configuration changes have been deployed to the device.

  1. Choose Configurations > Policies/Settings.

  2. Create a new policy (this policy will not be saved). From the Source drop-down list, choose Create new object.

  3. In the Name field, enter an object name. From the Object type drop-down list, choose CX Identity object.

  4. In the Groups field, enter a few characters contained in the name of a known Active Directory group. If the Next-Generation Firewall offers a drop-down list of Active Directory groups that match, it was able to query the LDAP server and found the group in the LDAP structure, so the configuration is functional.

    This image shows that if you enter the letters Emp in the Groups field, the value 'CiscoTAC\Employees' is a group from the Active Directory structure that matches. This means the connectivity and search information is functional.



    The same test can be performed for Users. Enter a few characters of the Display Name of a known Active Directory User, and wait to see if the Next-Generation Firewall shows the completed Display Name. If it does, the system is most likely functional.



  5. After the testing is complete, cancel out of the object and policy configuration screens.

Troubleshoot

DNS Configuration Problems Cause Active Directory Integration to Fail

If Domain Name System (DNS) resolution for the configured Name for the domain fails, Active Directory integration fails. A message 'Connection failed with error: Join returned DNS_ERROR_BAD_PACKET' displays when you click Test Connection:

If the Next-Generation Firewall cannot resolve the IP address for the domain configured, check the DNS settings on the Next-Generation Firewall with the show dns and nslookup commands in order to confirm that the hostname is resolvable by the device and that the DNS settings are correct.

Network Connectivity Problems Between the Next-Generation Firewall and the Active Directory Server

If the Next-Generation Firewall is unable to connect to the Active Directory server (due to a network problem or a firewall setting on the machine), the integration fails. This could be caused if the connectivity on TCP port 389 is blocked by a device (such as a firewall or router) between the Next-Generation Firewall and the Active Directory server.

A message 'Connection failed with error: Join returned NERR_DCNotFound' displays when you click Test Connection:

If you see this message:

  • Confirm that the Next-Generation Firewall has basic IP connectivity to the server with the ping, nslookup and traceroute commands from the CLI.
  • Verify that the host firewall on the Active Directory server is not configured to block connections from the Next-Generation Firewall on TCP port 389.
  • Take packet captures on the Active Directory server and the network in order to determine what device might be blocking the access.
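The two failure modes above (DNS resolution of the domain name, and TCP 389 reachability of the directory host) can be checked from a Windows administration host before you touch the Next-Generation Firewall CLI. The script below is an added example, not part of the Cisco document. The domain csc-lab.ciscotac.com is the document's lab domain; the directory hostname dc1.csc-lab.ciscotac.com, the DnsServer parameter and the function name Test-CxDirectoryPrereqs are this example's assumptions. The SRV record lookup is an addition beyond what the document states: it is the standard way Active Directory clients locate a Domain Controller for a domain, and an error in the 'Join returned ...' family generally means the join could not locate or talk to a DC.

```powershell
# Added example, not from the Cisco document. Run on a Windows admin host
# that uses the same DNS server the CX is configured with.

function Test-CxDirectoryPrereqs {
    param(
        [Parameter(Mandatory)][string]$Domain,         # Primary Domain of the Realm (lowercase, see note above)
        [Parameter(Mandatory)][string]$DirectoryHost,  # Name entered in the Directory configuration
        [string]$DnsServer                             # Optional: DNS server configured on the CX (assumed)
    )
    # Only pass -Server to Resolve-DnsName when the caller supplied one.
    $dns = @{}
    if ($DnsServer) { $dns.Server = $DnsServer }

    # 1. DNS: the domain name itself ('Join returned DNS_ERROR_BAD_PACKET'
    #    points here) ...
    try {
        $a = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop @dns
        "OK   A record for $Domain -> $(($a | Where-Object IPAddress).IPAddress -join ', ')"
    } catch {
        "FAIL A record for $Domain : $($_.Exception.Message)"
    }

    #    ... and the LDAP SRV record AD clients use to find a Domain Controller
    #    ('Join returned NERR_DCNotFound' means no DC could be located/reached).
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop @dns
        "OK   SRV _ldap._tcp.dc._msdcs.$Domain -> $($srv.NameTarget -join ', ')"
    } catch {
        "FAIL SRV lookup for $Domain : $($_.Exception.Message)"
    }

    # 2. TCP 389 to the directory host: this is all that 'Test connection'
    #    in PRSM checks, so reproduce exactly that.
    $tcp = Test-NetConnection -ComputerName $DirectoryHost -Port 389 -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        "OK   TCP 389 to $DirectoryHost ($($tcp.RemoteAddress))"
    } else {
        "FAIL TCP 389 to $DirectoryHost; check the DC host firewall and any firewall/router on the path from the CX"
    }
}

Test-CxDirectoryPrereqs -Domain 'csc-lab.ciscotac.com' -DirectoryHost 'dc1.csc-lab.ciscotac.com'
```

A pass here only proves what Test connection proves, name resolution and a TCP handshake on port 389; it does not prove that the CX can bind and search. Use the Groups/Users auto-completion test in the Verify section for that.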
