IP : 轻量级目录访问协议 (LDAP)

ASA Anyconnect VPN和与自定义模式和证书配置示例的OpenLDAP授权

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈

简介

本文描述如何配置OpenLDAP以自定义模式支持连接到思科可适应安全工具的Cisco AnyConnect安全移动客户端的每个用户的属性(ASA)。因为所有用户属性从OpenLDAP服务器,获取ASA配置相当基本。并且在本文描述在LDAP认证和授权的差异,当使用与证书一起。

贡献用米哈拉Garcarz, Cisco TAC工程师。

先决条件

要求

Cisco 建议您了解以下主题:

  • 关于Linux配置的基础知识
  • 关于ASA CLI配置的基础知识

使用的组件

本文档中的信息基于以下软件版本:

  • Cisco ASA版本8.4和以上
  • OpenLDAP版本2.4.30

配置

基本OpenLDAP配置

步骤1.配置服务器。

此示例使用test-cisco.com ldap树。

ldap.conf文件用于设置能由本地ldap客户端使用的系统层默认。

注意:虽然您没有要求设置系统层默认,他们可帮助测试和排除故障servier,当您运行一个本地ldap客户端时。

/etc/openldap/ldap.conf :

BASE   dc=test-cisco,dc=com

slapd.conf文件使用OpenLDAP服务器配置。默认模式文件包括用途广泛的LDAP定义。例如,在core.schema文件定义的对象类名称personis。此配置用途普通的模式和定义了其CISCO专用的属性的自己的模式。

/etc/openldap/slapd.conf :

include         /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema

# Defines backend database type and redirects all # queries with specified suffix to that database
database hdb
suffix "dc=test-cisco,dc=com"
checkpoint 32 30

# Rootdn will be used to perform all administrative tasks.
rootdn "cn=Manager,dc=test-cisco,dc=com"

# Cleartext passwords, especially for the rootdn, should be avoid.
rootpw secret

directory /var/lib/openldap-data
index objectClass eq

步骤2.验证IDAP配置。

为了验证基本OpenLDAP工作,请运行此配置:

pluton openldap # /etc/init.d/slapd start
* Starting ldap-server [ ok ]
pluton openldap # ps ax | grep openldap
27562 ? Ssl 0:00 /usr/lib64/openldap/slapd -u ldap -g ldap -f
/etc/openldap/slapd.conf -h ldaps:// ldap:// ldapi://var/run/openldap/slapd.sock

pluton openldap # netstat -atcpn | grep slapd
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 27562/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 27562/slapd

pluton # ldapsearch -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=test-cisco,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

步骤3.添加记录到数据库。

一旦hve测试的和配置的适当everthing,添加记录到数据库。 为了添加用户和组的基本容器,请运行此配置:

pluton # cat root.ldiff 
dn: dc=test-cisco,dc=com
objectclass: dcObject
objectclass: organization
o: test-cisco.com
dc: test-cisco

dn: ou=People,dc=test-cisco,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=test-cisco,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

pluton # ldapadd -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com"
-w secret -x -f root.ldiff
adding new entry "dc=test-cisco,dc=com"
adding new entry "ou=People,dc=test-cisco,dc=com"
adding new entry "ou=Groups,dc=test-cisco,dc=com"

pluton # ldapsearch -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=test-cisco,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test-cisco.com
dn: dc=test-cisco,dc=com
objectClass: dcObject
objectClass: organization
o: test-cisco.com
dc: test-cisco

# People, test-cisco.com
dn: ou=People,dc=test-cisco,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# Groups, test-cisco.com
dn: ou=Groups,dc=test-cisco,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

自定义Openldap模式

即然基本配置工作,您能添加自定义模式。在本例中配置示例,对象类名为CiscoPerson新类型创建,并且这些属性创建并且用于此对象类:

  • CiscoBanner
  • CiscoACLin
  • CiscoDomain
  • CiscoDNS
  • CiscoIPAddress
  • CiscoIPNetmask
  • CiscoSplitACL
  • CiscoSplitTunnelPolicy
  • CiscoGroupPolicy

