jmanteau

Mon coin de toile - A piece of Web

Cisco ASA: Authorize administrative access via Active Directory LDAP

Posted at — Mar 12, 2013

The attribute map that binds our group of allowed administrators to a Service-Type that permits logins. Every memberOf value returned for the user is compared against the map-value DN; a match on the admin group yields IETF-Radius-Service-Type 6 (Administrative), which is the value the exec authorization below acts on:

ldap attribute-map LDAP_MemberOf_ServiceType
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu 6

The Active Directory servers. Both are queried over LDAPS (port 636) with a dedicated, low-privilege bind account, so import the root certificate of the CA that issued the domain controllers' certificates into the ASA, otherwise the SSL session to the directory will not come up:

aaa-server TEST.SECU protocol ldap
aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.10
 server-port 636
 ldap-base-dn DC=TEST,DC=secu
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MemberOf_ServiceType
aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.11
 server-port 636
 ldap-base-dn DC=TEST,DC=secu
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MemberOf_ServiceType

Finally, point SSH and ASDM/HTTP authentication at the LDAP server group and let the directory decide who gets an exec session. LOCAL is a fallback that is used only when neither AD server can be reached, not when the directory rejects the credentials, so keep a local administrator account for that case:

user-identity default-domain LOCAL
aaa authentication ssh console TEST.SECU LOCAL
aaa authentication http console TEST.SECU LOCAL
aaa authorization exec authentication-server
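To see what the three configuration pieces above amount to, here is an offline model of the ASA's decision path: look the user up by sAMAccountName under the base DN with subtree scope, read the memberOf values, apply the attribute map, then turn the Service-Type into an exec decision. This is an added example written for this page, not Cisco code and not part of the original post; the directory entries are constructed, the DN normalization is this example's own assumption (the page does not say how the ASA compares map-value DNs), and the meanings of Service-Type 6, 7 and 5 are taken from Cisco's ASA documentation rather than from the page. It also shows two things the configuration alone does not: memberOf only lists direct group memberships, so a user in a group nested inside G_ADMIN_SECU never matches, and an account outside the base DN is never found at all.

```python
# Added example, not part of the original post and not Cisco code: an offline
# model of the ASA's LDAP exec-authorization path for the config on this page.
from typing import Dict, Iterable, List, Optional

BASE_DN = "DC=TEST,DC=secu"                 # ldap-base-dn, ldap-scope subtree
NAMING_ATTRIBUTE = "sAMAccountName"         # ldap-naming-attribute
ADMIN_GROUP_DN = "CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu"

# The attribute map from the page: a single map-value line, group DN -> 6.
ATTRIBUTE_MAP: Dict[str, int] = {ADMIN_GROUP_DN: 6}

# What `aaa authorization exec authentication-server` makes of the value.
# Meanings from Cisco's ASA documentation, not from this page:
# 6 = Administrative (full access), 7 = NAS-Prompt (CLI, no enable),
# 5 = Outbound (management access denied).
EXEC_DECISION = {6: "administrative", 7: "nas-prompt", 5: "deny"}

# Constructed AD entries (test data, not a real directory). memberOf holds
# DIRECT memberships only: carol sits in G_ADMIN_TIER1, which is nested
# inside G_ADMIN_SECU, so the admin group DN never appears in her memberOf.
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=alice,OU=Users,DC=TEST,DC=secu", "sAMAccountName": "alice",
     "memberOf": ["cn=g_admin_secu,ou=groupes,dc=test,dc=secu"]},
    {"dn": "CN=bob,OU=Users,DC=TEST,DC=secu", "sAMAccountName": "bob",
     "memberOf": ["CN=G_HELPDESK,OU=Groupes,DC=TEST,DC=secu"]},
    {"dn": "CN=carol,OU=Users,DC=TEST,DC=secu", "sAMAccountName": "carol",
     "memberOf": ["CN=G_ADMIN_TIER1,OU=Groupes,DC=TEST,DC=secu"]},
    {"dn": "CN=dave,OU=Old,DC=OTHER,DC=secu", "sAMAccountName": "dave",
     "memberOf": [ADMIN_GROUP_DN]},  # outside the base DN: never found
]


def normalize_dn(dn: str) -> str:
    """DN comparison the way AD treats DNs: case-insensitive, whitespace
    around RDNs ignored. Assumption of this example; the page does not state
    how strictly the ASA compares map-value DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_base_dn(dn: str, base_dn: str = BASE_DN) -> bool:
    """ldap-scope subtree: the entry must sit at or below the base DN."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base_dn)
    return n_dn == n_base or n_dn.endswith("," + n_base)


def search_user(username: str, directory=DIRECTORY) -> Optional[Dict[str, object]]:
    """The ASA's lookup after binding as svc-acces: filter
    (sAMAccountName=<username>) under the base DN."""
    for entry in directory:
        if entry[NAMING_ATTRIBUTE] == username and in_base_dn(str(entry["dn"])):
            return entry
    return None


def map_service_type(member_of: Iterable[str],
                     attribute_map: Dict[str, int] = ATTRIBUTE_MAP) -> Optional[int]:
    """Apply the ldap attribute-map: the first memberOf value equal to a
    map-value DN yields that line's Service-Type; no match, no attribute."""
    wanted = {normalize_dn(dn): value for dn, value in attribute_map.items()}
    for group_dn in member_of:
        value = wanted.get(normalize_dn(group_dn))
        if value is not None:
            return value
    return None


def exec_authorization(username: str, directory=DIRECTORY) -> str:
    """Decision for an SSH/ASDM login whose password already checked out."""
    entry = search_user(username, directory)
    if entry is None:
        return "user-not-found"
    service_type = map_service_type(list(entry["memberOf"]))  # type: ignore[arg-type]
    if service_type is None:
        # No map-value matched, so the ASA gets no Service-Type back. The page
        # does not say how the ASA handles that; this model treats it as not
        # authorized, which is the outcome you want for non-admins.
        return "no-service-type"
    return EXEC_DECISION.get(service_type, "unknown-service-type")


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(f"{user:6s} -> {exec_authorization(user)}")
```

Running it prints one line per constructed user: alice is the only one that reaches "administrative". The carol case is the one to remember when someone reports that "being in the admin group" is not enough: flatten the membership or add a second map-value line for the nested group.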

Debug commands, to run while reproducing a failing login (the LDAP debug shows the bind, the search filter and every attribute returned, including memberOf, so it is the quickest way to see why the map did not match; turn both off once done):

debug ldap 255
debug aaa common 255