RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

Similar Messages

Error in authentication with ldap server with certificate

Hi,
i have a problem in authentication with ldap server with certificate.
here i am using java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate which is having the up to 5 years valid time.
is java will authenticate up to one year only?
Can any body help on this issue...
Regards
Ranga

sorry i am gettting ythe same error
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
here when i am using the old certificate and changing the system date means i can get the authentication.
can you tell where we can concentrate and solve the issue..
where is the issue
1. need to check with the ldap server only
2. problem in java code only.
thanks in advance

ASA Remote Access Authentication with LDAP Server

Thank you in advance for your help.
I am configuring an ASA to authenticate with a ldap server for ipsec vpn access. My customer has 3 networks that are to be accessed by remote users. However they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication. Basically a ldap group on the ldap server that will have the users name in the group in order for access. I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
The ldap server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server. When I run the authentication test from the ADSM or command line I get a good authentication successful message. So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the vpn client. It all looks the same from the search criteria. What am I missing here or does anyone more knowledgeable see anything that I am doing wrong. Can this be done this way or should I try radius. The customer was just adament about using ldap.
extvpnasa5510#
[243] Session Start
[243] New request Session, context 0xd5713fe0, reqType = 1
[243] Fiber started
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 2
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] Performing Simple authentication for to 130.18.22.44
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] Talking to iPlanet server 130.18.22.44
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
extvpnasa5510#
[244] Session Start
[244] New request Session, context 0xd5713fe0, reqType = 1
[244] Fiber started
[244] Creating LDAP context with uri=ldaps://130.18.22.44:636
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] supportedLDAPVersion: value = 2
[244] supportedLDAPVersion: value = 3
[244] No Login DN configured for server 130.18.22.44
[244] Binding as administrator
[244] Performing Simple authentication for to 130.18.22.44
[244] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Talking to iPlanet server 130.18.22.44
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Processing LDAP response for user vpntest
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244]   sn: value = test user
[244]   givenName: value = vpn
[244]   uid: value = vpntest
[244]   cn: value = vpn test user
[244]   objectClass: value = top
[244]   objectClass: value = person
[244]   objectClass: value = organizationalPerson
[244]   objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End

Hi Larry,
You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
Let me know if further assistance is required!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards,

External Authentication with LDAP

Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups, websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help.Thanks in advance!

Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different.Also, has anyone done anything similar in visual basic? We have a shortage of v c++ skills around here.Thanks again!

Select list populated with ldap group membership attributes

Is it possible to query an LDAP group and retrieve all the members of the group?
For example, if I have an LDAP group with members' login name, I want to retrieve all login names and populate a select list so the end-user can choose a login name from the group.
Thanks, alan.

The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select-list is the listitems values, all your listitem-entries have the same value. therefore, of you select any entry, the list will always go the the first entry again.
Adjust your query.

Authenticating with LDAP

I am setting up a Solaris computer to authenticate with a LDAP DS on Red Hat (RHDS7.1). I have gotten to the point where I can type getent passwd and get the list of users, but I can't log into them. I got a bunch of information below. If you need more information, just ask
# getent passwd
sdoo:x:1700:500:sdoo:/home/sdoo:/bin/bash
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
# getent passwd sdoo
sdoo:x:1700:500:sdoo:/home/sdoo:/bin/bash
# su sdoo
bash-3.00$ su sdoo
Password:
su: Sorry
bash-3.00$ cat /etc/pam.conf
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
bash-3.00$ cat /etc/nsswitch.conf
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: ldap files
group: ldap files
shadow: ldap files
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: ldap files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
bash-3.00$
bash-3.00$
bash-3.00$
============I extracted these users from the LDAP server to show the parameters
# entry-id: 103
dn: uid=sdoo,ou=People, dc=rocaf,dc=aads
modifyTimestamp: 20070725171346Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
t
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
objectClass: account
gecos: sdoo
gidNumber: 500
givenName: scooby
sn: doo
loginShell: /bin/bash
uidNumber: 1700
uid: sdoo
cn: scooby doo
homeDirectory: /home/sdoo
userPassword: {SSHA}JMrO4wSMo2l2JKLQyhiaaYSfiJ6WIPy6QKn+uQ==
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20070725155427Z
nsUniqueId: 39fc2101-1dd211b2-80e7c451-f2770000
# entry-id: 81
dn: cn=proxyagent,ou=profile,dc=rocaf,dc=aads
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {SSHA}vAaM167uHBY9671CwK5Tgs4ijjI74HtwPvzv1Q==
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20070717125656Z
modifyTimestamp: 20070717125656Z
nsUniqueId: 2e747e93-1dd211b2-8087c451-f2770000
# entry-id: 92
dn: cn=default, ou=profile, dc=rocaf, dc=aads
modifyTimestamp: 20070725163437Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
t
objectClass: top
objectClass: DUAConfigProfile
profileTTL: 43200
bindTimeLimit: 10
credentialLevel: proxy
searchTimeLimit: 30
defaultSearchScope: one
defaultSearchBase: dc=rocaf,dc=aads
cn: default
authenticationMethod: tls:simple
defaultServerList: 172.20.12.61
creatorsName: cn=directory manager
createTimestamp: 20070723174648Z
nsUniqueId: 9f73d482-1dd111b2-8067c451-f2770000