步骤1.创建在cisco.schema的新的模式。

pluton openldap # pwd
/etc/openldap
pluton openldap # cat schema/cisco.schema

attributetype ( 1.3.6.1.4.1.9.500.1.1
  NAME 'CiscoBanner'
  DESC 'Banner Name for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.2
  NAME 'CiscoACLin'
  DESC 'ACL in for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.3
  NAME 'CiscoDomain'
  DESC 'Domain for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.4
  NAME 'CiscoDNS'
  DESC 'DNS server for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.5
  NAME 'CiscoIPAddress'
  DESC 'Address for VPN user'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.6
  NAME 'CiscoIPNetmask'
  DESC 'Address for VPN user'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.7
  NAME 'CiscoSplitACL'
  DESC 'Split tunnel list for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.8
  NAME 'CiscoSplitTunnelPolicy'
  DESC 'Split tunnel policy for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9.500.1.9
  NAME 'CiscoGroupPolicy'
  DESC 'Group policy for VPN users'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
  SINGLE-VALUE )
 
objectclass ( 1.3.6.1.4.1.9.500.2.1 NAME 'CiscoPerson'
        DESC 'My cisco person'
        AUXILIARY
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso
$ description $ CiscoBanner $ CiscoACLin $ CiscoDomain
$ CiscoDNS $ CiscoIPAddress $ CiscoIPNetmask $ CiscoSplitACL
$ CiscoSplitTunnelPolicy $ CiscoGroupPolicy ) )


重要说明

  • 请使用私营企业OIDs您的公司。所有OIDs wor,但是最佳实践是使用IANA分配的OIDs。在本例中配置的那个从(由思科保留的1.3.6.1.4.1.9开始:http://www.iana.org/assignments/enterprise-numbers)
  • OID (500.1.1-500.1.9)的以下部分直接地在思科OID ("1.3.6.1.4.1.9")的主要树用于不干涉。
  • 此数据库在模式/core.ldif使用定义的对象类。对象是顶部类型和记录只能包括是的一个这样属性(CiscoPersonobject类为什么是辅助类型)。
  • 名为CiscoPerson的对象类必须包括SN或CN,并且能包括定义的其中任一个自定义思科属性前。注意它在其他模式能也包括定义的所有其他属性(例如userPasswordtelephoneNumber)。
  • 切记每个对象应该有一个不同的OID编号。
  • 自定义属性是案件不区分和与编码的UTF-8的体串的类型和最大数量128字符(定义由语法)。

步骤2.包括模式在sldap.conf。

pluton openldap # cat slapd.conf | grep include
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/cisco.schema

步骤3.重新启动服务。

puton openldap # /etc/init.d/slapd restart
 * Stopping ldap-server                           [ ok ]
 * Starting ldap-server                           [ ok ]

步骤4.添加有所有自定义属性的一个新用户。

在本例中,用户属于多个objectClass对象,并且继承从所有的属性。没有对现有的数据库数据库纪录的更改使用此进程它是容易添加另外的模式或属性。

pluton # cat users.ldiff 
# User account
dn: uid=cisco,ou=people,dc=test-cisco,dc=com
cn: John Smith
givenName: John
sn: cisco
uid: cisco
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/cisco
mail: jsmith@dev.local
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: CiscoPerson
loginShell: /bin/bash
userPassword: {CRYPT}*
CiscoBanner: This is banner 1
CiscoIPAddress: 10.1.1.1
CiscoIPNetmask: 255.255.255.128
CiscoDomain: domain1.com
CiscoDNS: 10.6.6.6
CiscoACLin: ip:inacl#1=permit ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.0
CiscoSplitACL: ACL1
CiscoSplitTunnelPolicy: 1
CiscoGroupPolicy: POLICY1

pluton # ldapadd -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com"
-w secret -x -f users.ldiff
adding new entry "uid=cisco,ou=people,dc=test-cisco,dc=com"

步骤5.设置用户的密码。

pluton moje # ldappasswd -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com" 
-w secret -x uid=cisco,ou=people,dc=test-cisco,dc=com -s pass1

