Showing posts with label ASA. Show all posts

Friday, June 17, 2011

Use LDAP Authentication to Assign a Group Policy at Login

Finally, after some head scratching, it worked! Now I can permit only AD users who belong to
a certain AD group to connect to our ASA through the AnyConnect client.

If you have done some research already, you probably know about steps 1 and 2, but
what actually makes it work is step 3!

Step 1: Define your AD server and your connection profile; this is explained here:

http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx

Step 2: The memberOf attribute is mapped to IETF-Radius-Class by the configured LDAP attribute map:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Note: This part needs to be done in the CLI:

ciscoasa(config)#ldap attribute-map CISCOMAP
ciscoasa(config-ldap-attribute-map)#map-name memberOf IETF-Radius-Class
ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,DC=yourplace,DC=com ExamplePolicy1

Now you can do the rest in ASDM.


Step 3: The LDAP attribute map created in the previous steps only binds the group-policy to the user. If you want to restrict access, you need DAP (Dynamic Access Policy).

http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml


So now you just need to create a DAP policy that rejects users who land in this connection profile
but are not part of the AD group:

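The three steps assembled into one ASA configuration, as an added example rather than the post's own config. CISCOMAP, the Employees DN and ExamplePolicy1 come from the post; the server group name AD-LDAP, the host 192.0.2.10, the bind DN, the tunnel-group name ANYCONNECT-EMPLOYEES and the DAP record name DENY-NOT-EMPLOYEE are placeholders. The attribute map has to exist before the aaa-server host references it, so it comes first. Only the action part of a DAP record is visible in the CLI; its selection criteria (the connection profile and the ldap.memberOf AAA attribute) are set in ASDM, as the post describes.

```cisco
! Added example, not the post's configuration. Placeholders: AD-LDAP,
! 192.0.2.10, the bind DN, ANYCONNECT-EMPLOYEES, DENY-NOT-EMPLOYEE.
!
! --- Step 2 first: members of the Employees group get ExamplePolicy1.
!     Anyone else keeps the tunnel-group default policy, which is why
!     step 3 is still needed to deny them.
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=Employees,CN=Users,DC=yourplace,DC=com ExamplePolicy1
!
! --- Step 1: LDAP server group pointing at the domain controller
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=yourplace,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=yourplace,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map CISCOMAP
!
group-policy ExamplePolicy1 internal
group-policy ExamplePolicy1 attributes
 vpn-tunnel-protocol ssl-client
!
! --- Connection profile used by the AnyConnect clients
tunnel-group ANYCONNECT-EMPLOYEES type remote-access
tunnel-group ANYCONNECT-EMPLOYEES general-attributes
 authentication-server-group AD-LDAP
 default-group-policy DfltGrpPolicy
!
! --- Step 3: DAP record that terminates the session. In ASDM its
!     selection criteria are: connection profile = ANYCONNECT-EMPLOYEES
!     and AAA attribute ldap.memberOf not matching the Employees DN.
dynamic-access-policy-record DENY-NOT-EMPLOYEE
 user-message "Your account is not a member of the Employees group."
 action terminate
 priority 10
```

After the change, one test login as an Employees member and one as a non-member, with the debugs listed under Troubleshooting enabled, shows which DAP record was selected and which class value the attribute map returned.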
Troubleshooting:

debug dap trace
debug ldap 255

Tuesday, April 12, 2011

Finally Working GNS3 ASA/ASDM6.31 on Ubuntu 10 & 11

I was struggling to tftp the asdm-631.bin file to a running ASA and kept getting an error message
right after uploading 2MB! So I found a way to transfer it offline.

On your machine that runs GNS3,

$ sudo -i

Find the GNS3 tmp directory for your ASA and turn off ASA1 (I assume you are working on ASA1):

# cd /opt/GNS3/tmp/ASA1
# rename/delete the current FLASH (you will lose all the modifications!)
# qemu-img create FLASH 256M

# qemu-img info /opt/GNS3/tmp/ASA1/FLASH

Turn it on and let the FLASH get initialized and then turn it back off.

# losetup /dev/loop0 FLASH
# kpartx -av /dev/loop0
# ls -alF /dev/mapper/
# mkdir test
# mount /dev/mapper/loop0p1 test/
# cp /root/asdm-631.bin test/lina-data/1/soft/
# umount test/
# sync
# kpartx -d /dev/loop0
# losetup /dev/loop0 -d

Start ASA1; you should now see the ASDM file on your flash
and can configure your ASA for ASDM access.
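The same mount, copy, unmount sequence wrapped in a POSIX shell function, as an added example rather than the post's own commands. It assumes the initialised FLASH image and the partition layout shown above (partition 1 mapped to /dev/mapper/loop0p1, with lina-data/1/soft/ inside) and adds what the bare command list lacks: argument checks, and a cleanup trap so the loop device and device-mapper entries are released even when a step fails. DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): copy an ASDM image into a
# GNS3 QEMU FLASH disk image offline, releasing the loop device on failure.
# Assumes the FLASH image was created with qemu-img and initialised once by
# the ASA, so that partition 1 holds the lina-data/1/soft/ tree.
set -eu

# run CMD...: execute a privileged command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# release_flash: undo the mount and the loop/device-mapper setup; safe to
# call twice, so it serves both the normal path and the error trap
release_flash() {
    run umount "$mnt" 2>/dev/null || true
    run kpartx -d "$loopdev" 2>/dev/null || true
    run losetup -d "$loopdev" 2>/dev/null || true
    rmdir "$mnt" 2>/dev/null || true
}

# inject_asdm FLASH_IMAGE ASDM_FILE [LOOPDEV]
# returns 0 on success, 1 if an input is missing or we are not root
inject_asdm() {
    flash=$1
    asdm=$2
    loopdev=${3:-/dev/loop0}
    part="/dev/mapper/$(basename "$loopdev")p1"   # kpartx naming, e.g. loop0p1

    [ -f "$flash" ] || { echo "FLASH image not found: $flash" >&2; return 1; }
    [ -f "$asdm" ]  || { echo "ASDM file not found: $asdm" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "losetup/kpartx/mount need root; re-run with sudo" >&2
        return 1
    fi

    mnt=$(mktemp -d)
    # Without this trap a failed mount or cp leaves /dev/loop0 attached and
    # the next attempt fails with "device or resource busy".
    trap release_flash EXIT INT TERM

    run losetup "$loopdev" "$flash"
    run kpartx -av "$loopdev"
    run mount "$part" "$mnt"
    run cp "$asdm" "$mnt/lina-data/1/soft/"
    run sync

    release_flash
    trap - EXIT INT TERM
    echo "copied $(basename "$asdm") into $flash"
}

# Usage (as root, with ASA1 powered off in GNS3):
#   inject_asdm /opt/GNS3/tmp/ASA1/FLASH /root/asdm-631.bin
```

Run it once with DRY_RUN=1 first to see the exact losetup, kpartx and mount commands it will issue for your paths; the loop device can be changed through the optional third argument if /dev/loop0 is already in use.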



Ref:
------------------------------------------------------------------------------------------------------
http://goo.gl/1I1rA (mount a qemu image)
http://goo.gl/C6JcS (how to emulate ASA8.0(2) without proxy!)
http://goo.gl/c3aRl (patch compile qemu0.13+UDP patch)
http://goo.gl/90STb (recompile kernel / set HZ=1000)

Original Issue:
------------------------------------------------------------------------------------------------------
Accessing tftp://10.10.10.1/asdm631.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm631.bin...
Losing too many ticks!
TSC cannot be used as a timesource.
Possible reasons for this are:
You're running with Speedstep,
You don't have DMA enabled for your hard disk (see hdparm),
Incorrect TSC synchronization on an SMP system (see dmesg).
Falling back to a sane timesource now.