Using your Active Directory for VPN authorization on ASA

Using LDAP attribute maps

My previous article looked at directly integrating Active Directory (AD) with ASA for VPN authentication using LDAP. Taking that to the next step, this article looks at using Active Directory attributes such as Group Membership for VPN authorization.

After a successful authentication, ASA queries the LDAP server, AD in this case, for the user profile. This profile contains various attributes such as Group Membership. These attributes vary from server to server and are not understood by ASA. To overcome this limitation, ASA allows you to configure an attribute map that will map the LDAP attribute and its value to a RADIUS attribute and value pair.

To better understand how LDAP attribute-maps work, consider the output given below. This output, from the debug ldap 255 command, shows some of the attributes received from an LDAP server on successful authentication.

[1000] Authentication successful for vpnuser to 192.168.1.10

[1000] Retrieved User Attributes:

[1000]  objectClass: value = top

[1000]  objectClass: value = person

[1000]  objectClass: value = organizationalPerson

[1000]  objectClass: value = user

[1000]  cn: value = VPNUser

[1000]  givenName: value = VPNUser

[1000]  distinguishedName: value = CN=VPNUser,CN=Users,DC=test,DC=com

[1000]  memberOf: value = CN=AllVpnUsers,CN=Users,DC=test,DC=com

[1000]  sAMAccountName: value = vpnuser

Notice the memberOf attribute received from the AD. This attribute shows the Group Membership of the user. Now, if you want to change the privilege of the user based on the group membership, you can map the memberOf attribute to one of the RADIUS attributes that are used for VPN. For example, RADIUS IETF attribute 25 - Class - is used to specify the group policy which will be applied to a session. If you map the memberOf attribute to the Class attribute and further map the Group Membership value to an ASA group policy name, each time someone from the specified AD group connects, the privileges defined in the specified group policy will be applied.

You can create an LDAP attribute-map using the following command:

ldap attribute-map map-name

This command will put you in the ldap-attribute-map configuration mode. You can create a new mapping here using the following command:

map-name LDAP-attribute RADIUS-attribute

After you have created a map, you can map the values between the LDAP and RADIUS attributes. This can be done using the following command:

map-value LDAP-attribute LDAP-value RADIUS-value

The map-value command tells the ASA to assign RADIUS-value to the RADIUS-attribute, defined in the map-name command, if the value of the LDAP-attribute is equal to LDAP-value in the user profile.

Going back to the example used earlier, the following commands will map the memberOf attribute and the RADIUS Class attribute such that if the users belong to the AllVpnUsers group in AD, they will be forced into the remvpn VPN group on ASA and all policies defined in the remvpn group will be applied to the session.

ldap attribute-map myldapmap

map-name memberOf IETF-Radius-Class

map-value memberOf CN=AllVpnUsers,CN=Users,DC=testaaa,DC=com remvpn

After creating the LDAP attribute-map, you need to apply the map to the AAA server group that is being used by the tunnel group for authentication using the following commands:

aaa-server group-tag host {server-ip-address | server-name}

ldap-attribute-map map-name

LDAP attributes provide a very easy way to use Active Directory attributes such as group membership to tailor VPN access. Almost any RADIUS attribute can be used in an LDAP attribute map. A list of all the RADIUS attributes supported for LDAP mapping can be found at this link. Though this article focuses on Active Directory, the information provided can be applied to any LDAP server without much change.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.