ASA & LDAP Authorization

Similar Messages

• LDAP authorization for VPN

  I am having problems getting the LDAP authorization to work. None of the instructions I find seem to coincide with my version of ASDM 5.0(7) and ASA 7.0(7).
  SO if anyone has the right instructions for these version can you send me a link?
  I get as far of testing it and it fails. When I test it asks for a user name but never a password. so I am not sure what I am doing wrong.
  Any help appreciated.

  Post your AAA & VPN profile config from the device please?

• ASA LDAP doesn't see constructed attribute

  I'm in the process of configuring an ASA running 8.4(4)1 for AnyConnect and I'm using certificate authentication with LDAP authorization.  I would like to use a DAP to check the value of LDAP attribute mSDS-User-Account-Control-Computed. However, apparently because this attribute is a constructed attribute, it doesn't show up in the ldap debug or the dap trace on the ASA.  My research seems to indicate that because this attribute is constructed, it won't be sent unless specifically requested. 
  Is there anything on the ASA that can be done to request this attribute?  Does anyone have any experience with LDAP on the ASAs?
  Thanks.
  -Ben

  Wrong forum, post in Security. You can move your post using the actions panel on the right.

• Using OWSM for SAML verification and LDAP authorization

  I can verify SAML tokens by using EM security (verifying SAML tokens) but when I use OWSM I get this error at the proxy (by adding the step : SAML - Verify WSS 1.0 Token to the policy of a server agent)
  Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
  Also I need to LDAP authorize the subject of SAML after verification of SAML token. Is it just enough to put the LDAP authorize step after SAML verification?
  Won't I need any EXTRACT CREDENTIAL step?
  Regards
  Farbod

  When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups, a user is part of.
  In general, one could follow these articles to achieve AD Authentication:
  [http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/|http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/]
  [http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/|http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/]
  To sum it up: Read User-information from AD. Knowing a user's login-name then, one could query an external table, which consists of user and group information. Everything is setup within initializationBlocks, which could be created in the administration tool.
  Problem: As you already said, the problem is, that this external user--group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
  In our case, there's an admin who knows what sql is and how to work with it.
  Another solution could be, to prepare a xml-file, containing user and group information and add it to your repository. The tables could then be queried, too. Although, xml files can become quite unhandy, if a lot of information is held within it, they can be edited via external tools or at least with a standard text editor.

• LDAP Authorization Example

  Hello;
  Does anyone have a good example of an LDAP authorization script? The examples on the Cisco website don't provide enough detail. This version of LDAP is Windows 2003 Active Directory.
  Thank You

  Refer this document to Configuring an LDAP Server for VPN Concentrator User Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/ldapapp.htm#1533072

• LDAP authorization problem in OC4J 10.1.3. using OID

  I'm attempting to secure a j2ee application using OID and SSO. I'm using the standard OID Security Provider.As long as my user in ldap is located within a group that is part of the cn=groups everything works fine. However, if the user is defined in a nested group authentication fails.
  Scenario 1 (working):
  cn=mse-se-staff,cn=groups,dc=global,dc=mycompany,dc=net
  Scenario 2 (not working):
  cn=mse-se-staff,cn=exchange,cn=groups,dc=global,dc=mycompany,dc=net
  I know that when using a third party ldap provider one can change the searchscope to search nested groups. Is there a way to set this in the standard OID security provider as well?
  I have tried pre-pending the security-role-mapping with the additional group like so:
       <security-role-mapping name="USERS">
            <group name="exchange/mse-se-staff" />
       </security-role-mapping>
  This did not work however. Can I use nested groups with OID? Again this works fine if the user is defined in a group that is part of cn=groups.
  Here are all the important configuration pieces:
  web.xml:
  <security-constraint>
            <web-resource-collection>
                 <web-resource-name>access to the application</web-resource-name>
                 <url-pattern>/svc</url-pattern>                               
            </web-resource-collection>
            <!-- authorization to admin urls -->
            <auth-constraint>
                 <role-name>USERS</role-name>
            </auth-constraint>
  </security-constraint>
  orion-application.xml:
       <security-role-mapping name="USERS">
            <group name="mse-se-staff" />
       </security-role-mapping>
       <jazn provider="LDAP" location="*my ldap here*">
       <jazn-web-app auth-method="SSO" jaas-mode="doAsPrivileged" />
  </jazn>
  Thanks,
  Marc

  Could you try settings java.naming.referral jndi env referral and re try.

