Active Directory/LDAP for VPN Authentication
Below is a short sequence describing the steps an ASA takes when authenticating VPN users.
- First, the user initiates a connection to the ASA.
- The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server.
- The ASA connects to the LDAP server with the credentials configured on the ASA (ASAusername in this case) and searches for the username the user provided. The ASAusername account must have sufficient rights to search (list) the contents of Active Directory.
- If the username is found, the ASA binds a second time, as the DN returned by the search, with the password the user provided at login.
- If the second bind is successful, authentication succeeds and the ASA processes the attributes of the user.
For step two, we need to configure the account the ASA itself uses to authenticate to the Microsoft Active Directory/LDAP server.
ASA Configuration
In global configuration mode:
ldap attribute-map AD-VPN-GROUP
map-name memberOf IETF-Radius-Class*
map-value memberOf "CN=example-group-containing-the-ldap-login-dn username,OU=Security Groups, " VPNName
aaa-server example protocol ldap
aaa-server example (Inside) host 172.16.0.1
ldap-base-dn dc=example,dc=com,dc=au
ldap-scope subtree
ldap-naming-attribute SAMAccountName
ldap-login-password *****
ldap-login-dn ASAusername@example.com.au
ldap-attribute-map AD-VPN-GROUP
* IETF-Radius-Class (Group_Policy in ASA version 8.2 and later) sets the group policy based on the directory department or user group attribute value (for example, the Microsoft Active Directory memberOf attribute). The group policy attribute replaced the IETF-Radius-Class attribute in ASDM version 6.2/ASA version 8.2 and later.
Finally, apply it to the VPN tunnel-group. Note that the server-group commands take the aaa-server group tag (example above), not the attribute-map name; the attribute map is already tied to that server group by the ldap-attribute-map line:
tunnel-group example type remote-access
tunnel-group example general-attributes
authentication-server-group example
authorization-server-group example
Confirming Changes
You can use 'debug ldap 255' (any level from 0 to 255 works) to output the information the ASA sends and receives, then issue the test aaa-server command.
Output from ‘debug ldap’ with everything working
HomeASA# test aaa-server authentication example host 172.16.0.1 username ASAusername password LDAPpassword
INFO: Attempting Authentication test to IP address <172.16.19.1> (timeout: 12 seconds)
INFO: Authentication Successful
Let's take a more detailed look using debug ldap 255.
INFO: Attempting Authentication test to IP address <172.16.0.1> (timeout: 12 seconds)
[9228] Session Start
[9228] New request Session, context 0xcb3fe840, reqType = Authentication
[9228] Fiber started
[9228] Creating LDAP context with uri=ldap://172.16.0.1:389
[9228] Connect to LDAP server: ldap://172.16.0.1:389, status = Successful
[9228] supportedLDAPVersion: value = 3
[9228] supportedLDAPVersion: value = 2
[9228] Binding as ASAusername@example.com.au
[9228] Performing Simple authentication for exampleusername@example.com.au to 172.16.19.1
[9228] LDAP Search:
Base DN = [dc=example,dc=com,dc=au] Filter = [SAMAccountName=exampleusername] Scope = [SUBTREE]
[9228] User DN = [CN=Active Directory User Group,CN=Users,DC=example,DC=com,DC=au]
[9228] Talking to Active Directory server 172.16.0.1
[9228] Reading password policy for ASAusername, dn:CN=Active Directory User Group,CN=Users,DC=example,DC=com,DC=au
[9228] Read bad password count 0
[9228] Binding as ASAusername
[9228] Performing Simple authentication for ASAusername to 172.16.0.1
[9228] Processing LDAP response for user ASAusername
[9228] Message (exampleusername):
[9228] Authentication successful for ASAusername to 172.16.0.1
[9228] Retrieved User Attributes:
[9228] objectClass: value = top
[9228] objectClass: value = person
[9228] objectClass: value = organizationalPerson
[9228] objectClass: value = user
[9228] cn: value = Active Directory User Group
[9228] distinguishedName: value = CN=Active Directory User Group,CN=Users,DC=example,DC=com,DC=au
[9228] instanceType: value = 4
[9228] whenCreated: value = 20141023031250.0Z
[9228] whenChanged: value = 20141030214258.0Z
[9228] displayName: value = Active Directory User Group
[9228] uSNCreated: value = 6548494
[9228] uSNChanged: value = 6621658
[9228] name: value = Active Directory User Group
[9228] objectGUID: value = …..ZvK……t.
[9228] userAccountControl: value = 66048
[9228] badPwdCount: value = 0
[9228] codePage: value = 0
[9228] countryCode: value = 0
[9228] badPasswordTime: value = 0
[9228] lastLogoff: value = 0
[9228] lastLogon: value = 0
[9228] pwdLastSet: value = 130591229034905000
[9228] primaryGroupID: value = 513
[9228] objectSid: value = …………”~G.A…..)_….
[9228] accountExpires: value = 9223372036854775807
[9228] logonCount: value = 0
[9228] sAMAccountName: value = ASAusername
[9228] sAMAccountType: value = 805306368
[9228] userPrincipalName: value = ASAusername@example.com.au
[9228] lockoutTime: value = 0
[9228] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com,DC=au
[9228] dSCorePropagationData: value = 16010101000000.0Z
[9228] lastLogonTimestamp: value = 130591789638914025
[9228] Fiber exit Tx=589 bytes Rx=2686 bytes, status=1
[9228] Session End
INFO: Authentication Successful
Issues that can arise
If the ldap-login-dn does not include the domain suffix (the base-dn FQDN), authentication fails with the following error:
Without debug ldap 255
HomeASA(config-aaa-server-host)# test aaa-server authentication example host 172.16.0.1 username ASAusername password ******
INFO: Attempting Authentication test to IP address <172.16.0.1> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed
The above is the most ambiguous error message known to man. It occurs when the ldap-login-dn is given as just ASAusername, without the @example.com.au suffix: the ASA's own bind is rejected before the user is ever looked up.
With debug ldap 255
HomeASA(config)# test aaa-server authentication example host 172.16.0.1 username ASAusername password ******
[9109] Session Start
INFO: Attempting Authentication test to IP address <172.16.0.1> (timeout: 12 seconds)
[9109] New request Session, context 0xcb3fe840, reqType = Authentication
[9109] Fiber started
[9109] Creating LDAP context with uri=ldap://172.16.0.1:389
[9109] Connect to LDAP server: ldap://172.16.0.1:389, status = Successful
[9109] supportedLDAPVersion: value = 3
[9109] supportedLDAPVersion: value = 2
[9109] LDAP server 172.16.0.1 is Active directory
[9109] Binding as ASAusername
[9109] Performing Simple authentication for ASAusername to 172.16.0.1
[9109] Simple authentication for ASAusername returned code (49) Invalid credentials
[9109] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[9109] Fiber exit Tx=176 bytes Rx=662 bytes, status=-2
[9109] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
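As an added example (not part of the original post), a small Python helper that reads a 'debug ldap 255' session and reports which of the two binds failed, the detail the "AAA Server has been removed" message hides. The sample sessions are constructed from the output shown above; treating a search with no "User DN" line as "user not found" is an assumption about the debug format.

```python
import re

# Constructed samples modelled on the "debug ldap 255" sessions shown above,
# trimmed to the lines the triage logic looks at.
FAILED_SESSION = """\
[9109] Connect to LDAP server: ldap://172.16.0.1:389, status = Successful
[9109] Binding as ASAusername
[9109] Simple authentication for ASAusername returned code (49) Invalid credentials
[9109] Failed to bind as administrator returned code (-1) Can't contact LDAP server
"""
GOOD_SESSION = """\
[9228] Connect to LDAP server: ldap://172.16.0.1:389, status = Successful
[9228] Binding as ASAusername@example.com.au
[9228] LDAP Search:
[9228] User DN = [CN=Active Directory User Group,CN=Users,DC=example,DC=com,DC=au]
[9228] Binding as ASAusername
[9228] Authentication successful for ASAusername to 172.16.0.1
"""

FAIL_RE = re.compile(r"Simple authentication for (\S+) returned code \((-?\d+)\) (.*)")

def triage(debug_text):
    """Return (stage, detail) for one session; stage is connect, login-dn bind,
    search, user bind, ok or unknown. The first 'Binding as' is the ASA's own
    ldap-login-dn account, the second is the user the search found."""
    binds, searched, user_dn = [], False, None
    for line in debug_text.splitlines():
        msg = line.split("] ", 1)[-1]               # drop the "[9109] " prefix
        if msg.startswith("Connect to LDAP server") and "status = Successful" not in msg:
            return ("connect", msg)
        if msg.startswith("Binding as "):
            binds.append(msg.split()[2])
        if msg.startswith("LDAP Search:"):
            searched = True
        if msg.startswith("User DN = ["):
            user_dn = msg[len("User DN = ["):].rstrip("]")
        if m := FAIL_RE.search(msg):
            who, code, reason = m.groups()
            if len(binds) == 1:                     # the service-account bind was rejected
                return ("login-dn bind", f"{who}: ({code}) {reason}; check ldap-login-dn "
                        "(UPN or full DN) and ldap-login-password")
            return ("user bind", f"{who}: ({code}) {reason}; the user's password was rejected")
        if msg.startswith("Authentication successful for"):
            return ("ok", user_dn)
    # Assumption about the debug format: a search with no "User DN" line means
    # no entry for the user exists under ldap-base-dn.
    if searched and user_dn is None:
        return ("search", "no entry for the user under ldap-base-dn")
    return ("unknown", "session ended without a verdict")
```

Paste a whole session into triage() and the stage tells you whether to fix the ldap-login-dn/ldap-login-password pair, the ldap-base-dn, or the user's own credentials.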
Further reading:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html