Wednesday, May 7, 2008

Cisco ASA SSL VPN LDAP Attribute Maps

by Mark Lambiase, MultiFactor Corp

VPNs are an important part of the business landscape, securely extending resources and information to people outside of the corporate network. Within an organization, though, there are often different classes of users that require access to different resources or should be granted different levels of access. In itself this is not difficult to do, but there are tools available to reduce the administrative overhead of creating a network that grants different permissions to different groups. LDAP Attribute Maps are a great way to extend a resource many companies already maintain, Windows® Active Directory, to control permissions granted by the Cisco® ASA 8.x SSL VPN.

LDAP attributes are fields of data associated with a user record in an LDAP database. The data can be almost anything, but in Windows Active Directory there are numerous pre-defined fields. Two examples are group membership and the framed-ip-address.

Almost any field in an LDAP user record can be leveraged by the Cisco® SSL VPN.

We are going to introduce LDAP attribute mapping by describing how to configure group mappings, and assigning a framed-ip-address to a user.

Mapping an AD Group to a Group Policy

Many organizations make use of group membership in Active Directory for various purposes. Extending these existing groups to secure remote access makes sense. With the Cisco SSL VPN on ASA 8.x+ this provides a variety of benefits. Groups can be presented group-specific bookmarks in the portal, they can be assigned different IP address pools for the AnyConnect client, and different SSL VPN functions can be controlled based on Active Directory group membership.

There are a few things to note before applying group mappings based on LDAP membership. Permissions for an active session are built up in layers. First, a default Group Policy is applied based on the Connection Profile that is assigned to the session. Next, Group Policy Mappings assign additional rules or functions. Group Policies are containers for numerous settings; each setting can be set explicitly, or left to inherit its value from the default policy. A third tool available in the SSL VPN is Dynamic Access Policies, which can also assign functionality to a session based on various AAA and endpoint attributes, but that is outside the scope of this document.

LDAP Attribute Maps are created in the ASA, and then applied to servers in AAA Server Groups.

To create the LDAP Attribute Map in ASDM navigate to Remote Access VPN > AAA Setup > LDAP Attribute Map. Once there you can Add, Edit and Delete the maps.

The screen-shot below shows an LDAP Attribute Map with two elements: the group mapping and the framed-ip-address:

In order to map AD groups to ASA SSL VPN Group Policies we will need to know several things:

- The AD group name

- The SSL VPN Group Policy name

- The LDAP attribute name

- The Cisco attribute name

We will use, as an example, a VPN Group Policy named Group-Policy-Engineering and an AD group of Engineering.

The LDAP attribute name is a little tricky. It may take some research to find exactly what the name of the field is that you wish to apply to settings on sessions in your SSL VPN. The groups associated with an account in AD are enumerated as a value in a

field, though, so you won't need to go looking for this one. Note that the field name is case-sensitive and MUST be entered with the capital 'O'.

Additionally, you have to know what this maps to on the Cisco side. Groups are defined for the VPN as

. There are many names to bind to on the Cisco side, as you will see from the drop-down menu when configuring your mapping.

Once you have set up the Customer Name and the Cisco Name click on the 'Add' button.

Next we will need to map the LDAP value Engineering to the Cisco value Group-Policy-Engineering. This is done by going to the Map Value tab shown in the screen-shot above, and adding the Map Value.

You can add as many Map Values as you like, but not all of them can be applied to a single session. Only one Group Policy can be assigned to each VPN session. This means that if a user is a member of multiple AD groups that have mappings defined, only one mapping can be applied, and it works on a first-match basis. When a user authenticates to the ASA with AAA LDAP, the ASA pulls the entire user profile from the LDAP server. You can see all of the values available to the ASA by issuing the command 'debug ldap 255' at the command line on the ASA, and you will note that AD supplies group membership in alphabetical order. The practical consequence is that when a user belongs to two mapped groups, the group whose name sorts first alphabetically decides the Group Policy.

The final step in mapping AD groups to VPN Group Policies is to bind the LDAP Attribute Map to the AAA Server. In ASDM navigate to Remote Access VPN > AAA Setup > AAA Server Groups (or Device Management > Users/AAA > AAA Server Groups) and choose the AAA Server Group that you have configured for LDAP authentication.

Next you will have to edit each server in the AAA Server Group and apply the LDAP Attribute Map:

Configuring Framed-IP Address Mappings

A framed-IP-address is an IP address that is configured in the AAA server and bound to a specific user. This can be a useful way to limit access for users via IP address based rules throughout the network, using firewalls, router ACLs, or other means. You can either allow more access to the framed-ip-address than to other users assigned the same Group Policy, or you can create stricter controls and limits based on the framed-ip-address. It also provides a method of creating a discrete audit trail, knowing that certain users will always be assigned a certain IP address.

First, a few things to note about using framed-ip-addresses.

Since you can only frame one IP address per user account, you should limit the number of simultaneous logins in the Group Policy to 1. The ASA will not assign the same IP address to multiple clients, and will fall back to the assigned pool if the user attempts to create multiple sessions. This defeats the purpose of the framed-ip-address. Or, if you do not have a pool available, the second session will not log in; but if that is your goal you might as well configure it explicitly with the simultaneous logins option.

The LDAP Attribute Map is configured the same way as the group mapping described above. The Customer Name

is mapped to the Cisco name

This time, however, we are not going to create Map Values. What would be the purpose of having to define every IP address that we assign in an LDAP profile to the same IP address in the mapping? Seems like it would be kind of labor intensive, and not a very good way to do things. Without a mapping defined the ASA will accept the original value from the LDAP server and apply it to the Cisco Name, so it is essentially a 1-to-1 mapping of the original value.

To apply the IP address mapping to sessions the mapping must first be applied to the AAA server, as described earlier. You will note that only one LDAP Attribute Map can be applied to each server. In our example we can create a map that contains both the group mapping and the framed-ip-address mapping.

One additional step is necessary for the framed-ip-address, though.

Address assignment is a function of the Connection Profile. So far we have spent time talking about Group Policies. The profile is the container for the group policy. The screen-shot below shows the Client Addressing configuration for assigning an IP address from the AAA server:

Note: Framed IP addresses in LDAP are affected by a bug in versions prior to 8.0(3)6 which does not allow the first bit of an IP address to be set. This means that framed IP addresses above 127.x.x.x will not work. The 8.0(3)6 interim release of ASA code is available for download from CCO, so this bug can be avoided by upgrading. Another option is to choose addresses that begin with a value lower than 127, such as the 10.x.x.x range.
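To make the first-match behaviour and the framed-ip-address pass-through described above concrete, here is a small Python simulation. It is an added example, not code from the article or from Cisco: it resolves a Group Policy from a user's group DNs the way the ASA applies Map Values (first match, in the alphabetical order AD returns groups), passes a framed-ip-address through 1-to-1 when no Map Value is defined, and flags addresses that fall under the pre-8.0(3)6 first-bit bug. The DNs, the sample user and the Group-Policy-Contractors mapping are constructed for the example.

```python
from ipaddress import IPv4Address

# Map Values as configured on the ASA for the group mapping: LDAP value -> Cisco value.
# Constructed sample mapping; only the Engineering entry appears in the article.
GROUP_MAP_VALUES = {
    "Contractors": "Group-Policy-Contractors",
    "Engineering": "Group-Policy-Engineering",
}


def cn_of(dn):
    """Return the CN (the AD group name) from a group DN such as
    'CN=Engineering,OU=Groups,DC=example,DC=com'."""
    rdn = dn.split(",", 1)[0]
    attr, sep, value = rdn.partition("=")
    if not sep or attr.strip().upper() != "CN":
        raise ValueError("group DN does not start with a CN: %r" % dn)
    return value.strip()


def matching_policies(group_dns, map_values=GROUP_MAP_VALUES):
    """Every Group Policy the user's groups map to, in the order the LDAP
    server returned the groups (AD returns them alphabetically). More than
    one entry means the user's policy depends on group-name ordering."""
    return [map_values[cn_of(dn)] for dn in group_dns if cn_of(dn) in map_values]


def resolve_group_policy(group_dns, map_values=GROUP_MAP_VALUES):
    """First match wins, as the ASA applies Map Values. Returns None when no
    group matches, i.e. the session keeps the Connection Profile's default."""
    matches = matching_policies(group_dns, map_values)
    return matches[0] if matches else None


def resolve_framed_ip(ldap_value, map_values=None):
    """With no Map Values defined the LDAP value is applied 1-to-1.
    Raises ValueError if the attribute does not hold a valid IPv4 address."""
    value = (map_values or {}).get(ldap_value, ldap_value)
    return IPv4Address(value)


def hit_by_high_bit_bug(ip):
    """True when the first bit is set (address above 127.x.x.x), which the
    article notes does not work on ASA code prior to 8.0(3)6."""
    return int(IPv4Address(ip)) >> 31 == 1


# Constructed sample: a user in both mapped groups. AD lists the groups
# alphabetically, so Contractors is matched first and Engineering never applies.
SAMPLE_USER_GROUPS = [
    "CN=Contractors,OU=Groups,DC=example,DC=com",
    "CN=Engineering,OU=Groups,DC=example,DC=com",
]
```

Running `matching_policies` over the group DNs seen in 'debug ldap 255' output for each user is a quick way to find accounts whose effective policy depends on alphabetical ordering rather than intent.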

LDAP Attribute Maps and SecureAuth

LDAP Attribute Maps are a great way to extend the value of the SSL VPN to your users and customers. Each group can be presented with the specific resources and level of access they require, without a lot of additional administration. Since all of the user and group attributes are maintained in a single central repository, the LDAP (in this case AD) database, multiple database entries do not have to be managed for each user.

SecureAuth, MultiFactor Corp's premier certificate enrollment and distribution product, integrates tightly with the Cisco ASA SSL VPN, complementing the traditional values of SSL VPN: ease of use, lower total cost of ownership, and reduced maintenance and administration. SecureAuth, in our example, would leverage the same backend LDAP database, and once installed requires little or no maintenance.

Additionally, the SecureAuth integration makes use of certificate-to-Connection-Profile mappings. This means that a base set of access rules can be created in a Group Policy, and the access policy assigned to the user session can be built up on a per-group basis through the use of LDAP Attribute Maps leveraging AD group membership.

Other references:

Joe Harris has a command line guide at

Copyright 2008. MultiFactor Corporation. All Rights Reserved.