步骤6.验证配置。

pluton # ldapsearch -h 192.168.10.1 -D "CN=Manager,DC=test-cisco,DC=com"
-w secret -b uid=cisco,ou=people,dc=test-cisco,dc=com
# extended LDIF
#
# LDAPv3
# base <uid=cisco,ou=people,dc=test-cisco,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cisco, People, test-cisco.com
dn: uid=cisco,ou=People,dc=test-cisco,dc=com
cn: John Smith
givenName: John
sn: cisco
uid: cisco
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/cisco
mail: jsmith@dev.local
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: CiscoPerson
loginShell: /bin/bash
userPassword:: e0NSWVBUfSo=
CiscoBanner: This is banner 1
CiscoIPAddress: 10.1.1.1
CiscoIPNetmask: 255.255.255.128
CiscoDomain: domain1.com
CiscoDNS: 10.6.6.6
CiscoACLin: ip:inacl#1=permit ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.
 0
CiscoSplitACL: ACL1
CiscoSplitTunnelPolicy: 1
CiscoGroupPolicy: POLICY1
userPassword:: e1NTSEF9NXM4MUZtaS85YUcvV2ZQU3kzbEdtdzFPUkk0bHl3V0M=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ASA 配置

步骤1.配置接口和证书。

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.11.250 255.255.255.0  
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.1.250 255.255.255.0

crypto ca trustpoint CA
 keypair CA   
 crl configure
crypto ca certificate chain CA
 certificate ca 00cf946de20d0ce6d9
    30820223 3082018c 020900cf 946de20d 0ce6d930 0d06092a 864886f7 0d010105
    05003056 310b3009 06035504 06130250 4c310c30 0a060355 04080c03 4d617a31
    0f300d06 03550407 0c065761 72736177 310c300a 06035504 0a0c0354 4143310c
    300a0603 55040b0c 03524143 310c300a 06035504 030c0354 4143301e 170d3132
    31313136 30383131 32365a17 0d313331 31313630 38313132 365a3056 310b3009
    06035504 06130250 4c310c30 0a060355 04080c03 4d617a31 0f300d06 03550407
    0c065761 72736177 310c300a 06035504 0a0c0354 4143310c 300a0603 55040b0c
    03524143 310c300a 06035504 030c0354 41433081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100d0 68af1ef6 9b256071 d39c8d25 4fb9f391
    5a96e8e0 1ac424d5 fc9cf460 f09e181e f1487525 d982f3ae 29384ca8 13d5290d
    a360e796 0224dce5 ffc0767e 6f54b991 967b54a4 4b3aa59e c2a69310 550029fb
    cb1c3f45 3fb15d15 0d507b09 52b02a17 6189d591 87d42617 1d93b683 4d685005
    34788fd0 2a899ca4 926e7318 1f914102 03010001 300d0609 2a864886 f70d0101
    05050003 81810046 8c58cddb dfd6932b 9260af40 ebc63465 1f18a374 f5b7865c
    a21b22f3 a07ebf57 d64312b7 57543c91 edc4088d 3c7b3c75 e3f29b8d b7e04e01
    4dc2cb89 6935e07c 3518ad97 96e50aae 52e89265 92bb1aad a85656dc 931e2006
    af4042a0 09826d29 88ca972e 5442e0c3 8c957978 4a15e5d9 cac5a12c b0604df4
    97438706 c973a5
  quit
 certificate 00fe9c3d61e131cd9e
    30820225 3082018e 020900fe 9c3d61e1 31cd9e30 0d06092a 864886f7 0d010105
    05003056 310b3009 06035504 06130250 4c310c30 0a060355 04080c03 4d617a31
    0f300d06 03550407 0c065761 72736177 310c300a 06035504 0a0c0354 4143310c
    300a0603 55040b0c 03524143 310c300a 06035504 030c0354 4143301e 170d3132
    31313136 31303336 31325a17 0d313331 31313631 30333631 325a3058 310b3009
    06035504 06130250 4c310c30 0a060355 04080c03 4d617a31 11300f06 03550407
    0c085761 72737a61 7761310c 300a0603 55040a0c 03414353 310c300a 06035504
    0b0c0341 4353310c 300a0603 5504030c 03414353 30819f30 0d06092a 864886f7
    0d010101 05000381 8d003081 89028181 00d15ee2 0f14597a 0703204b 22a2c5cc
    34c0967e 74bb087c b16bc462 d1e4f99d 3d40bd19 5b80845e 08f2cccb e2ca0d01
    aa6fe4f4 df287598 45956110 d3c66465 668ae4d2 8a9583e8 7a652685 19b25dfa
    fce7b84e e1780dd0 1cd3d71e 0926db1a 74354b11 c5b976e0 07e7dd01 0b4115f0
    662874c3 2ed5f87e 170b3baa f266f650 2f020301 0001300d 06092a86 4886f70d
    01010505 00038181 00987d8e acfa9cac ab9dbb52 5bb61992 975e4bbe e9c28426
    1dc3dd1e 87abd839 fa3a937d b1aebcc4 fdc549a2 010b83f3 aa0e12b3 f03a4f49
    d8e6fdea 61776ae5 17daf7e4 6baf810d 37c24784 bd71429b dc0494c0 84a020ff
    1be0c903 a055f634 1e29b6ea 7d7f3280 f161a86c 50d40b6c c24bc8b0 493c0918
    8a185e05 1b52d8b0 0e
  quit

