A lot of times, we use RADIUS and TACACS+ servers to perform AAA functions on the Cisco ASA. However, the Cisco ASA can also integrate directly with LDAP (lightweight directory access protocol) servers to perform these AAA functions. Examples of LDAP servers that the Cisco ASA can operate with include Microsoft Active Directory, OpenLDAP, and Novell.

Note: You may be aware that the Microsoft Active Directory (and other LDAP servers) can be integrated with the Cisco Secure ACS or ISE as external identity stores. However, what we are dealing with in this article is direct integration with LDAP servers, bypassing the Cisco Secure ACS/ISE.

In this article, we will be using a simple lab setup as shown below:

As shown in the diagram above, I will be using OpenLDAP, which you can download here. I have installed mine on an Ubuntu system following a guide here. In my setup, I am using a domain of example.com, and I have created two organizational units (OUs), “groups” and “users,” and added two users, “netadmin” and “salesuser.”

Note: If you are using Microsoft Active Directory, you don’t have to create the OUs that I did because groups and users are already default objects on the Microsoft AD.

Before we begin our configuration on the ASA, there are some attributes we will be configuring that I would like to explain first:

  • ldap-base-dn: This is the location in the hierarchy from which the ASA starts searching. If we want to search the whole domain, we can begin from the top, e.g., dc=example,dc=com. However, if we want to restrict the search to a certain group (e.g., sales), it could be ou=sales,dc=example,dc=com.
  • ldap-login-dn: The distinguished name (DN) that the ASA will use to bind with the LDAP server. This DN should have sufficient privileges to be able to search users on the LDAP server.
  • ldap-login-password: The password of the DN we will be using to bind to the LDAP server.
  • ldap-scope: This specifies how deep in the hierarchy the server should search. The options are “onelevel,” meaning just one level below the base DN, or “subtree,” meaning all levels below the base DN. Of course, searching one level below the base DN is faster, but for a more extensive search, use subtree.
  • ldap-naming-attribute: This is the relative distinguished name attribute of an object on the LDAP server. This attribute must uniquely identify that object. For example, many users may have “John” as a first name, but a unique identity may be the email address of users, e.g. johndoe@example.com versus johnstone@example.com. Commonly used attributes include the common name (cn), user ID (UID), and sAMAccountName (default for Microsoft Active Directory).
  • server-type: The type of LDAP server. Options include auto-detect, novell, openldap, sun, and microsoft. If a server type is not specified, the default is that the ASA will try to automatically detect the LDAP server.

Now that we have seen the attributes we need to configure, let’s relate them to our lab setup. If we assume that all the users that we want to authenticate will be under “ou=users,” it means we can set our base DN as “ou=users,dc=example,dc=com”. Also, we will only search one level below the base DN, so our scope will be “onelevel.”

A default “admin” DN comes with OpenLDAP (“cn=admin,dc=example,dc=com”), so we can use this for the login DN and specify the password for that login DN. Finally, we will set the naming attribute to two different options: we will start with CN and then we will use UID.

As such, the configuration on the ASA is as follows:

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.56.1 255.255.255.0
!
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.56.101
 ldap-base-dn ou=users,dc=example,dc=com
 ldap-naming-attribute cn
 ldap-login-password cisco123
 ldap-login-dn cn=admin,dc=example,dc=com
 server-type auto-detect

The details of the two users (netadmin and salesuser) I have created are as shown below:

# netadmin, users, example.com
dn: cn=netadmin,ou=users,dc=example,dc=com
givenName: Network
gidNumber: 502
homeDirectory: /home/users/nadmin
sn: Admin
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: netadmin1
cn: netadmin

# salesuser, users, example.com
dn: cn=salesuser,ou=users,dc=example,dc=com
givenName: Sales
gidNumber: 501
homeDirectory: /home/users/salesuser1
sn: User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: salesuser1
cn: salesuser

We can test our configuration by using the test aaa-server command on the ASA. I will also enable LDAP debugging so that we can see the authentication process:

ciscoasa# debug ldap 255
debug ldap  enabled at level 255
ciscoasa#
ciscoasa# test aaa-server authentication LDAP_SRV_GRP host 192.168.56.101 username netadmin password cisco123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
[1] Session Start
[1] New request Session, context 0xbc112828, reqType = Authentication
[1] Fiber started
[1] Creating LDAP context with uri=ldap://192.168.56.101:389
[1] Connect to LDAP server: ldap://192.168.56.101:389, status = Successful
[1] supportedLDAPVersion: value = 3
[1] supportedSASLMechanisms: value = DIGEST-MD5
[1] supportedSASLMechanisms: value = CRAM-MD5
[1] supportedSASLMechanisms: value = NTLM
[1] Binding as admin
[1] Performing Simple authentication for admin to 192.168.56.101
[1] LDAP Search:
Base DN = [ou=users,dc=example,dc=com]
Filter = [cn=netadmin]
Scope = [ONE LEVEL]
[1] User DN = [cn=netadmin,ou=users,dc=example,dc=com]
[1] Server type for 192.168.56.101 unknown - no password policy
[1] Binding as netadmin
[1] Performing Simple authentication for netadmin to 192.168.56.101
[1] Processing LDAP response for user netadmin
[1] Authentication successful for netadmin to 192.168.56.101
[1] Retrieved User Attributes:
[1] givenName: value = Network
[1] gidNumber: value = 502
[1] homeDirectory: value = /home/users/nadmin
[1] sn: value = Admin
[1] objectClass: value = inetOrgPerson
[1] objectClass: value = posixAccount
[1] objectClass: value = top
[1] userPassword: value = cisco123
[1] uidNumber: value = 1000
[1] uid: value = netadmin1
[1] cn: value = netadmin
[1] Fiber exit Tx=321 bytes Rx=443 bytes, status=1
[1] Session End
INFO: Authentication Successful

In the output above, we see that the ASA first successfully connected to the LDAP server and then bound with the “admin” DN that we configured. Since that was successful, the ASA went on to search for the “cn=netadmin” user on the LDAP server. Notice the Base DN and scope that we configured. When the “netadmin” user was found, the ASA then bound to the LDAP server with that user’s DN and the supplied password and, since that was successful, we see that the authentication was successful and the user attributes were retrieved. You can also go ahead and test the “salesuser.”

Since we specified that the naming attribute should be “cn,” an attempt to authenticate using the UID will fail. For example, the CN of the sales user is “salesuser” while its UID is “salesuser1”. The output below shows that authentication using the UID fails:

ciscoasa# test aaa-server authentication LDAP_SRV_GRP host 192.168.56.101 username salesuser1 password cisco123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
[3] Session Start
[3] New request Session, context 0xbc112828, reqType = Authentication
[3] Fiber started
[3] Creating LDAP context with uri=ldap://192.168.56.101:389
[3] Connect to LDAP server: ldap://192.168.56.101:389, status = Successful
[3] supportedLDAPVersion: value = 3
[3] Binding as admin
[3] Performing Simple authentication for admin to 192.168.56.101
[3] LDAP Search:
Base DN = [ou=users,dc=example,dc=com]
Filter = [cn=salesuser1]
Scope = [ONE LEVEL]
[3] User salesuser1 not found
[3] Fiber exit Tx=263 bytes Rx=139 bytes, status=-1
[3] Session End
ERROR: Authentication Rejected: User was not found

Let’s now go and change the naming attribute under the Cisco ASA configuration:

aaa-server LDAP_SRV_GRP (inside) host 192.168.56.101
 ldap-naming-attribute uid

If we test our authentication again using the UID, it will succeed:

ciscoasa# test aaa-server authentication LDAP_SRV_GRP host 192.168.56.101 username salesuser1 password cisco123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
[4] Session Start
[4] New request Session, context 0xbc112828, reqType = Authentication
[4] Fiber started
[4] Creating LDAP context with uri=ldap://192.168.56.101:389
[4] Connect to LDAP server: ldap://192.168.56.101:389, status = Successful
[4] supportedLDAPVersion: value = 3
[4] Binding as admin
[4] Performing Simple authentication for admin to 192.168.56.101
[4] LDAP Search:
Base DN = [ou=users,dc=example,dc=com]
Filter = [uid=salesuser1]
Scope = [ONE LEVEL]
[4] User DN = [cn=salesuser,ou=users,dc=example,dc=com]
[4] Server type for 192.168.56.101 unknown - no password policy
[4] Binding as salesuser1
[4] Performing Simple authentication for salesuser1 to 192.168.56.101
[4] Processing LDAP response for user salesuser1
[4] Authentication successful for salesuser1 to 192.168.56.101
[4] Retrieved User Attributes:
[4] givenName: value = Sales
[4] gidNumber: value = 501
[4] homeDirectory: value = /home/users/salesuser1
[4] sn: value = User
[4] objectClass: value = inetOrgPerson
[4] objectClass: value = posixAccount
[4] objectClass: value = top
[4] userPassword: value = {MD5}B5gsVdsrmYXTOR8C5jnbnA==
[4] uidNumber: value = 1001
[4] uid: value = salesuser1
[4] cn: value = salesuser
[4] Fiber exit Tx=325 bytes Rx=469 bytes, status=1
[4] Session End
INFO: Authentication Successful
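To make the search step in the debug output concrete, here is an added Python example (not from the article, Cisco or OpenLDAP) that parses the LDIF entries shown earlier into an in-memory directory and reproduces the ASA's lookup: build the (naming-attribute=username) filter, restrict the search by base DN and scope, and return the user DN the ASA then binds with, or None for “User was not found.” It goes slightly beyond the lab by also modelling the subtree scope with a constructed nested entry, and it escapes the username per RFC 4515 before placing it in the filter, as any client building filters from user input should.

```python
import re

# Constructed sample data: the cn/uid lines of the two lab users from the page, plus a
# cn=contractor entry nested one OU deeper (example-only) to show onelevel vs subtree.
LDIF = """\
dn: cn=netadmin,ou=users,dc=example,dc=com
uid: netadmin1
cn: netadmin

dn: cn=salesuser,ou=users,dc=example,dc=com
uid: salesuser1
cn: salesuser

dn: cn=contractor,ou=contractors,ou=users,dc=example,dc=com
uid: contractor1
cn: contractor
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}} from a simple LDIF dump (no wrapped lines)."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):  # skip LDIF comment lines
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip(), []).append(value.strip())
        directory[attrs["dn"][0]] = attrs
    return directory

def build_filter(naming_attribute, username):
    """The filter the ASA sends, e.g. (cn=netadmin), with RFC 4515 escaping applied."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in username)
    return f"({naming_attribute}={escaped})"

def in_scope(dn, base_dn, scope):
    """ldap-scope semantics: onelevel = directly under the base DN, subtree = any depth."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if not dn.endswith("," + base_dn):
        return False
    rdns_below_base = dn[: -len(base_dn) - 1].count(",") + 1
    return scope == "subtree" or rdns_below_base == 1

def find_user_dn(directory, base_dn, scope, naming_attribute, username):
    """Search the ASA runs after the ldap-login-dn bind; None means 'User not found'."""
    for dn, attrs in directory.items():
        values = [v.lower() for v in attrs.get(naming_attribute, [])]  # cn/uid match case-insensitively
        if in_scope(dn, base_dn, scope) and username.lower() in values:
            return dn
    return None
```

With naming attribute cn, "salesuser1" resolves to no DN, exactly as in the rejected test above; switching to uid returns cn=salesuser,ou=users,dc=example,dc=com, the User DN the ASA printed before binding.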

Cool! Now that we have tested our configuration and seen that the ASA can successfully authenticate users against the LDAP server, you can go on to use this for AAA services, such as Telnet/SSH authentication, VPN authentication, and so on.

Summary

In this article, we have covered LDAP authentication on the Cisco ASA. What is even more fun is using the LDAP server for authorization where users are mapped to different policies based on certain attributes on the LDAP server. Maybe we will consider that in another article.

I hope you have found this article informative.
