Cisco ASA: Authorize administrative access via Active Directory LDAP

Posted by (author not recorded) & filed under Informatique (IT), Sécurité (Security).


The attribute map binds membership of our administrator group to an IETF-Radius-Service-Type of 6 (Administrative), the value the ASA treats as permission for a privileged management login. Only users whose memberOf contains exactly this DN receive the attribute; memberOf lists direct memberships only, so nested groups are not matched:

ldap attribute-map LDAP_MemberOf_ServiceType
map-name  memberOf IETF-Radius-Service-Type
map-value memberOf CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu 6

The Active Directory servers. LDAP over SSL (port 636) is used here, so the root CA certificate that issued the domain controllers' certificates must be imported into the ASA as a trustpoint, otherwise the TLS handshake fails and every login falls through. The ldap-login-dn service account only needs read access to the directory; grant it nothing more, and keep its password out of configuration backups.

aaa-server TEST.SECU protocol ldap
aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.10
server-port 636
ldap-base-dn DC=TEST,DC=secu
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_MemberOf_ServiceType

aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.11
server-port 636
ldap-base-dn DC=TEST,DC=secu
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_MemberOf_ServiceType

Now use the server group for administrative access to the firewall. LOCAL is consulted only when none of the LDAP servers can be reached, not when a server rejects the user, so keep at least one local administrator account so that the fallback is usable. The `aaa authorization exec authentication-server` line is what turns the mapped Service-Type into an allow/deny decision for the management session:

user-identity default-domain LOCAL
aaa authentication ssh console TEST.SECU LOCAL
aaa authentication http console TEST.SECU LOCAL
aaa authorization exec authentication-server
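To make the attribute map and the authorization step above concrete, here is an added simulation (example code, not part of the original post and not ASA code) of what the firewall does with the memberOf values a domain controller returns: it applies the `map-value memberOf <DN> 6` rule and then takes the decision `aaa authorization exec authentication-server` takes. The directory entries, the user names and the `G_HELPDESK` nested group are constructed sample data; the denial of users who receive no Service-Type is an assumption of the simulation that reflects the post's intent.

```python
"""Simulation of the ASA's LDAP attribute map and management authorization.

Added example, not ASA code. It models how the `ldap attribute-map` on the
page turns a user's memberOf values into IETF-Radius-Service-Type and how
`aaa authorization exec authentication-server` then decides admin access.
All directory entries below are constructed sample data.
"""

ADMIN_GROUP_DN = "CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu"

# Mirrors: map-name memberOf IETF-Radius-Service-Type
#          map-value memberOf CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu 6
ATTRIBUTE_MAP = {
    "memberOf": ("IETF-Radius-Service-Type", {ADMIN_GROUP_DN: 6}),
}

# Service-Type values the ASA honours for management sessions (RFC 2865 numbers).
SERVICE_TYPE_ADMINISTRATIVE = 6   # full CLI / ASDM access
SERVICE_TYPE_NAS_PROMPT = 7       # CLI login, enable password required
SERVICE_TYPE_OUTBOUND = 5         # management access refused

# Constructed sample entries as a DC would return them. memberOf only lists
# direct memberships: carol is in G_HELPDESK (hypothetical), which is nested inside
# G_ADMIN_SECU, yet G_ADMIN_SECU never appears in her memberOf.
SAMPLE_DIRECTORY = {
    "alice": {"memberOf": [ADMIN_GROUP_DN,
                           "CN=Domain Users,CN=Users,DC=TEST,DC=secu"]},
    "bob":   {"memberOf": ["CN=Domain Users,CN=Users,DC=TEST,DC=secu"]},
    "carol": {"memberOf": ["CN=G_HELPDESK,OU=Groupes,DC=TEST,DC=secu"]},
}


def apply_attribute_map(entry, attribute_map=ATTRIBUTE_MAP):
    """Return the Cisco attributes the map derives from one LDAP entry."""
    cisco_attrs = {}
    for ldap_name, (cisco_name, value_map) in attribute_map.items():
        for value in entry.get(ldap_name, []):
            # Exact string match: the map-value must equal the DN string the DC
            # returns, which `debug ldap 255` prints during a test login.
            if value in value_map:
                cisco_attrs[cisco_name] = value_map[value]
    return cisco_attrs


def management_authorization(entry):
    """Decide what an authenticated user may do on the firewall.

    Returns a (decision, reason) tuple. Simulation assumption: a user who
    receives no Service-Type is denied, which is the page's intent (only
    direct members of G_ADMIN_SECU get in).
    """
    service_type = apply_attribute_map(entry).get("IETF-Radius-Service-Type")
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return "allow", "Service-Type 6: privileged access"
    if service_type == SERVICE_TYPE_NAS_PROMPT:
        return "allow-user-exec", "Service-Type 7: CLI login, enable required"
    if service_type == SERVICE_TYPE_OUTBOUND:
        return "deny", "Service-Type 5: management access refused"
    return "deny", "no mapped Service-Type (not a direct member of the admin group)"


def check_login(username, directory=SAMPLE_DIRECTORY):
    """Look the user up by sAMAccountName, as `ldap-naming-attribute sAMAccountName` does,
    then run the authorization decision. Password checking (the LDAP bind) is out of scope."""
    entry = directory.get(username)
    if entry is None:
        return "deny", "user not found under ldap-base-dn"
    return management_authorization(entry)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, check_login(user))
```

Running it shows alice allowed, bob and the unknown user denied, and carol denied despite being an administrator through a nested group: if nested groups must count, add the parent group's DN as a second `map-value` line or put the administrators directly in G_ADMIN_SECU.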

Debug commands for troubleshooting. Run them during a test login: `debug ldap 255` prints the bind, the search and every attribute the DC returned, including the memberOf values to compare against the map-value, and `debug aaa common 255` shows the resulting authorization decision. The login can also be exercised without opening an SSH session with `test aaa-server authentication TEST.SECU host 10.18.0.10 username <user> password <password>`.

debug ldap 255

debug aaa common 255


2 Responses to “Cisco ASA: Authorize administrative access via Active Directory LDAP”

  1. Finally!

    Thank you for this post. Straightforward and to the point. After spending hours going through Cisco config docs, this is exactly what I needed.