步骤2.生成自签名证书。

crypto ca trustpoint CA
enrollment self
crypto ca enroll CA

步骤3.在外部接口的Enable (event) WebVPN。

ssl trust-point CA
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

步骤4.拆分ACL配置。

ACL名称由OpenLDAP返回:

access-list ACL1 standard permit 10.7.7.0 255.255.255.0 

步骤5.创建使用默认组政策的组名(DfltAccessPolicy)。

有特定LDAP属性的(CiscoGroupPolicy)用户被映射对另一项策略:POLICY1

group-policy DfltAccessPolicy internal
group-policy DfltAccessPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

group-policy POLICY1 internal
group-policy POLICY1 attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

tunnel-group RA type remote-access
tunnel-group RA general-attributes
tunnel-group RA webvpn-attributes
 group-alias RA enable
 without-csd

ASA AAA服务器配置用途映射的ldap属性映射从OpenLDAP返回的属性对可以由Anyconnect用户的ASA解释的属性。

ldap attribute-map LDAP-MAP
  map-name  CiscoACLin Cisco-AV-Pair
  map-name  CiscoBanner Banner1
  map-name  CiscoDNS Primary-DNS
  map-name  CiscoDomain IPSec-Default-Domain
  map-name  CiscoGroupPolicy IETF-Radius-Class
  map-name  CiscoIPAddress IETF-Radius-Framed-IP-Address
  map-name  CiscoIPNetmask IETF-Radius-Framed-IP-Netmask
  map-name  CiscoSplitACL IPSec-Split-Tunnel-List
  map-name  CiscoSplitTunnelPolicy IPSec-Split-Tunneling-Policy

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.11.10
 ldap-base-dn DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password secret
 ldap-login-dn CN=Manager,DC=test-cisco,DC=com
 server-type openldap
 ldap-attribute-map LDAP-MA

步骤6.启用验证的LDAP服务器指定的隧道群的。

tunnel-group RA general-attributes
 authentication-server-group LDAP

验证

测试VPN访问

Anyconnect配置连接到192.168.1.250。洛金是用户名cisco和密码pass1

116096-configure-anyconnect-openldap-01.png

在验证以后使用正确标语。

116096-configure-anyconnect-openldap-02.png

正确已分解ACL发送(在ASA定义的ACL1)。

116096-configure-anyconnect-openldap-03.png

Anyconnect接口配置与IP:10.1.1.1和网络屏蔽255.255.255.128。域是domain1.com,并且DNS服务器是10.6.6.6。

116096-configure-anyconnect-openldap-04.png

在ASA,用户cisco接收IP:10.1.1.1和分配分组策略POLICY1

ASA# show vpn-sessiondb detail anyconnect 

Session Type: AnyConnect Detailed

Username     : cisco                  Index        : 29
Assigned IP  : 10.1.1.1               Public IP    : 192.168.1.88
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : RC4                    Hashing      : none SHA1
Bytes Tx     : 10212                  Bytes Rx     : 856
Pkts Tx      : 8                      Pkts Rx      : 2
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : POLICY1                Tunnel Group : RA
Login Time   : 10:18:25 UTC Thu Apr 4 2013
Duration     : 0h:00m:17s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 29.1
  Public IP    : 192.168.1.88
  Encryption   : none                   TCP Src Port : 49262                  
  TCP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes             
  Client Type  : AnyConnect             
  Client Ver   : 3.1.01065              
  Bytes Tx     : 5106                   Bytes Rx     : 788                    
  Pkts Tx      : 4                      Pkts Rx      : 1                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
 
SSL-Tunnel:
  Tunnel ID    : 29.2
  Assigned IP  : 10.1.1.1               Public IP    : 192.168.1.88
  Encryption   : RC4                    Hashing      : SHA1                   
  Encapsulation: TLSv1.0                TCP Src Port : 49265                  
  TCP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes             
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.01065
  Bytes Tx     : 5106                   Bytes Rx     : 68                     
  Pkts Tx      : 4                      Pkts Rx      : 1                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : AAA-user-cisco-E0CF3C05
 
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 17 Seconds
  Hold Left (T): 0 Seconds              Posture Token:

并且,动态访问列表为该用户安装:

ASA# show access-list AAA-user-cisco-E0CF3C05
access-list AAA-user-cisco-E0CF3C05; 1 elements; name hash: 0xf9b6b75c (dynamic)
access-list AAA-user-cisco-E0CF3C05 line 1 extended permit
ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.0
(hitcnt=0) 0xf8010475

调试

在您关闭调试,您能跟踪WebVPN会话的每个步骤后。

此示例与属性检索一起显示LDAP认证:

ASA# show debug 
debug ldap  enabled at level 255
debug webvpn anyconnect enabled at level 254
ASA#
[63] Session Start
[63] New request Session, context 0xbbe10120, reqType = Authentication
[63] Fiber started
[63] Creating LDAP context with uri=ldap://192.168.11.10:389
[63] Connect to LDAP server: ldap://192.168.11.10:389, status = Successful
[63] supportedLDAPVersion: value = 3
[63] Binding as Manager
[63] Performing Simple authentication for Manager to 192.168.11.10
[63] LDAP Search:
        Base DN = [DC=test-cisco,DC=com]
        Filter  = [uid=cisco]
        Scope   = [SUBTREE]
[63] User DN = [uid=cisco,ou=People,dc=test-cisco,dc=com]
[63] Server type for 192.168.11.10 unknown - no password policy
[63] Binding as cisco
[63] Performing Simple authentication for cisco to 192.168.11.10
[63] Processing LDAP response for user cisco
[63] Authentication successful for cisco to 192.168.11.10
[63] Retrieved User Attributes:
[63]    cn: value = John Smith
[63]    givenName: value = John
[63]    sn: value = cisco
[63]    uid: value = cisco
[63]    uidNumber: value = 10000
[63]    gidNumber: value = 10000
[63]    homeDirectory: value = /home/cisco
[63]    mail: value = jsmith@dev.local
[63]    objectClass: value = top
[63]    objectClass: value = posixAccount
[63]    objectClass: value = shadowAccount
[63]    objectClass: value = inetOrgPerson
[63]    objectClass: value = organizationalPerson
[63]    objectClass: value = person
[63]    objectClass: value = CiscoPerson
[63]    loginShell: value = /bin/bash

重要!自定义LDAP属性被映射对ASA属性如对ldap属性映射定义:

[63]    CiscoBanner: value = This is banner 1
[63]            mapped to Banner1: value = This is banner 1
[63]    CiscoIPAddress: value = 10.1.1.1
[63]            mapped to IETF-Radius-Framed-IP-Address: value = 10.1.1.1
[63]    CiscoIPNetmask: value = 255.255.255.128
[63]            mapped to IETF-Radius-Framed-IP-Netmask: value = 255.255.255.128
[63]    CiscoDomain: value = domain1.com
[63]            mapped to IPSec-Default-Domain: value = domain1.com
[63]    CiscoDNS: value = 10.6.6.6
[63]            mapped to Primary-DNS: value = 10.6.6.6
[63]    CiscoACLin: value = ip:inacl#1=permit
ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.0

[63]            mapped to Cisco-AV-Pair: value = ip:inacl#1=permit
ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.0

