Authorization With Ldap For Vpn - Cisco FirePOWER ASA 5500 series Configuration Manual


Chapter 13
Configuring AAA Servers and the Local Database
hostname(config-aaa-server-host)#
Setting the LDAP Server Type
The security appliance supports LDAP Version 3 and, therefore, is compatible with any LDAP V3 or V2
server. However, it supports authentication and password management features only on the Sun
Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the
Microsoft Active Directory. For example, the security appliance supports automated reset of an expired
password without manual intervention by a system administrator with either a Sun or Microsoft LDAP
server. With any other type of LDAP server, such as a Novell or OpenLDAP server, it only supports
LDAP authorization functions and CRL (certificate revocation list) retrieval.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP
directory server. However, if auto-detection fails to determine the LDAP server type, and you know the
server is either a Microsoft or Sun server, you can manually configure the server type. The following
example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#
Note
Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.

Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP
server, which returns LDAP attributes. These attributes generally include authorization data that applies
to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.
To set up VPN user authorization using LDAP, you must first create a AAA server group and a tunnel
group. You then associate the server and tunnel groups using the tunnel-group general-attributes
command. While there are other authorization-related commands and options available for specific
requirements, the following example shows fundamental commands for enabling user authorization with
LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that
new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
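The following audit script is an added example, not part of the Cisco guide. It checks a saved configuration for the two conditions described above: every authorization-server-group named in a tunnel group must exist as an LDAP AAA server group with a host, and a host explicitly typed as Microsoft should have LDAP over SSL enabled (ldap-over-ssl enable in aaa-server host mode). The sample configuration is constructed, and it assumes sub-mode commands are indented by one space as in show running-config output.

```python
import re

# Constructed running-config excerpt. ldap_dir_1, remote-1 and 10.1.1.4 come
# from the page; ad_dir, remote-2, ldap_dir_9 and 10.1.1.5 are made up.
SAMPLE_CONFIG = """\
aaa-server ldap_dir_1 protocol ldap
aaa-server ldap_dir_1 host 10.1.1.4
 server-type sun
aaa-server ad_dir protocol ldap
aaa-server ad_dir host 10.1.1.5
 server-type microsoft
tunnel-group remote-1 type ipsec-ra
tunnel-group remote-1 general-attributes
 authorization-server-group ldap_dir_1
tunnel-group remote-2 type ipsec-ra
tunnel-group remote-2 general-attributes
 authorization-server-group ldap_dir_9
"""

def audit(config):
    """Return findings about LDAP authorization wiring and the LDAP-over-SSL note."""
    ldap_groups, hosts, authz = set(), {}, {}
    mode = None  # ("host", (group, ip)) or ("tg", name) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # a top-level command ends any sub-mode
            mode = None
            if m := re.match(r"aaa-server (\S+) protocol ldap$", line):
                ldap_groups.add(m.group(1))
            elif m := re.match(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", line):
                mode = ("host", (m.group(1), m.group(2)))
                hosts[mode[1]] = set()
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
                mode = ("tg", m.group(1))
        elif mode and mode[0] == "host":
            hosts[mode[1]].add(line)
        elif mode and (m := re.match(r"authorization-server-group (\S+)", line)):
            authz[mode[1]] = m.group(1)
    findings = []
    for tg, group in sorted(authz.items()):
        if group not in ldap_groups or not any(g == group for g, _ in hosts):
            findings.append(f"tunnel-group {tg}: authorization-server-group "
                            f"{group} has no LDAP server group/host defined")
    for (group, ip), cmds in sorted(hosts.items()):
        # Only explicitly typed servers are checked; auto-detected ones are not.
        if (group in ldap_groups and "server-type microsoft" in cmds
                and "ldap-over-ssl enable" not in cmds):
            findings.append(f"aaa-server {group} host {ip}: server-type "
                            "microsoft without ldap-over-ssl enable")
    return findings
```

Because the appliance auto-detects the server type by default, a Microsoft server with no server-type line in the configuration is not flagged by this check and needs to be reviewed by hand.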
