Cisco ASA 5585 SSH LDAP Authentication


I am attempting to set up Microsoft LDAP authentication, for SSH only, for a specific security group on a Cisco ASA 5585 version 8.2(5) using the ASDM. The lookup and authentication are working, however all users are authenticated regardless of security group membership.

AAA Config:

aaa-server LDAP_mybusinessda (web) host 10.100.21.6
 server-port 636
 ldap-base-dn OU=Staff Users,OU=mybusiness,DC=mybusinessda,DC=org
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAPLookup,CN=Users,DC=mybusinessda,DC=org
 ldap-over-ssl enable
 ldap-attribute-map LDAP_memberOf_ServiceType
aaa authentication enable console LDAP_mybusinessda LOCAL
aaa authentication ssh console LDAP_mybusinessda LOCAL
ldap attribute-map LDAP_memberOf_ServiceType
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=CiscoASAManagement,OU=Security,OU=Groups,OU=mybusiness,DC=mybusinessda,DC=org 6

When I connect with a user who is a member of the group, the LDAP debug shows (only pasting the relevant portion):

[3185] Creating LDAP context with uri=ldaps://10.100.21.6:636
[3185] Connect to LDAP server: ldaps://10.100.21.6:636, status = Successful
[3185] supportedLDAPVersion: value = 3
[3185] supportedLDAPVersion: value = 2
[3185] Binding as LDAPLookup
[3185] Performing Simple authentication for LDAPLookup to 10.100.21.6
[3185] LDAP Search:
        Base DN = [OU=Staff Users,OU=mybusiness,DC=mybusinessda,DC=org]
        Filter  = [sAMAccountName=test_allowed_user]
        Scope   = [ONE LEVEL]
[3185] User DN = [CN=TestAllowedUser,OU=Staff Users,OU=mybusiness,DC=mybusinessda,DC=org]
[3185] Talking to Active Directory server 10.100.21.6
[3185] Binding as test_allowed_user
[3185] Performing Simple authentication for test_allowed_user to 10.100.21.6
[3185] Processing LDAP response for user test_allowed_user
[3185] Message (test_allowed_user):
[3185] Authentication successful for test_allowed_user to 10.100.21.6
[3185] Retrieved User Attributes:
[3185]  memberOf: value = CN=CiscoASAManagement,OU=Security,OU=Groups,OU=mybusiness,DC=mybusinessda,DC=org
[3185]          mapped to IETF-Radius-Service-Type: value = 6

Even if I remove the ldap-attribute-map from the aaa-server, all users are still authenticated, and the debug simply doesn't show the mapped to IETF-Radius-Service-Type. What is wrong here?

Also, I can't tag this LDAP because of my rep. Unfortunate.


EDIT:
I may end up doing this with RADIUS, as the rest of the Cisco devices support RADIUS auth and it would unify all my Cisco devices. It appears this method of LDAP auth may only work for VPN also.

Best Answer

EDIT: Oops, I just re-read your question and I believe you are hoping to limit who can SSH to your ASA using the "ldap-attribute-map". As far as I know, the LDAP Attribute Map feature is only used for modifying VPN access, not management access to the ASA itself. I'll leave my original answer below in case you (or anyone else) find it helpful.


The LDAP attribute map allows you to 'override' policies that are inherited from the "default-group-policy" command in the tunnel group for this particular VPN. So in essence, what you need to do is have it so the default-group-policy allows no access, but group-policy 6 allows full access (or whatever access you desire).

Without seeing the rest of your configuration, it's hard to give you the exact configuration you will need, but here is an effective summary:

tunnel-group TG-SVC-VPN type remote-access
tunnel-group TG-SVC-VPN general-attributes
  authentication-server-group LDAP_mybusinessda
  default-group-policy GP-SVC-NO-ACCESS
tunnel-group TG-SVC-VPN webvpn-attributes
  group-alias Default enable

group-policy GP-SVC-NO-ACCESS internal
group-policy GP-SVC-NO-ACCESS attributes
  vpn-simultaneous-logins 0

group-policy 6 internal
group-policy 6 attributes
  vpn-simultaneous-logins 1
  [vpn-filter ...]
  [ip pool ...]
  [etc]

This will make it so that anyone that authenticates against your tunnel group is not allowed to connect... EXCEPT if they match your LDAP attribute map which overrides the "simultaneous logins" setting from 0 to 1.
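The gap both the question and the answer describe (the bind succeeds and the attribute map fires, but nothing on the SSH path consumes the mapped Service-Type) is easy to confirm from the ASA's own "debug ldap" output. The following Python is an added example, written for this page rather than taken from the asker, the answerer or Cisco: it parses debug lines in the format shown in the question, re-applies the asker's ldap attribute-map to the retrieved memberOf values, and reports, per user, whether the ASA would grant SSH (on bind success alone, per the answer) versus whether the user is actually in CiscoASAManagement. It also checks whether a given user DN is reachable under the search Base DN with the "ONE LEVEL" scope the debug shows, since a user in a sub-OU of "Staff Users" would never be found by that search. The two debug transcripts are constructed samples modelled on the question's output (the second user and group are invented), the DN splitting is naive (no escaped commas), and the assumption that only values with a map-value entry are translated is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BASE_DN = "OU=Staff Users,OU=mybusiness,DC=mybusinessda,DC=org"
MGMT_GROUP_DN = ("CN=CiscoASAManagement,OU=Security,OU=Groups,"
                 "OU=mybusiness,DC=mybusinessda,DC=org")

# Mirrors the asker's "ldap attribute-map LDAP_memberOf_ServiceType".
# Assumption: only values with a map-value entry are translated here.
ATTRIBUTE_MAP = {
    "map-name": {"memberOf": "IETF-Radius-Service-Type"},
    "map-value": {("memberOf", MGMT_GROUP_DN): "6"},
}

# Constructed sample debug output, modelled on the format in the question.
# Both users bind successfully; only the first is in CiscoASAManagement.
SAMPLE_DEBUG = {
    "test_allowed_user": f"""\
[3185] LDAP Search:
        Base DN = [{BASE_DN}]
        Filter  = [sAMAccountName=test_allowed_user]
        Scope   = [ONE LEVEL]
[3185] User DN = [CN=TestAllowedUser,{BASE_DN}]
[3185] Authentication successful for test_allowed_user to 10.100.21.6
[3185] Retrieved User Attributes:
[3185]  memberOf: value = {MGMT_GROUP_DN}
""",
    "test_other_user": f"""\
[3186] LDAP Search:
        Base DN = [{BASE_DN}]
        Filter  = [sAMAccountName=test_other_user]
        Scope   = [ONE LEVEL]
[3186] User DN = [CN=TestOtherUser,{BASE_DN}]
[3186] Authentication successful for test_other_user to 10.100.21.6
[3186] Retrieved User Attributes:
[3186]  memberOf: value = CN=Staff,OU=Security,OU=Groups,OU=mybusiness,DC=mybusinessda,DC=org
""",
}


@dataclass
class LdapAuthResult:
    user: Optional[str] = None
    user_dn: Optional[str] = None
    base_dn: Optional[str] = None
    scope: Optional[str] = None
    authenticated: bool = False
    attributes: Dict[str, List[str]] = field(default_factory=dict)


_RE_BASE = re.compile(r"^\s*Base DN\s*=\s*\[(.*)\]")
_RE_SCOPE = re.compile(r"^\s*Scope\s*=\s*\[(.*)\]")
_RE_USER_DN = re.compile(r"^\[\d+\]\s+User DN = \[(.*)\]")
_RE_AUTH_OK = re.compile(r"^\[\d+\]\s+Authentication successful for (\S+) to ")
_RE_ATTR = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")


def parse_asa_ldap_debug(text: str) -> LdapAuthResult:
    """Extract search scope, user DN, bind result and retrieved attributes."""
    r = LdapAuthResult()
    in_attrs = False  # only collect attributes after the "Retrieved" marker
    for line in text.splitlines():
        if m := _RE_BASE.match(line):
            r.base_dn = m.group(1)
        elif m := _RE_SCOPE.match(line):
            r.scope = m.group(1)
        elif m := _RE_USER_DN.match(line):
            r.user_dn = m.group(1)
        elif m := _RE_AUTH_OK.match(line):
            r.user, r.authenticated = m.group(1), True
        elif "Retrieved User Attributes:" in line:
            in_attrs = True
        elif in_attrs and (m := _RE_ATTR.match(line)):
            r.attributes.setdefault(m.group(1), []).append(m.group(2).strip())
    return r


def apply_attribute_map(attributes: Dict[str, List[str]], amap: dict) -> Dict[str, List[str]]:
    """Translate LDAP attribute values the way the map-name/map-value lines do."""
    mapped: Dict[str, List[str]] = {}
    for ldap_name, values in attributes.items():
        cisco_name = amap["map-name"].get(ldap_name)
        if cisco_name is None:
            continue
        for v in values:
            out = amap["map-value"].get((ldap_name, v))
            if out is not None:
                mapped.setdefault(cisco_name, []).append(out)
    return mapped


def audit(text: str) -> dict:
    """Compare what the ASA grants (bind success) with group membership."""
    r = parse_asa_ldap_debug(text)
    mapped = apply_attribute_map(r.attributes, ATTRIBUTE_MAP)
    in_group = MGMT_GROUP_DN in r.attributes.get("memberOf", [])
    return {
        "user": r.user,
        # Per the answer, management (SSH) access is decided by the bind
        # result alone; the mapped Service-Type is not consulted for it.
        "asa_grants_ssh": r.authenticated,
        "in_management_group": in_group,
        "mapped": mapped,
        "unintended_access": r.authenticated and not in_group,
    }


def _rdns(dn: str) -> List[str]:
    return [p.strip() for p in dn.split(",")]  # naive: no escaped commas


def dn_visible_under(dn: str, base_dn: str, scope: str) -> bool:
    """Would a search with this Base DN and scope ever return this entry?"""
    d, b = _rdns(dn), _rdns(base_dn)
    if scope.upper() == "ONE LEVEL":
        return d[1:] == b               # direct children of the base only
    if scope.upper() == "SUBTREE":
        return len(d) > len(b) and d[-len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")


if __name__ == "__main__":
    for name, text in SAMPLE_DEBUG.items():
        print(name, audit(text))
    nested = "CN=Contractor,OU=Contractors," + BASE_DN
    print("nested user found with ONE LEVEL:", dn_visible_under(nested, BASE_DN, "ONE LEVEL"))
```

Run against real "debug ldap 255" output, the audit flags every account that binds but lacks the group, which is exactly the population the asker wants to exclude and which the attribute map cannot exclude on the SSH path. The scope check is the complementary failure: with "ONE LEVEL", staff placed in a sub-OU under "Staff Users" are silently never found, so they fall through to the LOCAL fallback in "aaa authentication ssh console" rather than failing cleanly.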