Which type of authentican method are you using? None, Simple or SASL? I had a lot of problems, similar to yours, where I was able to "READ" the LDAP DB but unable to authenticate (telnet, ssh etc). The solution was to put the client to use SIMPLE as authentication method.

Associating roles with LDAP Groups

I see in a number of places where I can define roles using a "principal-name".
Can I use a realm group here as well as a single user? What I'm looking for is
a method where I can set up my roles in my web appps and ejbs and then on the
fly grant users rights by adding them to a group. Certainly seems possible but
I must be missing something.
Consider the following example (from the weblogic documentation) and let me know
if I can use realm groups for the section attributed to the weblogic.xml file.
(I marked it with ***).
<security-constraint> <web-resource-collection> <web-resource-name>SecureOrdersEast</web-resource-name>
<description> Security constraint for resources in the orders/east directory </description>
<url-pattern>/orders/east/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method>
</web-resource-collection> <auth-constraint> <description>constraint for east
coast sales</description> <role-name>east</role-name> <role-name>manager</role-name>
</auth-constraint> <user-data-constraint> <description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>
<security-role> <description>east coast sales</description> <role-name>east</role-name></security-role>
<security-role> <description>managers</description> <role-name>manager</role-name></security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment> <role-name>east</role-name> <principal-name>tom</principal-name>
<principal-name>jane</principal-name> <principal-name>javier</principal-name>
<principal-name>maria</principal-name> </security-role-assignment> <security-role-assignment>
<role-name> manager </role-name> <principal-name>peter</principal-name> <principal-name>georgia</principal-name></security-role-assignment>

See my answer to your question:
Simple (dumb) role/group question
Yong
"Ilango Maragathavannan" <[email protected]> wrote:
>
I see in a number of places where I can define roles using a "principal-name".
Can I use a realm group here as well as a single user? What I'm looking
for is
a method where I can set up my roles in my web appps and ejbs and then
on the
fly grant users rights by adding them to a group. Certainly seems possible
but
I must be missing something.
Consider the following example (from the weblogic documentation) and
let me know
if I can use realm groups for the section attributed to the weblogic.xml
file.
(I marked it with ***).
<security-constraint> <web-resource-collection> <web-resource-name>SecureOrdersEast</web-resource-name>
<description> Security constraint for resources in the orders/east directory
</description>
<url-pattern>/orders/east/*</url-pattern> <http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection> <auth-constraint> <description>constraint
for east
coast sales</description> <role-name>east</role-name> <role-name>manager</role-name>
</auth-constraint> <user-data-constraint> <description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee> </user-data-constraint>
</security-constraint>
<security-role> <description>east coast sales</description> <role-name>east</role-name></security-role>
<security-role> <description>managers</description> <role-name>manager</role-name></security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment> <role-name>east</role-name> <principal-name>tom</principal-name>
<principal-name>jane</principal-name> <principal-name>javier</principal-name>
<principal-name>maria</principal-name> </security-role-assignment> <security-role-assignment>
<role-name> manager </role-name> <principal-name>peter</principal-name>
<principal-name>georgia</principal-name></security-role-assignment>

Problem using a group which has a space in it's DN when using LDAP Group mappings in UCS 1.4

Hey,
We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
Using a DN without spaces (such as "UCSAdmins"), works just fine.
I should mention that having a base DN with spaces works just fine as well, it's just the group mappings that doesn't work.
I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
Is there a workaround available which can make it possible using a group which has a space in it's name?
Thanks,
Dor

Hey Roman,
Thanks for your prompt reply.
We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
Thanks again,
Dor

NAC integration with LDAP

Is possible this integration?. The idea is that the agent will do authentication with LDAP directly

