Trying to authorize Cisco AnyConnect users by using UCS as LDAP server

Hello everybody,

I’m a self-employed cisco engineer and I’m currently implementing a Cisco AnyConnect solution to one of my customers. The customer wants to authenticate against his UCS (AD-)Server using LDAP (as far as I have found out: openLDAP being used in UCS).

I was already able to:

  • Create a user allowed to query the LDAP
  • Authenticate users being stored within the LDAP

Now I’m struggling on how to select special access rights depending on the LDAP group membership. The Cisco ASA usually uses the “memberOf” feature from Microsoft.
I have tried the same configuration with UCS, but debugging the ASA I have found out that there is no “memberOf” information retrieved by querying the ASA.

I have set up a test environment and I can provide you the information sent from UCS server to my test ASA:

[72] Session Start
[72] New request Session, context 0x00007f48b25f69e0, reqType = Authentication
[72] Fiber started
[72] Creating LDAP context with uri=ldap://10.1.1.21:7389
[72] Connect to LDAP server: ldap://10.1.1.21:7389, status = Successful
[72] supportedLDAPVersion: value = 3
[72] Binding as asafirewall
[72] Performing Simple authentication for asafirewall to 10.1.1.21
[72] LDAP Search:
Base DN = [dc=home,dc=emmer,dc=it]
Filter = [uid=meiers]
Scope = [SUBTREE]
[72] User DN = [uid=meiers,cn=users,dc=home,dc=emmer,dc=it]
[72] Server type for 10.1.1.21 unknown - no password policy
[72] Binding as meiers
[72] Performing Simple authentication for meiers to 10.1.1.21
[72] Processing LDAP response for user meiers
[72] Authentication successful for meiers to 10.1.1.21
[72] Retrieved User Attributes:
[72] uid: value = meiers
[72] krb5PrincipalName: value = meiers@HOME.TEST.COM
[72] objectClass: value = krb5KDCEntry
[72] objectClass: value = organizationalPerson
[72] objectClass: value = automount
[72] objectClass: value = top
[72] objectClass: value = inetOrgPerson
[72] objectClass: value = sambaSamAccount
[72] objectClass: value = person
[72] objectClass: value = univentionPWHistory
[72] objectClass: value = shadowAccount
[72] objectClass: value = univentionObject
[72] objectClass: value = univentionMail
[72] objectClass: value = krb5Principal
[72] objectClass: value = posixAccount
[72] uidNumber: value = 2010
[72] sambaAcctFlags: value = [U ]
[72] sambaBadPasswordCount: value = 0
[72] krb5MaxLife: value = 86400
[72] shadowLastChange: value = 18418
[72] cn: value = Sepp Meier
[72] krb5MaxRenew: value = 604800
[72] sambaBadPasswordTime: value = 0
[72] loginShell: value = /bin/bash
[72] univentionObjectType: value = users/user
[72] gidNumber: value = 5001
[72] sambaPrimaryGroupSID: value = S-1-5-21-518492613-3244399625-516087504-513
[72] displayName: value = Sepp Meier
[72] gecos: value = Sepp Meier
[72] sn: value = Meier
[72] homeDirectory: value = /home/meiers
[72] givenName: value = Sepp
[72] sambaSID: value = S-1-5-21-518492613-3244399625-516087504-1114

As you can see, the user “asafirewall” is able to query for the user “meiers” to log in. It retrieves a lot of information, but not the memberOf. And that’s why I cannot create access lists based on the group membership.

Does anyone have a clue on how to get the “memberOf” working between the Cisco ASA and the UCS server?

Thanks a lot in advance for any kind of support which is always much appreciated!

Hi,

In a UCS domain there may be two LDAP servers: OpenLDAP (default) and Samba 4 (additionally).

You get the OpenLDAP memberOf attribute only if it’s requested explicitly. I think the easiest way would be to use the Samba 4 LDAP if available.
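To make the reply's point concrete, here is an added example (not code from the original post, the ASA or UCS): it parses a constructed excerpt of the ASA debug output shown above, confirms that memberOf was not among the returned attributes, builds the attribute list that names memberOf explicitly (on OpenLDAP with the memberof overlay it is an operational attribute, so "*" alone does not return it), and, as a fallback, builds an injection-safe reverse lookup over the group container. The uniqueMember/memberUid attribute names and the policy_map used to pick a VPN group-policy are assumptions, not taken from the thread.

```python
import re

# Constructed excerpt of the ASA "debug ldap" output quoted in the original
# post (same DN and attribute names; trimmed to the lines the parser needs).
SAMPLE_ASA_DEBUG = """\
[72] LDAP Search:
Base DN = [dc=home,dc=emmer,dc=it]
Filter = [uid=meiers]
Scope = [SUBTREE]
[72] User DN = [uid=meiers,cn=users,dc=home,dc=emmer,dc=it]
[72] Authentication successful for meiers to 10.1.1.21
[72] Retrieved User Attributes:
[72] uid: value = meiers
[72] objectClass: value = posixAccount
[72] uidNumber: value = 2010
[72] gidNumber: value = 5001
[72] cn: value = Sepp Meier
"""

USER_DN_RE = re.compile(r"^\[\d+\] User DN = \[(.+)\]$")
ATTR_RE = re.compile(r"^\[\d+\] (\w+): value = (.*)$")


def parse_asa_debug(text):
    """Return (user_dn, {attribute: [values]}) from ASA debug-ldap output."""
    user_dn = None
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        m = USER_DN_RE.match(line)
        if m:
            user_dn = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return user_dn, attrs


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this, a crafted DN or uid could alter the filter (LDAP injection).
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def requested_attributes(extra=("memberOf",)):
    """Attribute list for the user search. '*' returns user attributes only;
    memberOf from OpenLDAP's memberof overlay is operational, so name it."""
    return ["*", *extra]


def membership_lookup(user_dn, attrs):
    """Decide how group membership can be obtained from what the server returned.

    Returns ("memberOf", [group DNs]) when the server sent memberOf, otherwise
    ("reverse-lookup", filter) with a group search filter to run against the
    group container. uniqueMember/memberUid is an assumption about how UCS
    stores group membership in OpenLDAP.
    """
    if attrs.get("memberOf"):
        return "memberOf", list(attrs["memberOf"])
    uid = attrs.get("uid", [""])[0]
    filt = "(&(objectClass=posixGroup)(|(uniqueMember=%s)(memberUid=%s)))" % (
        escape_filter_value(user_dn), escape_filter_value(uid))
    return "reverse-lookup", filt


def group_policy_for(group_dns, policy_map, default="NOACCESS"):
    """Map group DNs to a VPN group-policy name. Unknown groups fall through to
    the restrictive default (deny by default). policy_map is a hypothetical
    mapping maintained by the administrator, keyed by lower-cased DN."""
    for dn in group_dns:
        if dn.lower() in policy_map:
            return policy_map[dn.lower()]
    return default


if __name__ == "__main__":
    dn, attrs = parse_asa_debug(SAMPLE_ASA_DEBUG)
    print("User DN:", dn)
    print("memberOf present:", "memberOf" in attrs)
    print("attributes to request explicitly:", requested_attributes())
    print("membership plan:", membership_lookup(dn, attrs))
```

Once memberOf (or the reverse lookup) yields group DNs, the deny-by-default mapping is the part worth keeping: a user in no recognised group should land in a no-access policy rather than a permissive one. On the ASA side the same mapping is what an `ldap attribute-map` does when it maps memberOf to a group-policy; if the Samba 4 LDAP is used instead, as the reply suggests, memberOf is returned as a regular attribute and the fallback filter is not needed.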