Beruflich Dokumente
Kultur Dokumente
This document describes using the Adaptive Security Device Manager (ASDM) to configure the ASA 5500 Series Adaptive Security Appliance to enforce Microsoft Active Directory (AD) access policies using LDAP attribute maps. The examples in this document pertain to Microsoft AD. However, LDAP attribute maps can be used to support other directory servers, such as Novell eDirectory, OpenLDAP, and Sun Directory Server. This document includes the following sections:
How LDAP Attribute Maps Work, page 2 LDAP Attribute Map Configuration Examples, page 3 Supported Cisco Attributes for LDAP Authorization, page 25
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
OL-xxxxx-xx
User-Based Attributes Policy Enforcement Placing Users in a Specific Group-Policy Enforcing Static IP Address Assignment for AnyConnect Tunnels Enforcing Dial-in Allow or Deny Access Enforcing Logon Hours and Time-of-Day Rules
Configure the attributes for a user on the AD/LDAP server. Right-click a user. The Properties window displays (Figure 2). Click the General tab and enter some banner text in the Office field. The Office field uses AD/LDAP attribute physicalDeliveryOfficeName.
Figure 2 LDAP User configuration
OL-xxxxx-xx
Step 2
Create an LDAP attribute map on the security appliance: In Figure 3, we create the map Banner, and map the AD/LDAP attribute physicalDeliveryOfficeName to the Cisco attribute Banner1:
Figure 3 Create an LDAP Attribute Map
OL-xxxxx-xx
Step 3
Associate the LDAP attribute map to the AAA server. In Figure 4, we select the server group MS_LDAP, and the host 3.3.3.4 in that group, and click Edit. Then we enter Banner as the LDAP Attribute Map:
Figure 4 Associate the LDAP Attribute Map to the AAA Server
OL-xxxxx-xx
OL-xxxxx-xx
Configure the attributes for the user on the AD LDAP Server. Right-click the user. The Properties window displays (Figure 6). Click the Organization tab and enter Group-Policy-1 in the Department field.
Figure 6 AD LDAP Department attribute
OL-xxxxx-xx
Step 2
Create an attribute map for the LDAP configuration shown in Step 1. In Figure 7 we create the map named group_policy and we map the AD attribute Department to the Cisco attribute IETF-Radius-Class:
Figure 7 Create an Attribute Map
OL-xxxxx-xx
Step 3
Associate the LDAP attribute map to the AAA server. In Figure 8 we select host 3.3.3.4, in the AAA server group MS_LDAP, and enter the name of our attribute map, group_policy:
Figure 8 Associate the LDAP Attribute Map to the AAA Server
OL-xxxxx-xx
Step 4
Add the new group-policy on the security appliance and configure the required policy attributes that will be assigned to the user. In Figure 9 we create the group policy group-policy-1, the name entered in the Department field on the server:
Figure 9 Create a Group Policy
You can use CLI to monitor the communication between the security appliance and the server by enabling the debug ldap 255 command from privileged EXEC mode. Below is sample output of this command. The output has been edited to provide the key messages: [29] Authentication successful for user1 to 3.3.3.4 [29] Retrieving user attributes from server 3.3.3.4 [29] Retrieved Attributes: [29] department: value = Group-Policy-1 [29] mapped to IETF-Radius-Class: value = Group-Policy-1
10
OL-xxxxx-xx
Configure the user attributes on the AD LDAP server. Right-click on the user name. The Properties window displays (Figure 10). Click the Dialin tab, check Assign Static IP Address, and enter an IP address. For our example, we use 3.3.3.233.
Figure 10 Assign Static IP Address
OL-xxxxx-xx
11
Step 2
Create an attribute map for the LDAP configuration shown in Step 1. In this case we map the AD attribute msRADIUSFrameIPAddress used by the Static Address field to the Cisco attribute IETF-Radius-Framed-IP-Address.
