Table Of Contents
Enforcing Microsoft Active Directory Policies Using LDAP Attribute Maps
LDAP Attribute Map Configuration Examples
User-Based Attributes Policy Enforcement
Placing Users in a Specific Group-Policy
Enforcing Static IP Address Assignment for AnyConnect Tunnels
Enforcing Dial-in Allow or Deny Access
Enforcing Logon Hours and Time-of-Day Rules
Supported Cisco Attributes for LDAP Authorization
Cisco-AV-Pair Attribute Syntax
Enforcing Microsoft Active Directory Policies Using LDAP Attribute Maps
This document describes using the Adaptive Security Device Manager (ASDM) to configure the ASA 5500 Series Adaptive Security Appliance to enforce Microsoft Active Directory (AD) access policies using LDAP attribute maps.
The examples in this document pertain to Microsoft AD. However, LDAP attribute maps can be used to support other directory servers, such as Novell eDirectory, OpenLDAP, and Sun Directory Server.
This document includes the following sections:
• LDAP Attribute Map Configuration Examples
• Supported Cisco Attributes for LDAP Authorization
How LDAP Attribute Maps Work
LDAP is a powerful and flexible protocol for communication with AAA servers. LDAP attribute maps provide a method to cross-reference the attributes retrieved from a directory server to Cisco attributes supported by the security appliance.
When a user authenticates to the security appliance, the security appliance in turn authenticates to the server and uses LDAP to retrieve the record for that user. The record consists of LDAP attributes that correspond to fields on the server's user interface, and each retrieved attribute carries the value entered by whoever maintains the user record. That makes directory write access part of the VPN policy's trust boundary: anyone who can edit the mapped fields can change the policy the appliance enforces for that user.
Figure 1 shows the Properties window displayed by Microsoft AD for a single user. We have entered Chicago in the Office field, which uses the attribute physicalDeliveryOfficeName. Therefore, when the security appliance retrieves the LDAP record from the server, it includes the attribute physicalDeliveryOfficeName, and its value Chicago.
Unlike support for RADIUS, the security appliance has no hard-coded information about the LDAP attributes it retrieves. You must create an attribute map that maps each LDAP attribute to a Cisco attribute.
Figure 1 LDAP User Properties Window
LDAP Attribute Map Configuration Examples
The following sections provide configuration examples for creating attribute maps:
• User-Based Attributes Policy Enforcement
• Placing Users in a Specific Group-Policy
• Enforcing Static IP Address Assignment for AnyConnect Tunnels
• Enforcing Dial-in Allow or Deny Access
• Enforcing Logon Hours and Time-of-Day Rules
User-Based Attributes Policy Enforcement
In this example, we configure the security appliance to enforce a simple banner for a user configured on an AD LDAP server. On the server, we use the Office field in the General tab to enter the banner text. This field uses the attribute named physicalDeliveryOfficeName. On the security appliance, we create an attribute map that maps physicalDeliveryOfficeName to the Cisco attribute Banner1. During authentication, the security appliance retrieves the value of physicalDeliveryOfficeName from the server, maps the value to the Cisco attribute Banner1, and displays the banner to the user.
This example applies to any VPN connection type, including the IPSec client, AnyConnect SSL client, or clientless SSL. For our example, User1 is connecting through a clientless SSL connection.
Step 1
Configure the attributes for a user on the AD/LDAP server. Right-click a user. The Properties window displays (Figure 2). Click the General tab and enter some banner text in the Office field. The Office field uses AD/LDAP attribute physicalDeliveryOfficeName.
Figure 2 LDAP User configuration
Step 2
Create an LDAP attribute map on the security appliance:
In Figure 3, we create the map Banner, and map the AD/LDAP attribute physicalDeliveryOfficeName to the Cisco attribute Banner1:
Figure 3 Create an LDAP Attribute Map
Step 3
Associate the LDAP attribute map to the AAA server.
In Figure 4, we select the server group MS_LDAP, and the host 3.3.3.4 in that group, and click Edit. Then we enter Banner as the LDAP Attribute Map:
Figure 4 Associate the LDAP Attribute Map to the AAA Server
Figure 5 shows the banner enforced by our attribute map:
Figure 5 Banner Displayed
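The same three steps on the CLI, as an added example that is not part of the original page (which shows only the ASDM screens). The server group MS_LDAP, host 3.3.3.4, the map name Banner and the two attribute names come from the procedure above; the interface name inside, the base DN, the bind account, the connection profile name and the use of LDAPS are assumptions made so that the configuration is complete.

```cisco
! Added example: CLI form of Steps 1-3. The base DN, bind account, interface and
! connection profile below are assumed, not taken from the page.
!
! Step 2: map the AD attribute (left) to the Cisco attribute (right).
ldap attribute-map Banner
 map-name physicalDeliveryOfficeName Banner1
!
! Step 3: the server group and host that authenticate VPN users, with the map
! bound to the host. The appliance binds as ldap-login-dn to read the user
! record, so use a dedicated read-only account and LDAPS (TCP/636); without it the
! bind password and every user's credentials cross the network in the clear.
aaa-server MS_LDAP protocol ldap
aaa-server MS_LDAP (inside) host 3.3.3.4
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-password>
 ldap-attribute-map Banner
!
! The connection profile User1 connects to must authenticate against the group.
tunnel-group Clientless-Users general-attributes
 authentication-server-group MS_LDAP
!
! Checks: a test login, then the LDAP exchange showing the retrieved attribute
! and the Cisco attribute it was mapped to.
test aaa-server authentication MS_LDAP host 3.3.3.4 username user1 password <password>
debug ldap 255
show running-config ldap attribute-map
```

An aaa-server host takes a single ldap-attribute-map. The later sections each define a separate map so that every example stands alone, but in a real deployment their map-name and map-value lines belong in one map bound to this host; binding a second map replaces the first.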
Placing Users in a Specific Group-Policy
In this example, we authenticate User1 on the AD LDAP server to a specific group policy on the security appliance. On the server, we use the Department field of the Organization tab to enter the name of the group policy. Then we create an attribute map and map Department to the Cisco attribute IETF-Radius-Class. During authentication, the security appliance retrieves the value of Department from the server, maps the value to the IETF-Radius-Class, and places User1 in the group policy.
This case applies to any VPN connection type, including the IPSec client, AnyConnect SSL client, or clientless SSL. For this example, User1 is connecting through a clientless SSL connection.
Step 1
Configure the attributes for the user on the AD LDAP Server.
Right-click the user. The Properties window displays (Figure 6). Click the Organization tab and enter Group-Policy-1 in the Department field.
Figure 6 AD LDAP Department attribute
Step 2
Create an attribute map for the LDAP configuration shown in Step 1.
In Figure 7 we create the map named group_policy and we map the AD attribute Department to the Cisco attribute IETF-Radius-Class:
Figure 7 Create an Attribute Map
Step 3
Associate the LDAP attribute map to the AAA server.
In Figure 8 we select host 3.3.3.4, in the AAA server group MS_LDAP, and enter the name of our attribute map, group_policy:
Figure 8 Associate the LDAP Attribute Map to the AAA Server
Step 4
Add the new group-policy on the security appliance and configure the required policy attributes that will be assigned to the user.
In Figure 9 we create the group policy Group-Policy-1, the name entered in the Department field on the server:
Figure 9 Create a Group Policy
You can use the CLI to monitor the communication between the security appliance and the server by entering the debug ldap 255 command from privileged EXEC mode. The following is sample output of this command, edited down to the key messages:
[29] Authentication successful for user1 to 3.3.3.4
[29] Retrieving user attributes from server 3.3.3.4
[29] Retrieved Attributes:
[29] department: value = Group-Policy-1
[29] mapped to IETF-Radius-Class: value = Group-Policy-1
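CLI form of Steps 2-4, added here and not part of the original page. The map name group_policy, the attribute names and the policy name Group-Policy-1 come from the procedure; the optional map-value lines, which translate real department names into group-policy names so the directory does not have to carry appliance object names, use assumed values (Engineering, Contractors and the two policy names), as do the interface name and the check command.

```cisco
! Added example: CLI form of Steps 2-4. The map-value lines use assumed values.
ldap attribute-map group_policy
 map-name department IETF-Radius-Class
 ! Optional translation: a department value listed here is rewritten before it
 ! is handed to IETF-Radius-Class; values not listed (such as Group-Policy-1)
 ! pass through unchanged.
 map-value department Engineering Eng-VPN-Policy
 map-value department Contractors Partner-VPN-Policy
!
! Step 4: the group policy named in the Department field must exist on the
! appliance, with the attributes the user should receive.
group-policy Group-Policy-1 internal
group-policy Group-Policy-1 attributes
 vpn-tunnel-protocol webvpn
 banner value Group-Policy-1 users: authorized use only
!
aaa-server MS_LDAP (inside) host 3.3.3.4
 ldap-attribute-map group_policy
!
! Check which group policy the session actually landed in.
show vpn-sessiondb detail webvpn filter name user1
```

Group-policy names are compared as strings, so the Department value and the group-policy name must match exactly; after the first login, confirm the Group Policy line of the session output rather than assuming the mapping took effect.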
Enforcing Static IP Address Assignment for AnyConnect Tunnels
In this example, we configure the AnyConnect client user Web1 to receive a static IP address. We enter the address in the Assign Static IP Address field of the Dialin tab on the AD LDAP server. This field uses the msRADIUSFramedIPAddress attribute. We create an attribute map that maps it to the Cisco attribute IETF-Radius-Framed-IP-Address.
During authentication, the security appliance retrieves the value of msRADIUSFramedIPAddress from the server, maps the value to the Cisco attribute IETF-Radius-Framed-IP-Address, and assigns the static address to Web1.
This example applies to full-tunnel clients, including the IPSec client and the SSL VPN clients (AnyConnect client 2.x and the legacy SSL VPN client).
Step 1
Configure the user attributes on the AD LDAP server.
Right-click on the user name. The Properties window displays (Figure 10). Click the Dialin tab, check Assign Static IP Address, and enter an IP address. For our example, we use 3.3.3.233.
Figure 10 Assign Static IP Address
Step 2
Create an attribute map for the LDAP configuration shown in Step 1.
In Figure 11 we create the map static_address and map the AD attribute msRADIUSFramedIPAddress, used by the Assign Static IP Address field, to the Cisco attribute IETF-Radius-Framed-IP-Address.
Figure 11 Create an Attribute Map
Step 3
Associate the LDAP attribute map to the AAA server.
In Figure 12 we select the host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map static_address:
Figure 12 Associate the LDAP Attribute Map to the AAA Server
If you establish a connection to the security appliance with the AnyConnect client, you can observe the following:
• The banner is received in the same sequence as a clientless connection (Figure 13).
• The user receives the IP address configured on the server and mapped to the security appliance (Figure 14).
Figure 13 Verify the Banner for the AnyConnect Session
Figure 14 AnyConnect Session Established
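CLI form of Steps 2-3, added here and not part of the original page. The map name static_address, the attribute names, the server group, host and user name come from the procedure; the interface name and the check commands are assumptions.

```cisco
! Added example: CLI form of Steps 2-3.
ldap attribute-map static_address
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
!
aaa-server MS_LDAP (inside) host 3.3.3.4
 ldap-attribute-map static_address
!
! The per-user address is honoured only while AAA-based address assignment is
! enabled (it is on by default); confirm it, then verify the assigned address
! once Web1 has connected.
vpn-addr-assign aaa
show running-config all vpn-addr-assign
show vpn-sessiondb svc filter name web1
```

Because the address now comes from the Dial-in tab, anyone who can write that field on the user object can choose the user's tunnel address. If inside ACLs or server rules trust specific VPN addresses, treat write access to msRADIUSFramedIPAddress as equivalent to the right to assume those addresses, and keep the static addresses out of the range handed out by any local pool.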
You can use the CLI to view the session details and verify the assigned address with the show vpn-sessiondb svc command:
hostname# show vpn-sessiondb svc

Session Type: SVC

Username     : web1                   Index        : 31
Assigned IP  : 3.3.3.233              Public IP    : 10.86.181.70
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 304140                 Bytes Rx     : 470506
Group Policy : VPN_User_Group         Tunnel Group : UseCase3_TunnelGroup
Login Time   : 11:13:05 UTC Tue Aug 28 2007
Duration     : 0h:01m:48s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Enforcing Dial-in Allow or Deny Access
In this example, we create an LDAP attribute map that specifies the tunneling protocols allowed for the user. We map the Allow Access and Deny Access settings on the Dialin tab (the AD attribute msNPAllowDialin, which returns TRUE or FALSE) to the Cisco attribute Tunneling-Protocols. Tunneling-Protocols is a bitmap of the protocols the user is permitted to use; Table 1 lists the bit values:
Table 1 Bitmap Values for Cisco Tunneling-Protocol Attribute
| Value | Protocol |
|---|---|
| 1 | PPTP |
| 2 | L2TP |
| 4 | IPSec |
| 8 | L2TP/IPSec |
| 16 | WebVPN (clientless SSL) |
| 32 | SVC/AC (SSL VPN client / AnyConnect) |
Add the values of the protocols a user may use; a connection attempt with a protocol whose bit is not set is refused. By mapping the two possible values of msNPAllowDialin to different bitmaps, we decide which connection methods each kind of user can use.
For this simplified example, we map TRUE (Allow Access) to 4, so that such users may connect only with the IPSec client, and we map FALSE (Deny Access) to 48 (16 + 32, WebVPN and SVC/AC), so that such users may connect only with clientless SSL or the AnyConnect client. For the Allow Access user configured in Step 1, this permits IPSec but denies any attempt to connect using clientless SSL or the AnyConnect client.
Step 1
Configure the user attributes on the AD LDAP server.
Right-click on the user. The Properties window displays. Click the Dial-in tab. Select Allow Access (Figure 15).
Figure 15 Configure the User Attributes on the AD LDAP Server
Note
If you select Control access through Remote Access Policy, a value is not returned from the server and the permissions are enforced based on the internal group policy settings.
Step 2
Create an attribute map that permits an IPSec connection for users with Allow Access and denies them clientless SSL and AnyConnect connections.
In Figure 16 we create the map tunneling_protocols, and enter map values for the AD attribute msNPAllowDialin used by the Allow Access setting to the Cisco attribute Tunneling-Protocols:
Figure 16 Create an Attribute Map
Step 3
Associate the LDAP attribute map to the AAA server.
In Figure 17 we edit the AAA server settings for the host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map tunneling_protocols that we created in step 2:
Figure 17 Associate the LDAP Attribute Map to the AAA Server
If you connect to the security appliance using a PC as a remote user would, a clientless or AnyConnect connection fails and the user is informed that an unauthorized connection mechanism was the reason for the failed connection (Figure 18 and Figure 19). An IPSec client connects because IPSec is an allowed tunneling protocol according to the attribute map.
Figure 18 Login Denied Message for Clientless User
Figure 19 Login Denied Message for AnyConnect Client User.
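CLI form of Steps 2-3, added here and not part of the original page. The map name tunneling_protocols, the attribute names and the two bitmap values come from the procedure; the interface name and the fallback group-policy setting are assumptions, and the alternative FALSE mapping discussed after the block is a common hardening that the page itself does not describe.

```cisco
! Added example: CLI form of Steps 2-3.
ldap attribute-map tunneling_protocols
 map-name msNPAllowDialin Tunneling-Protocols
 ! map-value rewrites the value the directory returns before it reaches the
 ! Cisco attribute. Tunneling-Protocols is the bitmap of PERMITTED protocols:
 !   Allow Access -> TRUE  -> 4  (IPSec only)
 !   Deny Access  -> FALSE -> 48 (WebVPN 16 + SVC/AnyConnect 32, no IPSec)
 map-value msNPAllowDialin TRUE 4
 map-value msNPAllowDialin FALSE 48
!
aaa-server MS_LDAP (inside) host 3.3.3.4
 ldap-attribute-map tunneling_protocols
!
! A user set to "Control access through Remote Access Policy" returns no value,
! so the group policy alone decides. Keep that fallback restrictive (the choice
! of protocol here is an assumption, not from the page).
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ipsec
!
! Check: the debug shows the raw msNPAllowDialin value and the mapped bitmap.
debug ldap 255
```

If Deny Access is meant to deny all VPN access rather than steer the user to SSL, map FALSE to a bit the appliance never serves, for example map-value msNPAllowDialin FALSE 1 (PPTP, which the ASA does not terminate), so that a denied user is left with no usable protocol. Whichever mapping you choose, verify both outcomes from the client side as in Figures 18 and 19; a map that silently grants the wrong protocol set looks identical to a working one until someone tries the path you meant to close.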
Enforcing Logon Hours and Time-of-Day Rules
In this example, we configure and enforce the hours that a clientless SSL user is allowed to access the network. A good example of this is when you want to allow a business partner access to the network only during normal business hours.
For our example, on the AD server, we use the Office field to enter the name of the partner. This field uses the physicalDeliveryOfficeName attribute. Then we create an attribute map on the security appliance to map that attribute to the Cisco attribute Access-Hours. During authentication, the security appliance retrieves the value of physicalDeliveryOfficeName (the Office field) and maps it to Access-Hours.
Step 1
Configure the user attributes on the AD LDAP server.
Right-click the user and select Properties. The Properties window displays (Figure 20). Enter the partner name in the Office field of the General tab:
Figure 20 Active Directory - Time-range
Step 2
Create an attribute map.
In this example, we create the attribute map access_hours and map the AD attribute physicalDeliveryOfficeName used by the Office field to the Cisco attribute Access-Hours.
Figure 21 Create an Attribute Map
Step 3
Associate the LDAP attribute map to the AAA server.
In Figure 22 we edit the AAA server configuration host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map access_hours that we created in step 2:
Figure 22 Associate the LDAP Attribute Map to the AAA Server
Step 4
Configure time ranges for each value allowed on the server. In this case, we entered Partner in the Office field for User1. Therefore, there must be a time range configured for Partner.
In Figure 23 we configure Partner access hours from 9am to 5pm Monday through Friday:
Figure 23 Configure Time Ranges for Each Value Allowed on the Server
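CLI form of Steps 2-4, added here and not part of the original page. The map name access_hours, the attribute names, the time-range name Partner and the 9am-5pm weekday window come from the procedure; the interface name, time zone and NTP server are assumptions (Chicago time, matching the Office value used earlier in the document).

```cisco
! Added example: CLI form of Steps 2-4. Clock and NTP settings are assumed.
ldap attribute-map access_hours
 map-name physicalDeliveryOfficeName Access-Hours
!
aaa-server MS_LDAP (inside) host 3.3.3.4
 ldap-attribute-map access_hours
!
! Step 4: a time-range whose name is exactly the value stored in the Office
! field. Every value that can appear in that field needs a matching time-range.
time-range Partner
 periodic weekdays 9:00 to 17:00
!
! Time ranges are evaluated against the appliance clock; an unset zone or a
! drifting clock silently shifts the window. Pin the zone and synchronize.
clock timezone CST -6
clock summer-time CDT recurring
ntp server 10.0.0.10 source inside
!
! Checks: whether the range is currently active, and what time the box thinks it is.
show time-range Partner
show clock
```

The Office field is a convenient demonstration, but it is also the field the first example used for the banner, and in a combined map one AD attribute should carry one meaning. In production, pick a dedicated attribute for the time-range name and restrict who may write it, since whoever can edit that field can widen the partner's access window.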
Supported Cisco Attributes for LDAP Authorization
This section provides a complete list of attributes (Table 2) for the ASA 5500, VPN 3000, and PIX 500 series security appliances. The table includes attribute support information for the VPN 3000 and PIX 500 series to assist you in configuring networks with a mixture of these security appliances.
Table 2 Security Appliance Supported Cisco Attributes for LDAP Authorization
| Attribute Name | VPN 3000 | ASA | PIX | Syntax/Type | Single or Multi-Valued | Possible Values |
|---|---|---|---|---|---|---|
| Access-Hours | Y | Y | Y | String | Single | Name of the time-range (for example, Business-Hours) |
| Allow-Network-Extension-Mode | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| Authenticated-User-Idle-Timeout | Y | Y | Y | Integer | Single | 1 - 35791394 minutes |
| Authorization-Required |  | Y |  | Integer | Single | 0 = No; 1 = Yes |
| Authorization-Type |  | Y |  | Integer | Single | 0 = None; 1 = RADIUS; 2 = LDAP |
| Auth-Service-Type |  |  |  |  |  |  |
| Banner1 | Y | Y | Y | String | Single | Banner string |
| Banner2 | Y | Y | Y | String | Single | Banner string |
| Cisco-AV-Pair | Y | Y | Y | String | Multi | An octet string in the format [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]; see "Cisco-AV-Pair Attribute Syntax" |
| Cisco-IP-Phone-Bypass | Y | Y | Y | Integer | Single | 0 = Disabled; 1 = Enabled |
| Cisco-LEAP-Bypass | Y | Y | Y | Integer | Single | 0 = Disabled; 1 = Enabled |
| Client-Intercept-DHCP-Configure-Msg | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| Client-Type-Version-Limiting | Y | Y | Y | String | Single | IPSec VPN client version number string |
| Confidence-Interval | Y | Y | Y | Integer | Single | 10 - 300 seconds |
| DHCP-Network-Scope | Y | Y | Y | String | Single | IP address |
| DN-Field | Y | Y | Y | String | Single | UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
| Firewall-ACL-In | Y |  | Y | String | Single | Access list ID |
| Firewall-ACL-Out | Y |  | Y | String | Single | Access list ID |
| IE-Proxy-Bypass-Local |  |  |  | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IE-Proxy-Exception-List |  |  |  | String | Single | A list of DNS domains; entries must be separated by the newline character sequence (\n) |
| IE-Proxy-Method | Y | Y | Y | Integer | Single | 1 = Do not modify proxy settings; 2 = Do not use proxy; 3 = Auto detect; 4 = Use security appliance setting |
| IE-Proxy-Server | Y | Y | Y | Integer | Single | IP address |
| IETF-Radius-Class | Y | Y | Y | String | Single | Sets the group policy for the remote access VPN session |
| IETF-Radius-Filter-Id | Y | Y | Y | String | Single | Access list name that is defined on the security appliance |
| IETF-Radius-Framed-IP-Address | Y | Y | Y | String | Single | An IP address |
| IETF-Radius-Framed-IP-Netmask | Y | Y | Y | String | Single | An IP address mask |
| IETF-Radius-Idle-Timeout | Y | Y | Y | Integer | Single | Minutes |
| IETF-Radius-Service-Type | Y | Y | Y | Integer | Single |  |
| IETF-Radius-Session-Timeout | Y | Y | Y | Integer | Single |  |
| IKE-Keep-Alives | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Allow-Passwd-Store | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Authentication | Y | Y | Y | Integer | Single | 0 = None; 1 = RADIUS; 2 = LDAP (authorization only); 3 = NT Domain; 4 = SDI (RSA); 5 = Internal; 6 = RADIUS with Expiry; 7 = Kerberos/Active Directory |
| IPSec-Auth-On-Rekey | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Backup-Server-List | Y | Y | Y | String | Single | Server addresses (space delimited) |
| IPSec-Backup-Servers | Y | Y | Y | String | Single | 1 = Use client-configured list; 2 = Disabled and clear client list; 3 = Use backup server list |
| IPSec-Client-Firewall-Filter-Name | Y |  |  | String | Single | Name of the filter to be pushed to the client as firewall policy |
| IPSec-Client-Firewall-Filter-Optional | Y | Y | Y | Integer | Single | 0 = Required; 1 = Optional |
| IPSec-Default-Domain | Y | Y | Y | String | Single | The single default domain name to send to the client (1 - 255 characters) |
| IPSec-IKE-Peer-ID-Check | Y | Y | Y | Integer | Single | 1 = Required; 2 = If supported by peer certificate; 3 = Do not check |
| IPSec-IP-Compression | Y | Y | Y | Integer | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Mode-Config | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Over-UDP | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| IPSec-Over-UDP-Port | Y | Y | Y | Integer | Single | 4001 - 49151; default = 10000 |
| IPSec-Required-Client-Firewall-Capability | Y | Y | Y | Integer | Single | 0 = None; 1 = Policy defined by remote FW Are-You-There (AYT); 2 = Policy pushed CPP; 4 = Policy from server |
| IPSec-Sec-Association | Y |  |  | String | Single | Name of the security association |
| IPSec-Split-DNS-Names | Y | Y | Y | String | Single | The list of secondary domain names to send to the client (1 - 255 characters) |
| IPSec-Split-Tunneling-Policy | Y | Y | Y | Integer | Single | 0 = Tunnel everything; 1 = Split tunneling; 2 = Local LAN permitted |
| IPSec-Split-Tunnel-List | Y | Y | Y | String | Single | Name of the network or access list that describes the split tunnel inclusion list |
| IPSec-Tunnel-Type | Y | Y | Y | Integer | Single | 1 = LAN-to-LAN; 2 = Remote access |
| IPSec-User-Group-Lock | Y |  |  | Boolean | Single | 0 = Disabled; 1 = Enabled |
| L2TP-Encryption | Y |  |  | Integer | Single | Bitmap: 1 = Encryption required; 2 = 40 bits; 4 = 128 bits; 8 = Stateless-Req; 15 = 40/128-Encr/Stateless-Req |
| L2TP-MPPC-Compression | Y |  |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| MS-Client-Subnet-Mask | Y | Y | Y | String | Single | An IP address |
| PFS-Required | Y | Y | Y | Boolean | Single | 0 = No; 1 = Yes |
| Port-Forwarding-Name | Y | Y |  | String | Single | Name string (for example, "Corporate-Apps") |
| PPTP-Encryption | Y |  |  | Integer | Single | Bitmap: 1 = Encryption required; 2 = 40 bits; 4 = 128 bits; 8 = Stateless-Required (example: 15 = 40/128-Encr/Stateless-Req) |
| PPTP-MPPC-Compression | Y |  |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| Primary-DNS | Y | Y | Y | String | Single | An IP address |
| Primary-WINS | Y | Y | Y | String | Single | An IP address |
| Privilege-Level |  |  |  |  |  |  |
| Required-Client-Firewall-Vendor-Code | Y | Y | Y | Integer | Single | 1 = Cisco Systems (with Cisco Integrated Client); 2 = Zone Labs; 3 = NetworkICE; 4 = Sygate; 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent) |
| Required-Client-Firewall-Description | Y | Y | Y | String | Single | String |
| Required-Client-Firewall-Product-Code | Y | Y | Y | Integer | Single | Cisco Systems products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC). Zone Labs products: 1 = Zone Alarm; 2 = Zone AlarmPro; 3 = Zone Labs Integrity. NetworkICE product: 1 = BlackIce Defender/Agent. Sygate products: 1 = Personal Firewall; 2 = Personal Firewall Pro; 3 = Security Agent |
| Require-HW-Client-Auth | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| Require-Individual-User-Auth | Y | Y | Y | Integer | Single | 0 = Disabled; 1 = Enabled |
| Secondary-DNS | Y | Y | Y | String | Single | An IP address |
| Secondary-WINS | Y | Y | Y | String | Single | An IP address |
| SEP-Card-Assignment |  |  |  | Integer | Single | Not used |
| Simultaneous-Logins | Y | Y | Y | Integer | Single | 0 - 2147483647 |
| Strip-Realm | Y | Y | Y | Boolean | Single | 0 = Disabled; 1 = Enabled |
| TACACS-Authtype | Y | Y | Y | Integer | Single |  |
| TACACS-Privilege-Level | Y | Y | Y | Integer | Single |  |
| Tunnel-Group-Lock |  | Y | Y | String | Single | Name of the tunnel group or "none" |
| Tunneling-Protocols | Y | Y | Y | Integer | Single | 1 = PPTP; 2 = L2TP; 4 = IPSec; 8 = L2TP/IPSec; 16 = WebVPN. 8 and 4 are mutually exclusive (0 - 11 and 16 - 27 are legal values) |
| Use-Client-Address | Y |  |  | Boolean | Single | 0 = Disabled; 1 = Enabled |
| User-Auth-Server-Name | Y |  |  | String | Single | IP address or hostname |
| User-Auth-Server-Port | Y |  |  | Integer | Single | Port number for server protocol |
| User-Auth-Server-Secret | Y |  |  | String | Single | Server password |
| WebVPN-ACL-Filters | Y |  |  | String | Single | Access-list name |
| WebVPN-Apply-ACL-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Citrix-Support-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Content-Filter-Parameters | Y | Y |  | Integer | Single | 1 = Java & ActiveX; 2 = Java scripts; 4 = Images; 8 = Cookies in images. Add the values to filter multiple parameters (for example, 10 = 2 + 8 filters both Java scripts and cookies) |
| WebVPN-Enable-functions |  |  |  | Integer | Single | Not used - deprecated |
| WebVPN-Exchange-Server-Address |  |  |  | String | Single | Not used - deprecated |
| WebVPN-Exchange-Server-NETBIOS-Name |  |  |  | String | Single | Not used - deprecated |
| WebVPN-File-Access-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-File-Server-Browsing-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-File-Server-Entry-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Forwarded-Ports | Y |  |  | String | Single | Port-Forward list name |
| WebVPN-Homepage | Y | Y |  | String | Single | A URL such as http://example-portal.com |
| WebVPN-Macro-Substitution-Value1 | Y | Y |  | String | Single |  |
| WebVPN-Macro-Substitution-Value2 | Y | Y |  | String | Single |  |
| WebVPN-Port-Forwarding-Auto-Download-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Port-Forwarding-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Port-Forwarding-Exchange-Proxy-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Port-Forwarding-HTTP-Proxy-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-Single-Sign-On-Server-Name |  | Y |  | String | Single | Name of the SSO server (1 - 31 characters) |
| WebVPN-SVC-Client-DPD | Y | Y |  | Integer | Single | 0 = Disabled; n = Dead Peer Detection value in seconds (30 - 3600) |
| WebVPN-SVC-Compression | Y | Y |  | Integer | Single | 0 = None; 1 = Deflate compression |
| WebVPN-SVC-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-SVC-Gateway-DPD | Y | Y |  | Integer | Single | 0 = Disabled; n = Dead Peer Detection value in seconds (30 - 3600) |
| WebVPN-SVC-Keepalive | Y | Y |  | Integer | Single | 0 = Disabled; n = Keepalive value in seconds (15 - 600) |
| WebVPN-SVC-Keep-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-SVC-Rekey-Method | Y | Y |  | Integer | Single | 0 = None; 1 = SSL; 2 = New tunnel; 3 = Any (sets to SSL) |
| WebVPN-SVC-Rekey-Period | Y | Y |  | Integer | Single | 0 = Disabled; n = Rekey period in minutes (4 - 10080) |
| WebVPN-SVC-Required-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-URL-Entry-Enable | Y | Y |  | Integer | Single | 0 = Disabled; 1 = Enabled |
| WebVPN-URL-List | Y |  |  | String | Single | URL-list name |
Cisco-AV-Pair Attribute Syntax
The syntax of each Cisco-AV-Pair rule is as follows:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]
Table 3 describes the syntax rules.
For example:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
webvpn:inacl#1=permit url http://www.website.com
webvpn:inacl#2=deny smtp any host 10.1.3.5
webvpn:inacl#3=permit url cifs://mar_server/peopleshare1
Note
Use Cisco-AV-Pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL VPN Client (SVC) tunnels.
Use Cisco-AV-Pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels.
Table 4 lists the tokens for the Cisco-AV-pair attribute: