Здравствуйте.
Хочу настроить удаленный доступ пользователями, с помощью Cisco VPN Client, через ASA 5510 c авторизацией в Microsoft AD.
То есть, пользователь авторизуется с помощью своей доменной учетной записи, а ASA проверяет наличие учетки в определенной группе.
Начитавшись мануалов и других источников получилось нечто такое:ldap attribute-map MAP-ALLOWVPNUSERS
map-name memberOf IETF-Radius-Class
map-value memberOf CN=vpnusers,OU=staff,DC=ovk,DC=ru vpn-policy
aaa-server LDAP protocol ldap
aaa-server LDAP (LAN) host 132.147.160.23
ldap-base-dn DC=ovk,DC=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldapuser,OU=staff,DC=ovk,DC=ru
server-type auto-detect
ldap-attribute-map MAP-ALLOWVPNUSERS
group-policy noaccessvpn internal
group-policy noaccessvpn attributes
vpn-simultaneous-logins 0
group-policy vpn-policy internal
group-policy vpn-policy attributes
dns-server value 132.147.160.23
vpn-simultaneous-logins 100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote-client-vpn_splitTunnelAcl
default-domain value ovk.ru
tunnel-group remote-client-vpn type remote-access
tunnel-group remote-client-vpn general-attributes
address-pool remote-client-vpn-pool
authentication-server-group LDAP
default-group-policy noaccessvpn
tunnel-group remote-client-vpn ipsec-attributes
pre-shared-key *****
Однако не получается подключиться, клиент выдает auth fail.
Если убрать default-group-policy noaccessvpn, то подключает всех подряд.
Дебаг ldap:
[1724] Session Start
[1724] New request Session, context 0xda46c980, reqType = Authentication
[1724] Fiber started
[1724] Creating LDAP context with uri=ldap://132.147.160.23:389
[1724] Connect to LDAP server: ldap://132.147.160.23:389, status = Successful
[1724] supportedLDAPVersion: value = 3
[1724] supportedLDAPVersion: value = 2
[1724] LDAP server 132.147.160.23 is Active directory
[1724] Binding as ldapuser
[1724] Performing Simple authentication for ldapuser to 132.147.160.23
[1724] LDAP Search:
Base DN = [DC=ovk,DC=ru]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[1724] User DN = [CN=Тест,OU=Staff,DC=ovk,DC=ru]
[1724] Talking to Active Directory server 132.147.160.23
[1724] Reading password policy for test, dn:CN=Тест,OU=Staff,DC=ovk,DC=ru
[1724] Read bad password count 0
[1724] Binding as test
[1724] Performing Simple authentication for test to 132.147.160.23
[1724] Processing LDAP response for user test
[1724] Message (test):
[1724] Authentication successful for test to 132.147.160.23
[1724] Retrieved User Attributes:
[1724] objectClass: value = top
[1724] objectClass: value = person
[1724] objectClass: value = organizationalPerson
[1724] objectClass: value = user
[1724] cn: value = ........
[1724] sn: value = ........
[1724] description: value = ................ ............
[1724] givenName: value = ........
[1724] distinguishedName: value = CN=........,OU=Staff,DC=ovk,DC=ru
[1724] instanceType: value = 4
[1724] whenCreated: value = 20061024085834.0Z
[1724] whenChanged: value = 20150413091831.0Z
[1724] displayName: value = ........
[1724] uSNCreated: value = 24618
[1724] memberOf: value = CN=vpnusers,OU=Staff,DC=ovk,DC=ru
[1724] mapped to IETF-Radius-Class: value = CN=vpnusers,OU=Staff,DC=ovk,DC=ru
[1724] mapped to LDAP-Class: value = CN=vpnusers,OU=Staff,DC=ovk,DC=ru
[1724] uSNChanged: value = 19742125
[1724] name: value = ........
[1724] objectGUID: value = K_f;...O...8.g.j
[1724] userAccountControl: value = 66048
[1724] badPwdCount: value = 0
[1724] codePage: value = 0
[1724] countryCode: value = 0
[1724] badPasswordTime: value = 130733799520846615
[1724] lastLogoff: value = 0
[1724] lastLogon: value = 130734513764171744
[1724] pwdLastSet: value = 130564349254352636
[1724] primaryGroupID: value = 513
[1724] userParameters: value = m: d.
[1724] objectSid: value = ............h..P.v.....bp...
[1724] adminCount: value = 1
[1724] accountExpires: value = 9223372036854775807
[1724] logonCount: value = 7098
[1724] sAMAccountName: value = test
[1724] sAMAccountType: value = 805306368
[1724] userPrincipalName: value = test@ovk.ru
[1724] lockoutTime: value = 0
[1724] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=ovk,DC=ru
[1724] mSMQSignCertificates: value = ....x~UB..lQ.X...sF=Fz.....F...W..7.....0...0............ZU0...*.H.......0t1.0..
[1724] mSMQDigests: value = x~UB..lQ.X...sF=
[1724] msNPAllowDialin: value = FALSE
[1724] dSCorePropagationData: value = 20141003061926.0Z
[1724] dSCorePropagationData: value = 20141003061926.0Z
[1724] dSCorePropagationData: value = 20141003061926.0Z
[1724] dSCorePropagationData: value = 20140414035436.0Z
[1724] dSCorePropagationData: value = 16010108151056.0Z
[1724] lastLogonTimestamp: value = 130733902970409039
[1724] mail: value = test@ovk.ru
[1724] Fiber exit Tx=544 bytes Rx=3541 bytes, status=1
[1724] Session End
Пробовал менять map-name memberOf IETF-Radius-Class на map-name memberOf Group-Policy
результат также отрицательный.
Прошу помощи коллективного разума :)
Версия для распечатки
cisco asa vpn + ldap, 
gav21, 15-Апр-15, 05:05 [смотреть все]
