VPN with RSA and LDAP Groups

I'm trying to rebuild our VPN environment with a pair of 5520s. We're going to use AnyConnect mobility exclusively with SSL. No IPSec and no SSL WebVPN.
We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor, assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA two-factor.
How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
Thanks for any help.

Yes, you can do the authentication to an RSA server and the authorization to the LDAP server.
Please configure LDAP as an authorization server.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Do let me know how it goes.
~BR
Jatin Katyal
**Do rate helpful posts**
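Putting the answer into concrete form: the following is an added ASA configuration sketch, not from the thread or from Cisco's documentation, showing RSA SecurID as the authentication server and LDAP as the authorization server with an attribute map that turns each contractor's AD group into its own group policy and address pool. The server addresses, domain, group DNs, pool ranges, ACL names and the bind account are assumed example values. A NOACCESS fallback policy denies anyone who passes the token check but is in no mapped group.

```cisco
! --- Assumed values (not from the thread) ---
! RSA Authentication Manager: 10.0.0.10 (reachable via inside)
! Domain controller (LDAPS):  10.0.0.20, base DN DC=example,DC=com

! 1. One address pool per contractor so internal filtering can key on source.
ip local pool POOL_CONTRACTOR_A 10.200.1.1-10.200.1.254 mask 255.255.255.0
ip local pool POOL_CONTRACTOR_B 10.200.2.1-10.200.2.254 mask 255.255.255.0

! 2. Per-contractor filters: client pool (source) to the one system each may reach.
access-list ACL_CONTRACTOR_A extended permit ip 10.200.1.0 255.255.255.0 host 10.50.1.10
access-list ACL_CONTRACTOR_B extended permit ip 10.200.2.0 255.255.255.0 host 10.50.2.10

! 3. Primary authentication: RSA SecurID over the SDI protocol.
aaa-server RSA_AUTH protocol sdi
aaa-server RSA_AUTH (inside) host 10.0.0.10
 retry-interval 5

! 4. Authorization only: LDAP. The ASA binds with a read-only service account,
!    reads the user's memberOf values and maps them to a group policy.
!    No password is checked here; that already happened against RSA.
ldap attribute-map CONTRACTOR_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Contractor-A,OU=Groups,DC=example,DC=com" GP_CONTRACTOR_A
 map-value memberOf "CN=VPN-Contractor-B,OU=Groups,DC=example,DC=com" GP_CONTRACTOR_B

aaa-server AD_AUTHZ protocol ldap
aaa-server AD_AUTHZ (inside) host 10.0.0.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map CONTRACTOR_MAP

! 5. Group policies. NOACCESS is the default for anyone not in a mapped group:
!    zero simultaneous logins means the session is rejected.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_CONTRACTOR_A internal
group-policy GP_CONTRACTOR_A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_CONTRACTOR_A
 vpn-filter value ACL_CONTRACTOR_A

group-policy GP_CONTRACTOR_B internal
group-policy GP_CONTRACTOR_B attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_CONTRACTOR_B
 vpn-filter value ACL_CONTRACTOR_B

! 6. A single tunnel group (one URL) for all contractors: RSA authenticates,
!    LDAP authorizes and selects the group policy.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group RSA_AUTH
 authorization-server-group AD_AUTHZ
 authorization-required
 default-group-policy NOACCESS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias contractors enable
```

Before relying on it, check the mapping from the ASA itself with `test aaa-server authorization AD_AUTHZ host 10.0.0.20 username <someuser>` and, if the wrong policy is chosen, `debug ldap 255` shows the memberOf values returned and which map-value matched. Two practical caveats: the ASA applies the first memberOf value that has a map-value entry, and the directory does not guarantee the order of those values, so keep the contractor groups mutually exclusive; and `authorization-required` plus the NOACCESS default is what turns "no group matched" into a denied login rather than a session in the tunnel group's default policy.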

Similar Messages

  • Problem with ADS and LDAP

    Problem with ADS and LDAP
    I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
    After connecting via LDAP I can't get any objects (users or groups etc.).
    I try connect to ADS by java ( JNDI ).
    When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
    the same problem - no objects.
    Can anybody help me?
    Grzegorz Pszona
    my e-mail: [email protected]

    Thanks a lot.
    Softerra's browser is really good.
    Thanks
    Rashmi
    "Anant Kadiyala" <[email protected]> wrote:
    >
    I used Softerra's LDAP browser. The browser is free. There is also a Java-based LDAP browser from Univ of Michigan. I found the Softerra browser to be easier to use.
    -anant
    "rashmi" <[email protected]> wrote:
    Hi,
    Can you please let me know which exact ADS tool you used to examine the DN. I have Active Directory Users and Computers, Sites and Services and Domain and Trusts installed on my machine but I am not able to figure out how to get the DN?
    Thanks
    Rashmi
    for Stephen Davies <[email protected]> wrote:
    Grzegorz,
    I have had WLS6.1 & ADS working ok using LDAP V2. Mind you, it did take a fair bit of messing around to get it going. MS does have a few oddities,
    for example the Administrators DN might look something like this:
    cn=Administrator,cn=Users,dc=eglobal,dc=net
    One tool that I found invaluable came with the additional support tools
    for Windows 2000. The 'Active Directory Administration Tool' made it
    easy to list the directory contents and examine the DNs.
    Regards,
    Steve
    Stephen Davies
    Principal Consultant
    eGlobal Services Pty. Ltd.
    Sydney, Australia
    Ph. +61 2 9283 1033
    http://www.eglobal.net/

  • VPN Login first with RSA and then AD?

    I've run in to a situation I hadn't considered when we stood up our RSA 2-factor authentication for VPN. We use AnyConnect clients to hit our Cisco VPN concentrators which then passes off authentication responsibilities to ISE and ISE knows which Identity Store to use based on where the authentication request is coming from and what group(s) a person belongs to.   
    We now have a service provider that will reach right in to a product they manage for us when we call and say there is a problem. However, the tech/engineer assigned to the issue could be one of many from their pool of available resources. The service provider only wants 1 token which will be "locked up" and the PIN "locked up" separately as well so when we report a problem they can connect and resolve it.
    I won't issue a single token to them because they are associated with AD accounts but I could create a generic account local to RSA they could authenticate against if they could then auth with their AD creds before connecting.
    So my question is has anyone done this? Is it possible to have AnyConnect ask for SecurID authentication and then come back with a prompt for AD authentication?
    Thanks

    Hi Darren,
    should be no problem, using double authentication:
    aaa-server myLDAP protocol ldap
    aaa-server myRSA protocol sdi
    tunnel-group foo general-attributes
    authentication-server-group myRSA
    secondary-authentication-server-group myLDAP [use-primary-username]
    This will prompt for 2 usernames & 2 passwords, unless you add "use-primary-username" but I guess in your case you do need 2 different usernames.
    hth
    Herbert

  • WLC and LDAP Groups

    Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication.  I have this url that explains local authentication and LDAP...  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml .  That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC.  Any ideas?

    You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
    If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authentication). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from the user's requirements.
    The user is not only limited to Microsoft RADIUS (IAS or NPS). Any radius server that supports AD group mapping can be used. With Cisco ACS, for example, this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is, then openRadius can also be used.

  • DataLoad into Write-optimized DSO with DTP and semantic groups

    Hi gurus,
    I'm going crazy with my current problem.
    I searched in the other posts on this topic, but I did not find a solution.
    Here is my situation:
    I created a w-o-DSO with semantic key (0ucinstalla, 0calmonth, zbelnum, 0unit) and three key figures.
    Now I'm loading data from several cubes into the DSO. (I need the historical data.)
    In every transformation, I implemented an expert routine which collects the data into the result_package.
    In the routine, I even clear the record number before collecting the result_rows.
    In the DTPs, I'm using a semantic group for 0ucinstalla in order to select all rows for one 0ucinstalla into one data package.
    Each DTP has to run one time in full mode.
    But when I schedule the third DTP, I get the message: "duplicate record"
    I checked the active data in the DSO. There was no record with that semantic key.
    I found a record with the same 0ucinstalla for a different month - in my opinion, that's no duplicate record...
    Is there a dependence between the semantic key in the DSO and the semantic group in the DTP?
    How can I solve this error?
    Regards,
    Philipp

    Hi,
    thx for your fast replies!!
    @ Passing by:
    I know the option "Do not check uniqueness of data".
    No duplicates arrive at the DSO, and I would like to keep using the uniqueness check in the future, in case duplicate records really do arrive.
    @ Durgesh Gandewar: thx for the hint, but i also checked this website...
    Regards,
    Philipp

  • No luck with RSA and existing cert

    I want to encrypt data in my software, data which will be sent to me by the user, in such a way that only I can decrypt it. This seems to call for asymmetric encryption (only the public key would be embedded in the software), so I am trying to use RSA.
    Specifically I am trying to encrypt and decrypt data using the key pairs found in a cert that we bought from a cert authority. The cert says that key is a "Sun RSA public key, 1024 bits". In the following test, I encrypt using the cert's public key and decrypt using the same, for want of a method to return the private key but the results are the same if I initialize the cipher for decryption with the cert itself (which presumably contains the private key).
            Key key = cert.getPublicKey();
            Cipher cipher = Cipher.getInstance("RSA");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] enc = cipher.doFinal(test.getBytes());
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] dec = cipher.doFinal(enc);
    but at the decryption stage I get the following error:
            Exception in thread "main" javax.crypto.BadPaddingException: Data must start with zero.
    which I don't know what to make of. It seems to me that I am following the (rather scant) instructions to the letter. If I specify "RSA/ECB/NoPadding" as the transformation I don't get the above error but the roundtrip fails to recreate the original string.
    Furthermore, as I said before, I wanted to use public key encryption because I must include the encryption key in the software and I do not want it to be sufficient to decrypt the cipher. I was hoping that with RSA you'd encrypt using the public key but that you'd need either the secret key or the whole cert to decrypt. However the Javadocs do not say so explicitly and I am left unsure as to how this works exactly. Can anyone shed some light?

    I agree, the documentation is inadequate. Have you also looked at the JCE reference (http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html)? This expands a lot on the javadocs for the classes. It might also help to learn more about cryptography; one book that others recommend is "Practical Cryptography" by Ferguson and Schneier.
    I think the one key misunderstanding you have is what is in a certificate. A certificate contains only the public key, some information about the identity of the owner of the private key, and a digital signature over this public key and identifying information. The private key is not in the certificate! Nor should it be. If it were, it would no longer be private and the security of the system would fall apart.
    The location of the private key depends entirely on the application that created the key pair. Java's keytool, for example, stores the private key in a password protected file.
    The error you are seeing makes sense once you understand that , for an RSA cipher, the type of key, public or private, as well as the mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE, determine the interpretation of the subsequent update or doFinal method calls.
    Thus in your example, your first call to cipher.doFinal gives the RSA encryption of the data, which is what you wanted. Your second, however, attempts to decrypt this encrypted data with the public key, which makes no sense in this context. It checks to see if the result has the proper padding, which it does not. If you tell it to assume no padding, you won't get an exception but the result still won't make any sense. You need to init the cipher with the private key for the second part.

  • Adding phones and users with bat and LDAP sync

    What are the various ways of importing users with phones when the Communications Manager 9.0 is sync'd with LDAP.  Also, what method is the easiest and fastest?
    For example, I could do the following steps:
    Sync CUCM with LDAP to import new users, add phones using bat files, manually update users to associate devices etc
    I believe I should also be able to do the above method and use a bat file to update the users to associate devices etc.  This method still involves 2 steps and the creation of 2 separate bat files.
    In CUCM version 9 it is possible to have local and LDAP users, so is it possible to add the phones and users using the phones/users tab of the bat file and have them become LDAP users?
    Thank you,
    Danny

    #1 Remove this embedded CSS code from your HTML document(s).  You don't need it.
    body {
        background-color: #CCC;
    }
    body,td,th {
        color: #FFF;
        font-size: 14px;
    }
    #2 Open  PW.css file and add this to the top:
    body {
    font-family: Arial, Helvetica, sans-serif;
    font-size: 14px;
    background-color: #CADFEB;
    /**or insert a background-image using the CSS editor**/
    }
    #3 Remove font-family and font-size from all your other CSS selectors.  You don't need to duplicate styles on every element. 
    #4 Replace this:
    #content {
        position:absolute;
        left:199px;
        top:10px;
        width:860px;
        z-index:1;
        right: auto;
        background-color: #FFF;
        text-align: center;
        color: #000;
        height: auto;
    }
    with this:
    #content {
         width:860px;
         margin: 20px auto;
         border: 4px solid silver;
         background-color: #FFF;
         text-align: center;
         color: #000;
         -moz-box-shadow: 5px 5px 5px #888;
         -webkit-box-shadow: 5px 5px 5px #888;
         box-shadow: 5px 5px 5px #888;
    }
    #5 Save your PW.css file and upload to server.
    Nancy O.
    Alt-Web Design & Publishing
    Web | Graphics | Print | Media  Specialists 
    http://alt-web.com/
    http://twitter.com/altweb

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to get the Android devices running. For this reason I haven't done this yet.
    I followed these steps:
    1-Create a new tenant
    2-Configure LDAP integration
    3-Create an inventory policy with authentication required
    4-Create a static group associated to the inventory policy
    5-Create an enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then shows the message "user or password incorrect".
    I have seen the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.

  • Issue with NSCD and LDAP

    Hi folks,
    I have a working LDAP configuration on my Arch system as a client after following these directions.
    https://wiki.archlinux.org/index.php/LD … ient_Setup
    Generally speaking, everything works. However, I've noticed that if my system is idle for a while (say, overnight) I am unable to connect to the LDAP server for authentication unless I restart nslcd. I'm guessing it's something with my network. As a stop-gap solution, I tried enabling NSCD (as suggested by the Wiki page above) to do caching so I could still log in even if I cannot access the LDAP server.
    NSCD starts; however, I seem to be getting several errors on startup
    # systemctl status nscd
    cannot stat() file `/etc/netgroup': No such file or directory
    cannot create /var/db/nscd/passwd; no persistent database used
    cannot create /var/db/nscd/group; no persistent database used
    cannot create /var/db/nscd/hosts; no persistent database used
    cannot create /var/db/nscd/services; no persistent database used
    cannot create /var/db/nscd/netgroup; no persistent database used
    For the first error, it sounds like I need to add a netgroup file (I'll look that up). For the others, my *guess* is that it's a permission issue with nscd running as a user  without permission to write to /var/db; however, I checked my nscd.conf file (unmodified) and there's no server-user directive--according to the man page, this means the server should be running as root.
    Google searches for these errors turned up very old bugs; wondering if anyone else has run into this and if I've missed something in configuring nscd. The Wiki doesn't seem to have an entry for it that I was able to turn up via the search.
    Thanks,
    Brian

    I have been considering using nscd in this way but haven't had time to test it.  The part that is confusing me is how an LDAP user would be able to login at all if the server is not available:
    man 8 nscd wrote:
    Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
    There  are two caches for each database: a positive one for items found, and a negative one for items not found.  Each cache has a separate TTL (time-to-live) period for its data.
    Note that the shadow file is specifically not cached.  getspnam(3) calls remain uncached as a result.
    I don't see how a user could login without their password being cached locally, which it isn't by design.  So, they can't authenticate.

  • Mac Lion can't connect to Cisco VPN with RSA authentication

    Hello,
    We have a problem with a manager who has upgraded his Mac to the latest Lion OS (64 bit). Before upgrading he could connect without any problem with his Mac to our network and work on the terminal server. Since the upgrade he's not able to get it working in 64 bit (normal) mode.
    This our setup
    Cisco  PIX 515
    RSA Cisco PIX Security Appliance.
    Does anybody have any advice to get this setup working.
    regards

    Hi Raymond,
    We have encountered the same issue with one of our sales directors: the upgrade to Mac OS X Lion breaks the VPN IPsec connection. We have tried various types of tuning with no success.
    Finally, as a workaround, we have installed the AnyConnect client and it works fine now.
    Vincent

  • L2L VPN with source and destination NAT

    Hello,
    I am new to the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration, which I am not able to test until tomorrow during the migration:
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    Question is if I should also create the following for the outside-to-inside flow NAT, or whether the NAT is done by the inside-to-outside statement even if the traffic is always initiated from the outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please kindly double check and use a free IP address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
    Hope that helps.
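As an added example (not the poster's or the replier's configuration), here is how the two flows in the question collapse into a single twice-NAT rule on ASA 8.4. It uses the addresses from the question and assumes the interfaces are named outside and inside. The point it shows: a static twice-NAT rule is bidirectional, so a separate outside-to-inside rule is not needed, and because the rule only matches when the other end is 198.1.1.1, the server keeps its real address for every other tunnel.

```cisco
! Addresses are the ones given in the question; interface names are assumed.
object network CUST_REAL
 host 198.1.1.1
object network CUST_MAPPED
 host 10.110.110.1
object network SRV_REAL
 host 10.120.110.1
object network SRV_MAPPED
 host 192.168.1.1

! One twice-NAT rule, written from the outside interface's perspective
! (syntax: source static <real> <mapped> destination static <mapped> <real>):
!   inbound : src 198.1.1.1 -> 10.110.110.1, dst 192.168.1.1 -> 10.120.110.1
!   return  : the reverse, automatically, because static twice NAT is bidirectional
! Traffic between 10.120.110.1 and any other peer is not touched by this rule.
nat (outside,inside) source static CUST_REAL CUST_MAPPED destination static SRV_MAPPED SRV_REAL

! The crypto ACL for this tunnel must match the addresses as they appear on the
! wire towards the customer (post-NAT on the way out, pre-NAT on the way in).
access-list L2L_CUSTOMER extended permit ip host 192.168.1.1 host 198.1.1.1
```

Verify both directions before the migration with packet-tracer, which walks the NAT and VPN phases and shows the translated addresses: `packet-tracer input outside tcp 198.1.1.1 12345 192.168.1.1 443` for the customer-initiated flow, and `packet-tracer input inside tcp 10.120.110.1 443 10.110.110.1 12345` for the return path. `show nat detail` confirms the rule is in the manual section and shows hit counts once traffic flows.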

  • Trouble with ACIs and dynamic groups

    Hi!
    Does Dirctory Server stop searching for subgroups after evaluating a dynamic group?
    Example:
    A User "uid=A,o=company" is member of a dynamic group "cn=dyn,o=company" via memberURL: "ldap:///o=company??sub?(uid=A)".
    The dynamic group "cn=dyn,o=company" is member of a static group "cn=stat,o=company" via uniquemember: "cn=dyn,o=company".
    If I grant any permission using an ACI with (groupdn = "ldap:///cn=stat,o=company") user A gets that permission.
    BUT
    A User "uid=B,o=company" is member of a static group "cn=static,o=company" via uniquemember: "uid=B,o=company".
    The static group "cn=static,o=company" is member of a dynamic group "cn=dynamic,o=company" via memberURL: "ldap:///o=company??sub?(cn=static)".
    If I grant any permission using an ACI with (groupdn = "ldap:///cn=dynamic,o=company") user B does not get the permission.
    Has anyone any suggestions?

  • Site to Site VPN with rsa-sig

    Hello
    I can't understand why I have to attach the trustpoint to the crypto map - like this
    ASA(config)# crypto map <MAP> <10> set trustpoint <CA>
    I mean on IOS it works fine without this configuration - so if this is a security issue, then we should NOT use the RSA signature authentication on IOS. If it is secure without this command, then why is it here and why do I have to use it (without it I was not able to establish an IPsec tunnel between 2 ASAs)?
    So what does this command do and why do we need it only on ASA?
    Thanks

    Dmytro,
    To begin with, the ASA and the Router are two different devices, so you cannot expect the same behavior from both.
    On the other hand, please check this out:
    crypto map set trustpoint
    To specify the trustpoint that identifies the certificate to send for authentication during Phase 1 negotiations for the crypto map entry, use the crypto map set trustpoint command in global configuration mode.
    This crypto map command is valid only for initiating a connection.
    So it has to be in your configuration.
    HTH.
    Portu.

  • VPN with Mac and PC

    Hello,
    I have a problem with my VPN (L2TP-IPsec). I'm using my Airport Extreme as a router. Behind the router works my VPN server (OS X 10.5.4). When I am trying to connect to my VPN from outside with my MacBook everything works fine. But when I am trying to connect from a PC (Vista or XP) I am not able to log in. All I get is ERROR 809 (The remote computer did not answer...). I think that it must be a problem with the Airport Extreme, but IP forwarding is set up as it has to be.
    Has anyone a good idea?
    Greetings from Germany
    Rolf

    You are not doing anything wrong - had the same problem yesterday. The issue is a NAT traversal bug in Windows XP-SP2 and Vista
    For info on the problem and the registry fix !!! needed to get this to work, see the following:
    http://support.microsoft.com/kb/885407
    I have not had time to do this yet, as I am setting up a remote computer for a client that I can't access all the time.
    While I was googling I also discovered that VPN L2TP with IPSec takes 100 mouse clicks in XP, only 23 in Vista, and only 8 or so in Leopard - you have to laugh.

  • Setting up a PIX-PIX VPN with Dynamic and Static IP's

    Hey everyone..
    I'm currently working to deploy two PIX-506E devices, at a remote site and at my home.
    I want to be able to connect these together and eventually create a spoke and hub method of deployment to keep several of the places I manage separate but accessible.
    The only problem is almost every example I've seen has two static WAN IPs. I cannot have a static WAN at my home, but it will be available for every remote.
    How could I go about this? Any articles you can shoot my way and modify so it would work will help me.
    Thank you.
    Michael Jankowski
    Computer Systems Consultant

    Hi
    In addition to what has been said.
    If you are looking to set up site-to-site VPNs and you don't have a static IP at your home you can use dynamic crypto maps, which allow you to use dynamic IP addressing. You can mix and match, so you can use a fixed IP for your remote site and a dynamic IP at home. Attached is a link which explains dynamic crypto maps:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
    HTH