[63]    CiscoSplitACL: value = ACL1
[63]            mapped to IPSec-Split-Tunnel-List: value = ACL1
[63]    CiscoSplitTunnelPolicy: value = 1
[63]            mapped to IPSec-Split-Tunneling-Policy: value = 1
[63]    CiscoGroupPolicy: value = POLICY1
[63]            mapped to IETF-Radius-Class: value = POLICY1
[63]            mapped to LDAP-Class: value = POLICY1
[63]    userPassword: value = {SSHA}5s81Fmi/9aG/WfPSy3lGmw1ORI4lywWC
[63] ATTR_CISCO_AV_PAIR attribute contains 68 bytes
[63] Fiber exit Tx=315 bytes Rx=907 bytes, status=1
[63] Session End

LDAP会话完成。现在, ASA处理并且适用那些属性。

动态ACL创建(基于ACE条目cisco-av-pair) :

webvpn_svc_parse_acl: processing ACL: name: 'AAA-user-cisco-E0CF3C05',
list: YES, id -1
webvpn_svc_parse_acl: before add: acl_id: -1, acl_name: AAA-user-cisco-E0CF3C05
webvpn_svc_parse_acl: after add: acl_id: 5, acl_name: AAA-user-cisco-E0CF3C05,
refcnt: 1

WebVPN会话收益: 

webvpn_rx_data_tunnel_connect
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: 192.168.1.250'
Processing CSTP header line: 'Host: 192.168.1.250'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.01065'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent
for Windows 3.1.01065'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.01065'
webvpn_cstp_parse_request_field()
...input: 'Cookie: webvpn=1476503744@122880@
1365070898@908F356D1C1F4CDF1138088854AF0E480FDCB1BD'
Processing CSTP header line: 'Cookie: webvpn=1476503744@122880@
1365070898@908F356D1C1F4CDF1138088854AF0E480FDCB1BD'
Found WebVPN cookie: 'webvpn=1476503744@122880@
1365070898@908F356D1C1F4CDF1138088854AF0E480FDCB1BD'
WebVPN Cookie: 'webvpn=1476503744@122880@1365070898@
908F356D1C1F4CDF1138088854AF0E480FDCB1BD'
IPADDR: '1476503744', INDEX: '122880', LOGIN: '1365070898'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Version: 1'
Processing CSTP header line: 'X-CSTP-Version: 1'
Setting version to '1'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Hostname: admin-Komputer'
Processing CSTP header line: 'X-CSTP-Hostname: admin-Komputer'
Setting hostname to: 'admin-Komputer'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1367'
Processing CSTP header line: 'X-CSTP-MTU: 1367'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv6,IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv6,IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Local-Address-IP4: 192.168.1.88'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Base-MTU: 1468'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Remote-Address-IP4: 192.168.1.250'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Full-IPv6-Capability: true'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Master-Secret: F5ADDD0151261404504FC3B165C3B68A90E51
A1C8EB7EA9B2FE70F1EB8E10929FFD79650B07E218EC8774678CDE1FB5E'
Processing CSTP header line: 'X-DTLS-Master-Secret: F5ADDD015126140450
4FC3B165C3B68A90E51A1C8EB7EA9B2FE70F1EB8E10929FFD79650B07E2
18EC8774678CDE1FB5E'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:
DES-CBC3-SHA:DES-CBC-SHA'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Accept-Encoding: lzs'
Processing CSTL header line: 'X-DTLS-Accept-Encoding: lzs'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Header-Pad-Length: 0'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Accept-Encoding: lzs,deflate'
Processing CSTP header line: 'X-CSTP-Accept-Encoding: lzs,deflate'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Processing CSTP header line: 'X-CSTP-Protocol:
Copyright (c) 2004 Cisco Systems, Inc.'