• LDAP authorization with ADF

  Hi,
  I am in the earlier stage of developing a web application with Jdev 10.3 using ADF BC. I authorize the users against LDAP in my application. I got some help about orion.application.xml file and jazn. But I need some thing more to start up with.
  I was trying the option that is available in jdev under tools->ADF Security wizard. But I am not sure about how to use it. Is there anyone who can help me in this?
  Thanks,
  Haripriya.S

  Hi,
  Thanks for the suggestion and I have put up my question in jdeveloper forum. but I havent got any replies upto now. Let me inform you once I get the answer.

• LDAP Authorization (not authentication)

  Hi everybody,
  There is a Linux server with Oracle 10g and Apex 3.0.1.
  And there is a Microsoft Windows server having an active directory.
  The first step was to authenticate against the AD using the LDAP authentication scheme in shared components. I have entered the necassary information and the authentication is going through successfully.
  My second step is now the authorization of the users, so I can restrict access pages to some users. I have searched the internet and everything I found and tried didn't work. As far as I am aware I have to do the check (e.g. whether the user is a member of the AD) in PLSQL code. I have tried to use: apex_ldap.is_member, and other functions in dbms_ldap. But I can't get any of them to work. In fact when using then in a PLSQL in SQL PLUS there is not even an error given, no messages at all, although I have set serveroutput on.
  So perhaps someone could give me a hint, in what I am doing wrong, or what else I have to keep in mind in order to get it to work (perhaps I have to install something)
  My actual goal is to have a single sign on. That is why I have to authorize the user to restrict some access.
  Every help is highly appreciated.
  Thanks,
  Regards,
  Denise

  Hi John,
  <br><br>
  --AD stores the user/group information in a different way
  <br><br>
  Does that mean that I only have to change see string within the function?
  <br><br>
  htmldb_ldap.is_member<br>
  ('uname',<br>
  'pword',<br>
  'cn=Users,dc=aatestdom,dc=com',<br>
  'AA1MS101',<br>
  '389',<br>
  'APEX_USER',<br>
  'cn=Groups,dc=aatestdom,dc=com')<br>
  <br>
  Or doesn't that have anything to do with it?
  <br><br>
  To my code. I have tried so many things so I think it is of no use to post it here as I have figured out that it is the main thing (see function above) which is not working properly. If I take the main part out the rest of my code will work fine.
  <br><br>
  But could you please explain to me what the following of the dbms_ldap.compare_s function means?:<br>
  attr => <b>'uniquemember'</b><br>
  value => 'cn=test\, <b>greg (etsa)</b>...'<br>
  And what I have to put into it (i think 'test' will be the username)?
  <br><br>
  Regards and thanks for your tips so far,<br>
  Denise

• ASA LDAP authentication trouble

  Hi,
  I have a weird situation when using LDAP (MS AD) to authenticate logon to ASDM.
  I've created the setup and map the ASAAdmin group membership to Privilege level 15. (see lines from config)
  ldap attribute-map ADAuth
    map-name  memberOf Privilege-Level
    map-value memberOf CN=ASAAdmin,CN=Users,DC=chapel,DC=orbdata,DC=com 15
  It works fine when I login. See extract from the debugs:
  [732]   memberOf: value = CN=ASAAdmin,CN=Users,DC=chapel,DC=orbdata,DC=com
  [732]           mapped to Privilege-Level: value = 15
    1     User-Name(1)     11    "zsolt.fejer"
    2     User-Password(2)      8    (hidden)
    3     AAA-AVP-Table(4243)    1993    "[C9][07][00][00],[00][00][00][B8][01][00][00][CF][01]"
    4     Privilege Level(4316)      4    15
    5     Privilege Level(4316)      4    0
    6     Privilege Level(4316)      4    0
    7     Privilege Level(4316)      4    0
    8     Privilege Level(4316)      4    0
    9     Privilege Level(4316)      4    0
  10     Privilege Level(4316)      4    0
  I'm authenticated and can work properly.
  But when I try to login as Administrator (other users have the same issue), I get the message that the Privilege level is only 0 which isn't enough to start ASDM. The Administrator also member of the said group. See the extract from the debug.
  user attributes:
    1     User-Name(1)     13    "administrator"
    2     User-Password(2)      9    (hidden)
    3     AAA-AVP-Table(4243)    1925    "[85][07][00][00])[00][00][00][A0][01][00][00][B7][01]"
    4     Privilege Level(4316)      4    0
    5     Privilege Level(4316)      4    0
    6     Privilege Level(4316)      4    0
    7     Privilege Level(4316)      4    15
    8     Privilege Level(4316)      4    0
    9     Privilege Level(4316)      4    0
  10     Privilege Level(4316)      4    0
  11     Privilege Level(4316)      4    0
  12     Privilege Level(4316)      4    0
  13     Privilege Level(4316)      4    0
  Also when I add myself to another more group I'm locked out of the ASDM.
  Why does it happen? How can I prevent it?
  Thanks!