Figure 11 Create an Attribute Map
12
OL-xxxxx-xx
Step 3
Associate the LDAP attribute map to the AAA server. In Figure 12 we select the host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map static_address:
Figure 12 Associate the LDAP Attribute Map to the AAA Server
OL-xxxxx-xx
13
If you establish a connection to the security appliance with the AnyConnect client, you can observe the following:
The banner is received in the same sequence as a clientless connection (Figure 13). The user receives the IP address configured on the server and mapped to the security appliance (Figure 14).
Verify the Banner for the AnyConnect Session
Figure 13
14
OL-xxxxx-xx
Figure 14
You can use CLI to view the session details and verify the address assigned using the show vpn-sessiondb svc command:
hostname# show vpn-sessiondb svc Session Type: SVC Username : web1 Index Assigned IP : 3.3.3.233 Public IP Protocol : Clientless SSL-Tunnel DTLS-Tunnel Encryption : RC4 AES128 Hashing Bytes Tx : 304140 Bytes Rx Group Policy : VPN_User_Group Tunnel Group Login Time : 11:13:05 UTC Tue Aug 28 2007 Duration : 0h:01m:48s NAC Result : Unknown VLAN Mapping : N/A VLAN BXB-ASA5540#
: none
OL-xxxxx-xx
15
Map Value 1 2 4 8
1 2
Tunneling Protocol PPTP L2TP IPSec L2TP/IPSEC clientless SSL SSL ClientAnyConnect or legacy SSL VPN client
16 32
1. IPSec and L2TP over IPSec are not supported simultaneously. Therefore, the values 4 and 8 are mutually exclusive. 2. See note 1.
Using this attribute, we create an Allow Access (TRUE) or a Deny (FALSE) condition for the protocols and enforce what method the user is allowed access with. For this simplified example, by mapping the tunnel-protocol IPSec (4), we can create an allow (true) condition for the IPSec Client. We also map WebVPN (16) and SVC/AC (32) which is mapped as value of 48 (16+32) and create a deny (false) condition. This allows the user to connect to the security appliance using IPSec, but any attempt to connect using clientless SSL or the AnyConnect client is denied.
16
OL-xxxxx-xx
Step 1
Configure the user attributes on the AD LDAP server. Right-click on the user. The Properties window displays. Click the Dial-in tab. Select Allow Access (Figure 16).
Figure 15 Configure the User Attributes on the AD LDAP Server
Note
If you select Control access through Remote Access Policy, a value is not returned from the server and the permissions are enforced based on the internal group policy settings.
OL-xxxxx-xx
17
Step 2
Create an attribute map to allow both an IPSec and AnyConnect connection, but deny a clientless SSL connection. In Figure 16 we create the map tunneling_protocols, and enter map values for the AD attribute msNPAllowDialin used by the Allow Access setting to the Cisco attribute Tunneling-Protocols:
Figure 16 Create an Attribute Map
18
OL-xxxxx-xx
Step 3
Associate the LDAP attribute map to the AAA server. In Figure 17 we edit the AAA server settings for the host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map tunneling_protocols that we created in step 2:
Figure 17 Associate the LDAP Attribute Map to the AAA Server
OL-xxxxx-xx
19
If you connect to the security appliance using a PC as a remote user would, a clientless or AnyConnect connection fails and the user is informed that an unauthorized connection mechanism was the reason for the failed connection (Figure 18 and Figure 19). An IPSec client connects because IPSec is an allowed tunneling protocol according to attribute map.
Figure 18 Login Denied Message for Clientless User
20
OL-xxxxx-xx
Figure 19
Configure the user attributes on the AD LDAP server. Select the user. Right click on Properties. The Properties window displays (Figure 20). Enter the partner name in the Office field of the General tab:
OL-xxxxx-xx
21
Figure 20
Step 2
Create an attribute map. In this example, we create the attribute map access_hours and map the AD attribute physicalDeliveryOfficeName used by the Office field to the Cisco attribute Access-Hours.
Figure 21 Create an Attribute Map
22
OL-xxxxx-xx
Step 3
Associate the LDAP attribute map to the AAA server. In Figure 22 we edit the AAA server configuration host 3.3.3.4, in the AAA server group MS_LDAP, and associate the attribute map access_hours that we created in step 2:
Figure 22 Associate the LDAP Attribute Map to the AAA Server
OL-xxxxx-xx
23
Step 4
Configure time ranges for each value allowed on the server. In this case, we entered Partner in the Office field for User1. Therefore, there must be a time range configured for Partner. In Figure 23 we configure Partner access hours from 9am to 5pm Monday through Friday:
Figure 23 Configure Time Ranges for Each Value Allowed on the Server
24
OL-xxxxx-xx
Single or Multi-Valued Possible Values Single Name of the time-range (for example, Business-Hours) 0 = Disabled 1 = Enabled 1 - 35791394 minutes 0 = No 1 = Yes 0 = None 1 = RADIUS 2 = LDAP Banner string Banner string An octet string in the following format: [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port] For more information, see Cisco-AV-Pair Attribute Syntax.
Auth-Service-Type Banner1 Banner2 Cisco-AV-Pair Y Y Y Y Y Y Y Y Y String String String Single Single Multi
Y Y Y Y Y Y Y
Y Y Y Y Y Y Y
Y Y Y Y Y Y Y
Integer Integer
Single Single
0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled IPSec VPN client version number string 10 - 300 seconds IP address Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name.
Boolean Single String Integer String String Single Single Single Single
OL-xxxxx-xx
25
Table 2
Single or Multi-Valued Possible Values Single Single Access list ID Access list ID 0=Disabled 1=Enabled A list of DNS domains. Entries must be separated by the new line character sequence (\n). 1 = Do not modify proxy settings 2 = Do not use proxy 3 = Auto detect 4 = Use security appliance setting IP Address Sets the group policy for the remote access VPN session access list name that is defined on the security appliance An IP address An IP address mask minutes
IE-Proxy-Method
Integer
Single
IE-Proxy-Server IETF-Radius-Class IETF-Radius-Filter-Id IETF-Radius-Framed-IP-Address IETF-Radius-Framed-IP-Netmask IETF-Radius-Idle-Timeout IETF-Radius-Service-Type IETF-Radius-Session-Timeout IKE-Keep-Alives IPSec-Allow-Passwd-Store IPSec-Authentication
Y Y Y Y Y Y Y Y Y Y Y
Y Y Y Y Y Y Y Y Y Y Y
Y Y Y Y Y Y Y Y Y Y Y
Integer
Single Single
0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = None 1 = RADIUS 2 = LDAP (authorization only) 3 = NT Domain 4 = SDI (RSA) 5 = Internal 6 = RADIUS with Expiry 7 = Kerberos/Active Directory 0 = Disabled 1 = Enabled Server Addresses (space delimited) 1 = Use Client-Configured list 2 = Disabled and clear client list 3 = Use Backup Server list
Y Y Y
Y Y Y
Y Y Y
26
OL-xxxxx-xx
Table 2
Attribute Name/
Single or Multi-Valued Possible Values Single Specifies the name of the filter to be pushed to the client as firewall policy. 0 = Required 1 = Optional Specifies the single default domain name to send to the client (1 - 255 characters). 1 = Required 2 = If supported by peer certificate 3 = Do not check 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 4001 - 49151; default = 10000 0 = None 1 = Policy defined by remote FW Are-You-There (AYT) 2 = Policy pushed CPP 4 = Policy from server Name of the security association Specifies the list of secondary domain names to send to the client (1 - 255 characters). 0 = Tunnel everything 1 = Split tunneling 2 = Local LAN permitted Specifies the name of the network or access list that describes the split tunnel inclusion list. 1 = LAN-to-LAN 2 = Remote access 0 = Disabled 1 = Enabled
IPSec-Client-Firewall-Filter- Name Y
IPSec-Client-Firewall-FilterOptional IPSec-Default-Domain
Y Y
Y Y
Y Y
Integer String
Single Single
IPSec-IKE-Peer-ID-Check
Integer
Single
Y Y Y Y Y
Y Y Y Y Y
Y Y Y Y Y
Integer
Single
IPSec-Sec-Association IPSec-Split-DNS-Names
Y Y Y Y
String String
Single Single
IPSec-Split-Tunneling-Policy
Integer
Single
IPSec-Split-Tunnel-List
String
Single
IPSec-Tunnel-Type IPSec-User-Group-Lock
Y Y
Integer
Single
Boolean Single
OL-xxxxx-xx
27
Table 2
Single or Multi-Valued Possible Values Single Bitmap: 1 = Encryption required 2 = 40 bit 4 = 128 bits 8 = Stateless-Req 15 = 40/128-Encr/Stateless-Req
Y Y Y Y Y Y Y Y Y Y
Integer String
Single Single
0 = Disabled 1 = Enabled An IP address 0 = No 1 = Yes Name string (for example, Corporate-Apps) Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required Example: 15 = 40/128-Encr/Stateless-Req
Y Y Y Y Y Y Y
Integer
Single
1 = Cisco Systems (with Cisco Integrated Client) 2 = Zone Labs 3 = NetworkICE 4 = Sygate 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent) String
Required-Client-FirewallDescription
String
Single
28
OL-xxxxx-xx
Table 2
Single or Multi-Valued Possible Values Single Cisco Systems Products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: 1 = Zone Alarm 2 = Zone AlarmPro 3 = Zone Labs Integrity NetworkICE Product: 1 = BlackIce Defender/Agent Sygate Products: 1 = Personal Firewall 2 = Personal Firewall Pro 3 = Security Agent
Require-HW-Client-Auth Require-Individual-User-Auth Secondary-DNS Secondary-WINS SEP-Card-Assignment Simultaneous-Logins Strip-Realm TACACS-Authtype TACACS-Privilege-Level Tunnel-Group-Lock Tunneling-Protocols
Y Y Y Y Y Y Y Y Y
Y Y Y Y Y Y Y Y Y Y
Y Y Y Y Y Y Y Y Y Y
Boolean Single Integer String String Integer Integer Single Single Single Single Single
0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled An IP address An IP address Not used 0-2147483647 0 = Disabled 1 = Enabled
Boolean Single Interger Single Interger Single String Integer Single Single
Name of the tunnel group or none 1 = PPTP 2 = L2TP 4 = IPSec 8 = L2TP/IPSec 16 = WebVPN. 8 and 4 are mutually exclusive (0 - 11, 16 - 27 are legal values) 0 = Disabled 1 = Enabled IP address or hostname Port number for server protocol Server password Access-List name
Y Y Y Y Y
Boolean Single String Integer String String Single Single Single Single
OL-xxxxx-xx
29
Table 2
Single or Multi-Valued Possible Values Single Single Single 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 1 = Java & ActiveX 2 = Java scripts 4 = Images 8 = Cookies in images Add the values to filter multiple parameters. For example: enter 10 to filter both Java scripts and cookies. (10 = 2 + 8)
WebVPN-Enable-functions WebVPN-Exchange-ServerAddress WebVPN-Exchange-ServerNETBIOS-Name WebVPN-File-Access-Enable WebVPN-File-Server-BrowsingEnable WebVPN-File-Server-EntryEnable WebVPN-Forwarded-Ports WebVPN-Homepage WebVPN-Macro-SubstitutionValue1 WebVPN-Macro-SubstitutionValue2 WebVPN-Port-ForwardingAuto-Download-Enable WebVPN-Port-Forwarding- Enable WebVPN-Port-ForwardingExchange-Proxy-Enable WebVPN-Port-ForwardingHTTP-Proxy-Enable WebVPN-Single-Sign-OnServer-Name Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
Integer String String Integer Integer Integer String String String String Integer Integer Integer Integer String
Single Single Single Single Single Single Single Single Single Single Single Single Single Single Single
Not used - deprecated Not used - deprecated Not used - deprecated 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled Port-Forward list name A URL such as http://example-portal.com.