其次,地址分配发生。那里公告是在ASA定义的没有IP池。如果LDAP不返回是被映射的IETF RADIUS成帧IP地址和使用IP地址分配)的CiscoIPAddress属性(配置在此阶段将发生故障。

Validating address: 10.1.1.1
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 10.1.1.1/255.255.255.128
webvpn_cstp_accept_ipv6_address: No IPv6 Address
CSTP state = HAVE_ADDRESS

WebVPN会话完成:

SVC: NP setup
np_svc_create_session(0x1E000, 0xb5eafa80, TRUE)
webvpn_svc_np_setup
SVC ACL Name: AAA-user-cisco-E0CF3C05
SVC ACL ID: 5
SVC ACL ID: 5
vpn_put_uauth success!
SVC IPv6 ACL Name: NULL
SVC IPv6 ACL ID: -1
SVC: adding to sessmgmt
SVC: Sending response
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
Unable to initiate NAC, NAC might not be enabled or invalid policy
CSTP state = CONNECTED

ASA分开的认证和授权

有时分离认证和授权进程最好的。例如,请使用密码验证本地定义的用户;然后,在成功的本地认证以后,请从LDAP服务器获取所有用户属性:

username cisco password cisco
tunnel-group RA general-attributes
authentication-server-group LOCAL
 authorization-server-group LDAP

差异在LDAP会话上。在前一个示例中, ASA :

  • 对OpenLDAP的已绑定的与管理器凭证,
  • 用户的cisco被执行的搜索,和
  • 已绑定的(简单验证)对与思科凭证的OpenLDAP。

目前,因为用户通过本地数据库,已经验证与LDAP授权,第三步不再是必要的。

更多常见情况介入RSA令牌使用情况认证过程和LDAP/AD属性的授权的。

从LDAP和本地组的ASA属性

了解在LDAP属性和RADIUS属性之间的区别是重要的。

当您使用LDAP时, ASA不允许映射对任何RADIUS属性。例如,当您使用RADIUS时,是可能的返回cisco-av-pair属性217 (地址池)。该属性定义了是被使用的分配IP地址IP地址的一个本地配置池。

使用LDAP映射,使用特定cisco-av-pair属性无法的。与LDAP映射的cisco-av-pair属性可以用于只指定不同种类的ACL。

在LDAP的这些限制防止它是一样灵活象Radius。对workaroud此本地定义的组策略在与不可能从ldap被映射的属性的ASA可以创建(类似地址池)。一旦LDAP用户验证,他们分配到该组策略(在我们的示例POLICY1),并且非使用物精确归因于从组政策reretrieved的。

LDAP映射支持的全双工属性列表可以在本文找到:Cisco ASA 5500系列配置指南使用CLI, 8.4和8.6

您能比较到RADIUS ASA支持的VPN3000属性详尽列表;参考本文:Cisco ASA 5500系列配置指南使用CLI, 8.4和8.6

参考RADIUS ASA支持的IETF属性详尽列表的本文:Cisco ASA 5500系列配置指南使用CLI, 8.4和8.6

ASA和LDAP与证书验证

ASA不支持LDAP证书属性检索和二进制比较跟Anyconnect提供的证书。该功能为Cisco ACS或ISE保留(和仅为802.1x恳求者),因为VPN验证在网络接入设备(纳季)终止。

有另一soluction。当用户认证使用证书时, ASA执行证书确认,并且能从证书获取根据特定字段的LDAP属性(例如, CN) :

tunnel-group RA general-attributes  
authorization-server-group LDAP
username-from-certificate CN
authorization-required
tunnel-group RA webvpn-attributes
  authentication certificate

在用户证书由ASA后验证, LDAP授权被执行,并且用户属性(从CN字段)获取并且应用。

调试

使用了用户证书:cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL

证书映射配置映射该证书对RA隧道群:

crypto ca certificate map MAP-RA 10
 issuer-name co tac
webvpn
certificate-group-map MAP-RA 10 RA

证书确认和映射:

ASA# show debug 
debug ldap  enabled at level 255
debug webvpn anyconnect enabled at level 254
debug crypto ca enabled at level 3
debug crypto ca messages enabled at level 3
debug crypto ca transactions enabled at level 3
Apr 09 2013 17:31:32: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Apr 09 2013 17:31:32: %ASA-7-717029: Identified client certificate within certificate chain. serial number: 00FE9C3D61E131CDB1, subject name: cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL.
Apr 09 2013 17:31:32: %ASA-6-717022: Certificate was successfully validated. Certificate is resident and trusted, serial number: 00FE9C3D61E131CDB1, subject name: cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL.
Apr 09 2013 17:31:32: %ASA-6-717028: Certificate chain was successfully validated with revocation status check.
Apr 09 2013 17:31:32: %ASA-6-725002: Device completed SSL handshake with client outside:192.168.1.88/49179
Apr 09 2013 17:31:32: %ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 00FE9C3D61E131CDB1, subject name: cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL, issuer_name: cn=TAC,ou=RAC,o=TAC,l=Warsaw,st=Maz,c=PL.
Apr 09 2013 17:31:32: %ASA-7-717038: Tunnel group match found. Tunnel Group: RA, Peer certificate: serial number: 00FE9C3D61E131CDB1, subject name: cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL, issuer_name: cn=TAC,ou=RAC,o=TAC,l=Warsaw,st=Maz,c=PL.

用户名和授权的提取从证书的使用LDAP :

Apr 09 2013 17:31:32: %ASA-7-113028: Extraction of username from VPN client certificate has been requested.  [Request 53]
Apr 09 2013 17:31:32: %ASA-7-113028: Extraction of username from VPN client certificate has started.  [Request 53]
Apr 09 2013 17:31:32: %ASA-7-113028: Extraction of username from VPN client certificate has finished successfully.  [Request 53]
Apr 09 2013 17:31:32: %ASA-7-113028: Extraction of username from VPN client certificate has completed.  [Request 53]
Apr 09 2013 17:31:32: %ASA-6-302013: Built outbound TCP connection 286 for inside:192.168.11.10/389 (192.168.11.10/389) to identity:192.168.11.250/33383 (192.168.11.250/33383)
Apr 09 2013 17:31:32: %ASA-6-113004: AAA user authorization Successful : server =  192.168.11.10 : user = test1
Apr 09 2013 17:31:32: %ASA-6-113003: AAA group policy for user test1 is being set to POLICY1
Apr 09 2013 17:31:32: %ASA-6-113011: AAA retrieved user specific group policy (POLICY1) for user = test1
Apr 09 2013 17:31:32: %ASA-6-113009: AAA retrieved default group policy (MY) for user = test1
Apr 09 2013 17:31:32: %ASA-6-113008: AAA transaction status ACCEPT : user = test1

归因于从LDAP的检索:

Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.cn = John Smith
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.givenName = John
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.sn = test1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.uid = test1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.uidNumber = 10000
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.gidNumber = 10000
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.homeDirectory = /home/cisco
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.mail = jsmith@dev.local
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.1 = top
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.2 = posixAccount
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.3 = shadowAccount
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.4 = inetOrgPerson
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.5 = organizationalPerson
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.6 = person
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.objectClass.7 = CiscoPerson
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.loginShell = /bin/bash
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.userPassword = {CRYPT}*
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoBanner = This is banner 1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoIPAddress = 10.1.1.1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoIPNetmask = 255.255.255.128
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoDomain = domain1.com
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoDNS = 10.6.6.6
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoACLin = ip:inacl#1=permit ip 10.1.1.0 255.255.255.128 10.11.11.0 255.255.255.0
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoSplitACL = ACL1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoSplitTunnelPolicy = 1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.ldap.CiscoGroupPolicy = POLICY1

思科映射attibutes :

Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.grouppolicy = POLICY1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.ipaddress = 10.1.1.1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.username = test1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.username1 = test1
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.username2 = 
Apr 09 2013 17:31:32: %ASA-7-734003: DAP: User test1, Addr 192.168.1.88: Session Attribute aaa.cisco.tunnelgroup = RA
Apr 09 2013 17:31:32: %ASA-6-734001: DAP: User test1, Addr 192.168.1.88, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Apr 09 2013 17:31:32: %ASA-6-113039: Group <POLICY1> User <test1> IP <192.168.1.88> AnyConnect parent session started.
 

附属验证

如果二要素验证要求,与LDAP认证和授权一起使用令牌的密码是可能的:

tunnel-group RA general-attributes
  authentication-server-group RSA  
secondary-authentication-server-group LDAP
  authorization-server-group LDAP
tunnel-group RA webvpn-attributes
  authentication aaa

然后,用户必须提供从RSA的一个用户名和密码(用户有的事?一标记),与LDAP用户名/密码(用户知道)的事一起。使用从证书的一用户名附属验证也是可能的。使用CLI, 8.4和8.6,关于双重身份验证的更多信息,参考Cisco ASA 5500系列配置指南

相关信息


相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


Document ID: 116096