  Hi Steve,
  The admin user should have full read-only access to query/read the full directory/structure.
  This is what you need to enable password change feature for VPN users on ASA.
  LDAP configuration on ASA
  aaa-server LDAP-AD protocol ldap
  aaa-server LDAP-AD host server-port 636
  ldap-base-dn
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn
  ldap-login-password
  ldap-over-ssl enable
  server-type Microsoft
  NOTE: This will only work with secure LDAP TCP 636
  VPN configuration on ASA
  tunnel-group DefaultWEBVPNGroup type remote-access
  tunnel-group DefaultWEBVPNGroup general-attributes
  authentication-server-group LDAP-AD
  default-group-policy DfltGrpPolicy
  password-management password-expire-in-days
  Settings on the LDAP server
  We can create a new user account with password settings "user must change password at next logon" or specific number of days whenever you allow users to change their password.
  HTH
  Regards,
  JK

• LDAP Authorization for OBIEE 10.1.3

  Hello,
  We have setup LDAP authentication (ADSI LDAP) using OBIEE standalone.
  I'm trying to figure out the best way to manage Authorization - user to group assignment in OBIEE.
  Options:
  1. Using external table
  Challange: The client doesn't have other application that manages user to group assignment. If I am using external table authorization, how will they manage changes to user to group or add new user to group?? This will require IT admin to modify table directly in production. They would like to have business super user to handle new user to group assignment.
  2. Import user to LDAP
  This is unfortunately doesn't work with ADSI LDAP. I got error message: This function is not supported for all LDAP type..
  3. I read something about using database DBMS_LDAP package. Basically: Define user to group assignment in LDAP. Define a db function to get db to group assignment. Call this db function in OBIEE.
  I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
  4. I thought about using Microsoft Excel to maintain user to group assignment and use the excel connection pool in Authorization init block. However, the OBIEE server is configured in AIX environment, and there is no excel driver for UNIX that's available...
  Has anyone seen this scenario before? Any suggestions will be greatly appreciated..

  When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups, a user is part of.
  In general, one could follow these articles to achieve AD Authentication:
  [http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/|http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/]
  [http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/|http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/]
  To sum it up: Read User-information from AD. Knowing a user's login-name then, one could query an external table, which consists of user and group information. Everything is setup within initializationBlocks, which could be created in the administration tool.
  Problem: As you already said, the problem is, that this external user--group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
  In our case, there's an admin who knows what sql is and how to work with it.
  Another solution could be, to prepare a xml-file, containing user and group information and add it to your repository. The tables could then be queried, too. Although, xml files can become quite unhandy, if a lot of information is held within it, they can be edited via external tools or at least with a standard text editor.

