Friday, February 18, 2011

How to configure LDAP access for an ASA 5505

Assumptions:

  • ASDM is already installed
  • You know the password to the ASA
Launch ASDM and select Configuration from the top bar. In the left-hand bar, select Remote Access VPN. You should then see a heading that says AAA/Local Users. After clicking the + sign, select AAA Server Groups. You should now see an Add button on the right-hand side of the screen. Click Add and make up a name for the server group. This can be anything. Also set the settings below.

Reactivation Mode: Depletion
Dead Time: 10 Minutes (this was the default setting)
Max Failed Attempts: 3 (this was the default setting)

Click OK. You should now see the group in the AAA Server Groups box at the top of the page. Highlight the newly created group and click the Add button beside the Servers in the Selected Group box. This is what it should be set to:


Interface Name: Inside
Servername or IP Address: Your active directory server IP
Timeout: 10 seconds
Enable LDAP over SSL: Unchecked (this is up to your current setup)
Server Port: 389
Server Type: Microsoft
Base DN: dc=example,dc=com (see note below on how to find this and your user name)
Naming Attribute(s): sAMAccountName
Login DN: CN=John Doe,OU=Custom Users,DC=example,dc=com
Login Password:  Type the password to the user
LDAP Attribute Map: None

Everything else was just left as default. Click OK, then click Apply. Highlight the server IP in the box and click the Test button. You will see a box pop up. Choose the Authentication button and type your Active Directory username and password. If everything is configured correctly, you should get a message saying "Authentication test to host ip is successful."
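For reference, this is the CLI configuration that the ASDM steps above produce, which you can compare against `show running-config aaa-server` to check what ASDM actually wrote. It is an added example, not from the original post; the group name AD-LDAP, the server address 192.0.2.10 and the username are constructed placeholders, and the commented lines are optional settings the post leaves at their defaults.

```text
! AAA server group, matching the group settings chosen in ASDM
aaa-server AD-LDAP protocol ldap
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3
!
! The Active Directory server itself (192.0.2.10 is a constructed example)
aaa-server AD-LDAP (inside) host 192.0.2.10
 timeout 10
 server-port 389
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=John Doe,OU=Custom Users,DC=example,DC=com
 ldap-login-password <PASSWORD-PLACEHOLDER>
!
! Left at default in the post. With plain port 389 the login DN password and
! every user's credentials cross the network unencrypted; LDAPS avoids that:
!  ldap-over-ssl enable
!  server-port 636
!
! Also default in the post (one level below the Base DN). If the test fails
! because users sit in nested OUs, search the whole tree instead:
!  ldap-scope subtree
!
! Same check as the ASDM Test button, from the CLI (jdoe is a placeholder):
! test aaa-server authentication AD-LDAP host 192.0.2.10 username jdoe password <PASSWORD-PLACEHOLDER>
```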

***Note:*** Now I had some problems when configuring this.  The first problem I felt deserved its own post.  It's here.

The second problem was getting the right syntax for the LDAP part of it.  You can refer to my post that talks about dsquery more in depth.  It could help you.  It is here.  The two commands that will help you the most are:

dsquery user (This lists every single user. I only have maybe 20 users, so if you have a lot more than this, you can use some more specific switches to narrow it down.)

dsquery computer (This will show you all the computers. Same possible problem as with dsquery user. The big thing here is that all you need is the DC part of the results.)