Hi Anoop,
To adapt an SAP Workflow, you can create a configuration. In this configuration you can redefine values for steps of the workflow definition. These values are evaluated at runtime instead of the values originally defined.
You can configure the following step types:
Activity
User decision
Document from template
Wait
Moreover,Features
You can set the following data individually in the step definition of the configurable step types:
1)Responsible agents
2)Excluded agents
3)Message recipient for completion
4)Priority
5)Requested start
6)Indicator denoting whether the step is included in the    workflow log
7)Activation of a latest end, a latest start, or a requested end with the reaction Send mail
This URL privides info about various workflow codes http://help.sap.com/erp2005_ehp_02/helpdata/en/9b/572614f6ca11d1952e0000e82dec10/content.htm
Regds,
Krutarth
·        Reference date/time for latest end, latest start, and requested end
·        Message recipient for missed deadline
·        Information about the work item display

Authentication ACS LDAP PEAP ?

Hello
Could you tell me if its possible to do 802.1X authentication with LDAP server using PEAP MS-CHAP v2 (Machine autentication) ?
in fact, with Windows external database, its work fine.
We use only machine authentication with vlan assignement over PEAP.
Another think, we wan't to use Mac authentication Bypass for printers or other laptop... but we wonder if it could be work with an external Windows database or LDAP ?
Thanks for your help

No this isnt possible as LDAP servers do not support MSCHAP v1 or v2.
You'd need something that can carry a plain text password inside the EAP tunnel - like EAP-GTC

VPN with RSA and LDAP Groups

I'm tryin to rebuild our VPN environment with a pair of 5520. WE're going to use Anyconnect mobility exclusively with SSL. No IPSec and no SSL Webvpn.
We have a large number of contractors using the VPN to access specific internal resources so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor so I want to assign the group policy through LDAP group memebership. However, primary authentication will be via RSA 2 factor.
How do I get the ASA to check group membership and hense assign the right group when primary authentication is through RSA?
Thanks for any help.

yes you can do the Authentication to an RSA server and the Authorization to the LDAP server.
Please configure LDAP as an authorization server.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Do let me know how it goes.
~BR
Jatin Katyal
**Do rate helpful posts**

Problem with LDAP authentication for users in a group

I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
ldap-base-dn DC=COMPANY,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
server-type microsoft
ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
wins-server none
dns-server value 10.10.100.102
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value net.COMPANY.com
webvpn
anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
address-pool COMPANY-SSL-VPN-POOL
authentication-server-group LDAP
authorization-server-group LDAP
authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
ikev1 pre-shared-key *****

I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

ASA VPN with LDAP authentication

We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules makes this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
The things we don't like about using RADIUS is the idea that IAS has to be configured as a middleman service, and sometimes IAS does not always successfully start after a system reboot (we are not sure why).
We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?

Hi,
I believe that second option you've mentioned will work for you. Why? using that if you map single AD group to right cisco policy. then this will work the way you want; where absence means deny to other users.
Here is con fig example you may try:
Configuration for restricting access to a particular windows group on AD/LDAP
group-policy noaccess internal
group-policy noaccess attributes
vpn-simultaneous-logins 0
address-pools none
ldap attribute-map LDAP-MAP
map-name memberOf IETF-Radius-Class
map-value memberOf
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
server-port 389
ldap-base-dn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn
ldap-login-password
server-type microsoft
ldap-attribute-map LDAP-MAP
group-policy internal
group-policy attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec l2tp-ipsec ...
address-pools value
tunnel-group type remote-access
tunnel-group general-attributes
authentication-server-group LDAP-AD
default-group-policy noaccess
HTH
JK
-Plz rate helpful posts-

Issue with LDAP login authentication in CMC console

We have a existing issues with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC Console.
We use websphere as the application server and it is installed on the same machine (Solaris) as BOE.
We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
Both environment have configured LDAP over SSL and we can login to BOE Infoview Reports with LDAP and we can map groups and users if we login to CMC but we can not login to CMC with secLDAP.
The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
Any ideas are much appreciated
Thankyou

The CMC in XIR2 used com components for the SSL (rather than java like infoview) and I'm betting the WAS deployment is not finding them. Is WAS on a seperate server or is BOE installed there as well?
I'm not familiar with any regular fixes for an issue like this. If no other replies I'd recommend opening a case with either deployment(WAS on "nix") or authentication(WAS on windows) to see if they can trace down the problem.
Regards,
Tim

ISE Authentication Policy for RSA Securid and LDAP for VPN

We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employee's utilize RSA securid for authentication while the customers use Window authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the rsa portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
Here is my question:
Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users. I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment. With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues. Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl.
Thanks,
Joe

That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks.

RSA authentication with LDAP group mapping

Similar Messages

Maybe you are looking for