• Asa cmd authorization using acs

  Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..
  aaa-server aaa_serv protocol tacacs+
  aaa-server aaa_serv host 10.0.0.10
  key cisco123
  aaa authentication serial console tac_serv
  aaa authentication telnet console tac_serv
  aaa authentication enable console tac_serv
  aaa authorization command tac_serv
  i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

  ASA does not have any authorization exec command so Priv Level does not work with ASA.
  Max privilege(enable attrib. in ACS)works with ASA.
  But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.
  2 main commands required for command authorization are
  aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
  aaa authorization command tac_serv

• LDAP Authorization

  I am able to authenticate users via the built in LDAP authentication scheme to Active Directory. OS_USER JDOE logs in and is authenticated.
  I am now having issues trying to authorize specific users to this application.
  So far i created a user table with os_user format of JDOE. And my authorization scheme does a where exists sql query. When I apply this authorization scheme to a region it disables the user that should be givin authorization.
  My where exists sql query
  SELECT 1 FROM user_security
  WHERE os_user = :APP_USER
  Thanks

  Setting the authorization scheme to be evaluated "Once per page view" would be prudent, although if it isn't evaluated during the session before the report region is rendered, that shouldn't be a factor. But it could be that you are using a session in which the scheme has already been evaluated and returned false. Once that happens, it's false for the rest of the session, assuming it was set to "Once per session". This attribute is under Evaluation Point on the authorization scheme page.
  Scott

• LDAP authorization and AD

  HI!
  I am trying to authorize a user wit Active Directory via LDAP, the user logs in as user1 but if I use the uid as principal it doesn't work, I need to specify
  principal = "CN=Name Surname(user1),OU=Users ..." -> works
  principal = "CN=user1,OU=Users ..." -> does not work
  Any help?
  Thanks,
  Iggy

  If that's the way your LDAP is organized that's the only path that's going to work. If you want to find users etc. by some other property you'll need to use a the search function. Each context in the tree has a unique name.

• ASA and Multiple AD Domains

  Hello,
  I am having difficulties with configuring my ASA5510 to authenticate against two different Active Directory domains with LDAP for a Remote Access VPN. From what I can see, the authentication process goes as far as checking the first server, seeing that the user doesn't belong to that domain and then it bombs out.
  I read some technote which specified that if the DC was set up as a Global Catalog that this would be a non-issue - sadly, this doesn't appear to be the case.
  Can anyone shed any light on this?
  Thanks
  Keith

  Hi Keith
  First of all the behavior you describe is correct and expected. If you configure 2 aaa servers (regardless of whether it's radius, ldap, etc.) then the ASA will consider them as having identical user DB's, and so will only use the 2nd when the 1st is unreachable.
  So the solution would indeed consist of having a global catalog server (GCS) that can search both domains, and point the ASA to that server (or set of servers). The downside is that the global catalog server may not have information  about local groups which may be needed for authorization and or DAP.
  Having said that, there may be an alternative if you are using (or willing to change to) double authentication (i.e. certificate based authentication + username/password) or if you are ok to use certificate based authentication with LDAP authorization (i.e. only the cert is used to log in, the ldap attributes are only used to override settings in the group-policy).
  In that case you can use tunnel group mapping (i.e. have certificates from one domain land on a certain group, and another domain on another group). Since each group has its own aaa-server config, you can point them to different ldap servers.
  hth
  Herbert

• Problem with LDAP authentication for users in a group

  I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
  I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
  [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
  [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]  msNPAllowDialin: value = TRUE
  I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
  ldap attribute-map AuthUsers
    map-name  memberOf IETF-Radius-Class
    map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
  aaa-server LDAP protocol ldap
  aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
   ldap-base-dn DC=COMPANY,DC=com
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
   server-type microsoft
   ldap-attribute-map AuthUsers
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
   vpn-simultaneous-logins 0
   vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
   webvpn
    anyconnect ask none default anyconnect
  group-policy GroupPolicy_COMPANY_SSL_VPN internal
  group-policy GroupPolicy_COMPANY_SSL_VPN attributes
   wins-server none
   dns-server value 10.10.100.102
   vpn-tunnel-protocol ikev1 ikev2 ssl-client
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT-TUNNEL
   default-domain value net.COMPANY.com
   webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
  tunnel-group COMPANY_SSL_VPN type remote-access
  tunnel-group COMPANY_SSL_VPN general-attributes
   address-pool COMPANY-SSL-VPN-POOL
   authentication-server-group LDAP
   authorization-server-group LDAP
   authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
   default-group-policy NOACCESS
   authorization-required
  tunnel-group COMPANY_SSL_VPN webvpn-attributes
   group-alias COMPANY_SSL_VPN enable
  tunnel-group COMPANY_SSL_VPN ipsec-attributes
   ikev1 pre-shared-key *****

  I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.