[Memo] ASA: LDAP integration settings

LDAP integration between a Cisco ASA and an Active Directory built on Windows Server.
I also tried assigning the group-policy by way of IETF-Radius-Class.

(1) ASA configuration

aaa-server ldap-rororina protocol ldap
aaa-server ldap-rororina (inside) host MAYU-PC
ldap-base-dn ou=Totooria-Helmold,dc=rororinaad,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Administrator,cn=Users,dc=rororinaad,dc=local
server-type microsoft
ldap-attribute-map VPN-LDAP-MAP
!
group-policy IPSecVPN_USER internal
group-policy IPSecVPN_USER attributes
vpn-filter value split_acl
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_acl
default-domain value Schwarzlank.rororinaad.local
address-pools value VPN-POOL-IP
!
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL-IP
authentication-server-group ldap-rororina

(2) Connecting as a user registered in LDAP with the test command

Schwarzlank# test aaa-server authentication ldap-rororina username Merurulince password *******
Server IP Address or name: 192.168.10.10
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful

(3) Debug log from the test connection

[-2147483645] Session Start
[-2147483645] New request Session, context 0xcc23846c, reqType = Authentication
[-2147483645] Fiber started
[-2147483645] Creating LDAP context with uri=ldap://192.168.10.10:389
[-2147483645] Connect to LDAP server: ldap://192.168.10.10:389, status = Successful
[-2147483645] supportedLDAPVersion: value = 3
[-2147483645] supportedLDAPVersion: value = 2
[-2147483645] Binding as Administrator
[-2147483645] Performing Simple authentication for Administrator to 192.168.10.10
[-2147483645] LDAP Search:
Base DN = [ou=Totooria-Helmold,dc=rororinaad,dc=local]
Filter = [sAMAccountName=Merurulince]
Scope = [SUBTREE]
[-2147483645] User DN = [CN=Merurulince Rade Arls,OU=Totooria-Helmold,DC=RororinaAD,DC=local]
[-2147483645] Talking to Active Directory server 192.168.10.10
[-2147483645] Reading password policy for Merurulince, dn:CN=Merurulince Rade Arls,OU=Totooria-Helmold,DC=RororinaAD,DC=local
[-2147483645] Read bad password count 0
[-2147483645] Binding as Merurulince
[-2147483645] Performing Simple authentication for Merurulince to 192.168.10.10
[-2147483645] Processing LDAP response for user Merurulince
[-2147483645] Message (Merurulince):
[-2147483645] Authentication successful for Merurulince to 192.168.10.10
[-2147483645] Retrieved User Attributes:
[-2147483645] objectClass: value = top
[-2147483645] objectClass: value = person
[-2147483645] objectClass: value = organizationalPerson
[-2147483645] objectClass: value = user
[-2147483645] cn: value = Merurulince Rade Arls
[-2147483645] sn: value = Merurulince
[-2147483645] givenName: value = Rade Arls
[-2147483645] distinguishedName: value = CN=Merurulince Rade Arls,OU=Totooria-Helmold,DC=RororinaAD,DC=local
[-2147483645] instanceType: value = 4
[-2147483645] whenCreated: value = 20121101061432.0Z
[-2147483645] whenChanged: value = 20121107073816.0Z
[-2147483645] displayName: value = Merurulince Rade Arls
[-2147483645] uSNCreated: value = 13862
[-2147483645] uSNChanged: value = 16677
[-2147483645] name: value = Merurulince Rade Arls
[-2147483645] objectGUID: value = ..*….@…vp.K.
[-2147483645] userAccountControl: value = 512
[-2147483645] badPwdCount: value = 0
[-2147483645] codePage: value = 0
[-2147483645] countryCode: value = 0
[-2147483645] badPasswordTime: value = 129967474234431932
[-2147483645] lastLogoff: value = 0
[-2147483645] lastLogon: value = 129967475050255283
[-2147483645] pwdLastSet: value = 129967474960076301
[-2147483645] primaryGroupID: value = 513
[-2147483645] objectSid: value = …………m..k.I.S.W..^…
[-2147483645] accountExpires: value = 9223372036854775807
[-2147483645] logonCount: value = 0
[-2147483645] sAMAccountName: value = Merurulince
[-2147483645] sAMAccountType: value = 805306368
[-2147483645] userPrincipalName: value = Merurulince@RororinaAD.local
[-2147483645] mapped to IETF-Radius-Class: value = IPSecVPN_USER
[-2147483645] mapped to LDAP-Class: value = IPSecVPN_USER
[-2147483645] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=RororinaAD,DC=local
[-2147483645] Fiber exit Tx=624 bytes Rx=2228 bytes, status=1
[-2147483645] Session End
INFO: Authentication Successful
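As an added example (not part of the original memo), a small Python parser for "debug ldap" output in the form shown above: it checks that the attribute map actually produced the expected IETF-Radius-Class value, decodes userAccountControl so a disabled or locked account is visible at a glance, and converts the FILETIME-style attributes (pwdLastSet, accountExpires). The sample lines are constructed from the log above; the flag values are the standard Active Directory userAccountControl bits.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a few lines in the same form as the ASA debug output above
SAMPLE_DEBUG = """\
[-2147483645] Authentication successful for Merurulince to 192.168.10.10
[-2147483645] Retrieved User Attributes:
[-2147483645] userAccountControl: value = 512
[-2147483645] pwdLastSet: value = 129967474960076301
[-2147483645] accountExpires: value = 9223372036854775807
[-2147483645] sAMAccountName: value = Merurulince
[-2147483645] mapped to IETF-Radius-Class: value = IPSecVPN_USER
[-2147483645] Fiber exit Tx=624 bytes Rx=2228 bytes, status=1
"""

ATTR_RE = re.compile(r"^\[-?\d+\] (.+?): value = (.*)$")
NEVER = 9223372036854775807          # accountExpires value meaning "never expires"
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_debug(text):
    """Collect 'name: value = x' lines into a dict (multi-valued attrs become lists)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return {k: v[0] if len(v) == 1 else v for k, v in attrs.items()}

def filetime_to_iso(value):
    """AD stores pwdLastSet/lastLogon/accountExpires as 100-ns ticks since 1601-01-01 UTC."""
    ticks = int(value)
    if ticks in (0, NEVER):          # 0 = not set, NEVER = no expiry
        return None
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")

def uac_flags(value):
    bits = int(value)
    return [name for bit, name in UAC_FLAGS.items() if bits & bit]

def check_mapping(text, expected_policy):
    """Summarise one authentication: user, whether the class mapped as expected, account state."""
    attrs = parse_debug(text)
    return {
        "user": attrs.get("sAMAccountName"),
        "policy_ok": attrs.get("mapped to IETF-Radius-Class") == expected_policy,
        "uac": uac_flags(attrs.get("userAccountControl", "0")),
        "pwd_last_set": filetime_to_iso(attrs.get("pwdLastSet", "0")),
        "expires": filetime_to_iso(attrs.get("accountExpires", "0")),
    }
```

For the sample above, pwdLastSet converts to 2012-11-07T07:38:16Z, which agrees with the whenChanged timestamp in the log.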
