ASA and LDAP

Packetpros, http://packetpros.com/?p=628, Thu, 08 Dec 2016 12:29:09 +0000. Copyright packetpros.com.

I seem to be working on a lot of ASA’s and Sourcefire lately and I always end up connecting to AD for authentication of some sort. I thought I should document what I do and why.

  1. If I want to authenticate VPN users, I create an AAA group specifically for that.
  2. If I want to authenticate administrative sessions, I create a separate group for that as well. Why? Read on.

Let’s start out easy and progress from there. First let’s create the AAA group and add a couple of servers. I’m a CLI guy, but ASDM is easier for some of this so you’re going to get some of that today.

Let’s break down the more confusing parts. First is Scope. You should almost always set it to All levels beneath Base DN, which lets the ASA search the entire tree. Next is the Login DN. Here is where it can get confusing for some people. This is the full DN of the user that will bind to AD for lookups. This account needs nothing special, and I usually ask my customers to make it a read-only account. You can (and should) get the full DN from the User Account in AD. If you’re LDAP savvy, you can also use an LDAP browser.

If you look closely you’ll see that part of the DistinguishedName is the displayName. Not the username, the displayName. This account’s username is actually sfr-svc, but that is not part of the DN. Always try to copy-n-paste the LDAP attributes and paths! We enter the password for the account and Apply. Use the test button to verify it’s working. If it is not, check all the syntax and run “debug ldap 255” on the ASA. We can authenticate everyone, yah good…..wait, everyone…that’s bad. Yep, but we’ll start “locking it down”.

First let’s tackle Administrative sessions (SSH/ASDM). Since we don’t want everyone to be able to access the ASA, let’s set who can log in and at what privilege level. I have Mark M. who gets level 15 and Mike R. who only gets level 3. Level 3 will be a read-only level in the future. What we need to do is create a mapping of an LDAP attribute to something the ASA can understand: an LDAP Attribute Map. Here’s a map that sets the privilege based on who they are in AD.

ldap attribute-map Admin-Mappings
  map-name  sAMAccountName Privilege-Level
  map-value sAMAccountName mm 15
  map-value sAMAccountName mr 3

This maps the sAMAccountName of mm (Mark M.) to level 15 and the sAMAccountName of mr (Mike R.) to level 3. If we debug ldap on the ASA and test a login we’ll see the mapping happen.

From the CLI we can also verify:

PP-FIREWALL> show curpriv
Username : mm
Current privilege level : 1
Current Mode/s : P_UNPR
PP-FIREWALL> en
Password: ****
PP-FIREWALL# show curpriv
Username : mm
Current privilege level : 15
Current Mode/s : P_PRIV
PP-FIREWALL# exit

And if we check Mike R.:

PP-FIREWALL> show curpriv
Username : mr
Current privilege level : 1
Current Mode/s : P_UNPR
PP-FIREWALL> en
Password: ****
PP-FIREWALL# sh crupr
PP-FIREWALL# show curpriv
Username : mr
Current privilege level : 3
Current Mode/s : P_PRIV

Excellent, that part is working. Finally we apply this LDAP Attribute Map to our AAA Server Group. Go back into your Servers under your AAA LDAP Group and add the Attribute Map.

OK. We’re now set up to properly authenticate and set the privilege level for our Admins. Don’t forget to set this group as your SSH/Enable/HTTP preferred authentication method. One thing to note (and this should be an Aha! moment): we can only have one LDAP Attribute Map per server (per AAA group, really). So if we want to authenticate VPN users using LDAP, this group will not work! Easy fix though: create another AAA group. We can use the same servers in multiple groups. Create a new AAA group and call it VPN-AUTH. Add your servers and credentials just like the first group we created. This group will now authenticate VPN users. However, we need to make sure it will only authenticate VPN users, not all users. We have a couple of options. We could map AD groups to a Group Policy on the ASA, or we can configure Dynamic Access Policies (DAP).
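Pulling the steps above together, here is an added configuration example (not from the original post) of the two-group layout: an admin group carrying the post's Admin-Mappings map, and a VPN-AUTH group pointing at the same server but carrying a memberOf-to-group-policy map so that only members of one AD group get a usable VPN policy. The server address 192.0.2.10, the base DN, the service-account DN, the AD group name and the NOACCESS/VPN-GP/RA-VPN names are placeholders to substitute for your environment.

```text
! --- Admin sessions: one AAA group, one attribute map ---
ldap attribute-map Admin-Mappings
  map-name  sAMAccountName Privilege-Level
  map-value sAMAccountName mm 15
  map-value sAMAccountName mr 3
!
aaa-server ADMIN-AUTH protocol ldap
aaa-server ADMIN-AUTH (inside) host 192.0.2.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=SFR Service,OU=Service Accounts,DC=example,DC=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map Admin-Mappings
!
! Use the group for SSH/ASDM/enable; LOCAL stays as fallback so a
! DC outage does not lock you out. Management authorization lets the
! attributes returned by the server govern the admin session.
aaa authentication ssh console ADMIN-AUTH LOCAL
aaa authentication http console ADMIN-AUTH LOCAL
aaa authentication enable console ADMIN-AUTH LOCAL
aaa authorization exec authentication-server
!
! --- VPN sessions: second group, same server, different map ---
! Only one attribute map fits per server entry, so VPN gets its own
! group. memberOf -> IETF-Radius-Class picks the group-policy; anyone
! outside the AD group falls to the default NOACCESS policy.
ldap attribute-map VPN-Mappings
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com VPN-GP
!
aaa-server VPN-AUTH protocol ldap
aaa-server VPN-AUTH (inside) host 192.0.2.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=SFR Service,OU=Service Accounts,DC=example,DC=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map VPN-Mappings
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
group-policy VPN-GP internal
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
  authentication-server-group VPN-AUTH
  default-group-policy NOACCESS
```

With this layout the same `debug ldap 255` and `show curpriv` checks from the post still apply to the admin group, and a VPN test login from an account outside VPN-Users should be refused by the zero-login NOACCESS policy.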