0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled Name of the SSO Server (1 - 31 characters).
30
OL-xxxxx-xx
Table 2
Single or Multi-Valued Possible Values Single 0 = Disabled n = Dead Peer Detection value in seconds (30 - 3600) 0 = None 1 = Deflate Compression 0 = Disabled 1 = Enabled 0 = Disabled n = Dead Peer Detection value in seconds (30 - 3600) 0 = Disabled n = Keepalive value in seconds (15 600) 0 = Disabled 1 = Enabled 0 = None 1 = SSL 2 = New tunnel 3 = Any (sets to SSL) 0 = Disabled n = Retry period in minutes (4 - 10080) 0 = Disabled 1 = Enabled 0 = Disabled 1 = Enabled URL-list name
Y Y Y
Y Y Y
WebVPN-SVC-Keepalive
Integer
Single
WebVPN-SVC-Keep-Enable WebVPN-SVC-Rekey-Method
Y Y
Y Y
Integer Integer
Single Single
WebVPN-SVC-Rekey-Period
Integer
Single
Y Y
Y Y Y
Field Prefix
Description A unique identifier for the AV pair. For example: ip:inacl#1= (for standard access lists) or webvpn:inacl# (for clientless SSL VPN access lists). This field only appears when the filter has been sent as an AV pair. Action to perform if rule matches: deny, permit.
Action
OL-xxxxx-xx
31
Table 3
Description Number or name of an IP protocol. Either an integer in the range 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp. Network or host that sends the packet. Specify it as an IP address, a hostname, or the keyword any. If using an IP address, the source wildcard mask must follow. The wildcard mask that applies to the source address. Network or host that receives the packet. Specify as an IP address, a hostname, or the keyword any. If using an IP address, the source wildcard mask must follow. The wildcard mask that applies to the destination address. Generates a FILTER log message. You must use this keyword to generate events of severity level 9. Logic operators: greater than, less than, equal to, not equal to. The number of a TCP or UDP port in the range 0 - 65535.
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log webvpn:inacl#1=permit url http://www.website.com webvpn:inacl#2=deny smtp any host 10.1.3.5 webvpn:inacl#3=permit url cifs://mar_server/peopleshare1
Note
Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL VPN Client (SVC) tunnels. Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels. Table 4 lists the tokens for the Cisco-AV-pair attribute:
Table 4
Syntax Field N/A (Identifier) N/A (Identifier) Action Action Protocol Protocol
Description (Where Num is a unique integer.) Starts all AV pair access control lists. Enforces access lists for remote IPSec and SSL VPN (SVC) tunnels. (Where Num is a unique integer.) Starts all clientless SSL AV pair access control lists. Enforces access lists for clientless (browser-mode) tunnels. Denies action. (Default) Allows action. Internet Control Message Protocol (ICMP) Internet Control Message Protocol (ICMP)
32
OL-xxxxx-xx
Table 4
Syntax Field Protocol Protocol Protocol Protocol Protocol Protocol Hostname Hostname Log Operator Operator Operator Operator Operator
Description Internet Protocol (IP) Internet Protocol (IP) Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol (UDP) User Datagram Protocol (UDP) Rule applies to any host. Any alpha-numeric string that denotes a hostname. When the event is hit, a filter log message appears. (Same as permit and log or deny and log.) Less than value Greater than value Equal to value Not equal to value Inclusive range. Should be followed by two values.
OL-xxxxx-xx
33
34
OL-xxxxx-xx