Cisco ASA DAP rule and LDAP.memberOf attribute is not recognized


I am in charge of setting up a Cisco ASA 5xxx firewall with an OpenLDAP server for VPN authentication. Everything is working fine so far.

However, I am trying to check the "memberOf" property of the user to decide whether he is allowed to connect to a connection profile tunnel. In fact, I have a few connection profiles and I want to prevent users from accessing all of them. Depending on the memberOf value, I want to allow or deny the user access to the tunnel. So I started to use a DAP rule to check the memberOf LDAP attribute of the user being authenticated. This memberOf is an overlay in my OpenLDAP server, and there are as many memberOf attributes as groups.

I am able to filter a rule based on "ldap.uid" and deny access depending on the user name. If I try to filter with "ldap.memberOf" it no longer works. It's like the Cisco DAP rule does not recognize this specific attribute or its value. I do not understand why :/. This attribute is of the form: "cn=myGroup,ou=Groups,dc=xxxx,dc=yyyy". I have literally copied and pasted the value into my firewall's DAP rule.

I use ASDM for managing the firewall and I'm not familiar with the command line for it...

If someone has an idea to make it work with "memberOf", I would be very grateful :D

Thank you in advance


There are 1 answers

leo

OK, I figured out the solution:

Since memberOf is considered optional, it is not returned in response to the Cisco ASA's request. For example, if I use the attribute "description" as the connection profile filter, it is returned to the ASA (as in ldapsearch) and it will work. This description attribute can be used multiple times and can serve as a quick fix. However, it is better to create a custom objectClass for the users, with custom attributes, ensuring it is returned by the LDAP server (without the '+' option of ldapsearch).

Maybe I am not clear in my answer as it is really specific. If one of you guys needs help on that, I can help by detailing my answer :-)
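The answer's point is easy to reproduce without a firewall: in OpenLDAP the memberof overlay maintains memberOf as an operational attribute, and an LDAP search only returns operational attributes when they are requested by name or with the `+` selector (RFC 4511 and RFC 3673), so a rule that compares `ldap.memberOf` never sees a value and silently fails, while an ordinary user attribute such as `description` comes back with a plain search. The script below is an added example, not code from the question or the answer; it models the LDAP attribute-selection rule and a DAP-style `ldap.<attribute> = value` comparison in plain Python rather than talking to a directory or an ASA. The `example.com` entry, the group DNs and the custom attribute name `vpnProfile` are constructed for the example.

```python
from copy import deepcopy

# Constructed sample user entry (not from the question). In OpenLDAP the
# memberof overlay maintains memberOf as an operational attribute, so a
# plain search returns only the user attributes (uid, description, ...).
USER_ENTRY = {
    "uid": ["jdoe"],
    "description": ["cn=vpn-admins,ou=Groups,dc=example,dc=com"],
    "memberOf": [
        "cn=vpn-admins,ou=Groups,dc=example,dc=com",
        "cn=staff,ou=Groups,dc=example,dc=com",
    ],
}
OPERATIONAL_ATTRS = {"memberof"}  # attribute names compare case-insensitively in LDAP


def search_attributes(entry, requested=()):
    """Model the attribute-selection rules of an LDAP search (RFC 4511, RFC 3673):
    an empty list or '*' selects all user attributes, '+' selects all operational
    attributes, and an attribute named explicitly is returned even if operational."""
    requested = [r.lower() for r in requested]
    want_user = not requested or "*" in requested
    want_oper = "+" in requested
    result = {}
    for name, values in entry.items():
        is_oper = name.lower() in OPERATIONAL_ATTRS
        if name.lower() in requested or (is_oper and want_oper) or (not is_oper and want_user):
            result[name] = list(values)
    return result


def normalize_dn(dn):
    """Canonicalise a DN for comparison: attribute types in a DN are
    case-insensitive and whitespace around the commas is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dap_rule_matches(returned_attrs, attr, expected_value):
    """Model a DAP 'ldap.<attr> = value' check: the rule can only inspect what
    the LDAP server actually returned for the authenticating user."""
    for name, values in returned_attrs.items():
        if name.lower() == attr.lower():
            return any(normalize_dn(v) == normalize_dn(expected_value) for v in values)
    return False  # attribute never arrived, so the rule cannot match


def main():
    group = "cn=vpn-admins,ou=Groups,dc=example,dc=com"
    # 1. Plain search: memberOf is absent, so the memberOf rule fails.
    default = search_attributes(USER_ENTRY)
    print("plain search returns:", sorted(default))
    print("ldap.memberOf rule:", dap_rule_matches(default, "memberOf", group))
    # 2. The answer's quick fix: description is a user attribute and is returned.
    print("ldap.description rule:", dap_rule_matches(default, "description", group))
    # 3. Requesting memberOf by name (as ldapsearch does with '+') does return it.
    explicit = search_attributes(USER_ENTRY, ["*", "memberOf"])
    print("explicit memberOf request:", dap_rule_matches(explicit, "memberOf", group))
    # 4. The answer's preferred fix: a custom user attribute from a custom
    #    objectClass (hypothetical name vpnProfile) comes back with a plain search.
    entry = deepcopy(USER_ENTRY)
    entry["vpnProfile"] = ["admins"]
    print("custom attribute rule:", dap_rule_matches(search_attributes(entry), "vpnProfile", "admins"))


if __name__ == "__main__":
    main()
```

The practical check this suggests is to run `ldapsearch` against the directory with the same bind identity the ASA uses, once without `+` and once with it: if memberOf only appears in the second run, a DAP rule on it has nothing to compare, and the fix is either a user attribute that is always returned or schema that makes the group information a user attribute.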