We have a pair of ASA 5510s (8.4.3) on which we use LDAP authentication for VPN and SSH access. On all of our Catalyst switches, which use RADIUS, we're able to set the shell:priv-lvl to 15 in the RADIUS config (2008R2 NPS). However, the best I can find on the ASAs, including in all the Cisco docs, is to abuse some other field, such as title or company, by sticking "15" into it and mapping that to the Privilege-Level RADIUS attribute in the AAA config. What I really want to do is assign anyone in an AD group L15 privs on the ASAs without having to type in a shared password. Anyone know if there's a way to do this?
Asked
Active
Viewed 2,471 times
4
-
2At first read, you want to eliminate the enable password? Is that right? If not, please clarify. I'm unsure what you mean by "shared password". – orbistechnology Oct 18 '12 at 00:37
-
Can you clarify your question, please? As it's written now, I don't understand what you're asking. – Martijn Heemels May 02 '13 at 13:34
-
Have you considered using TACACS instead of LDAP? TACACS will allow you to restrict level 15 membership to AD security group, provides AD integrated authentication, and does not require you to edit fields in AD. – user5870571 Aug 21 '16 at 21:37
1 Answers
1
If you do not mind using LDAP you can do exactly what you need without changing anything on the server infrastructure.
The way that we do ASA LDAP integration is to us the memberOf LDAP attribute to trigger a match on the value we want to edit. For cli AAA you can configure the following attribute map:
ldap attribute-map NetworkAdministrators
map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=NetAdmins,OU=Security,DC=mycompany,DC=local" 6
This sets the service-type to 6 (admin) for any users that log in and match that group. Next define a new AAA Server Group to use just for device administration, you do not want to break your attribute-maps for vpn users.
aaa-server networkers-auth protocol ldap
Now create a server entry for your LDAP server, this can be to the same server that you use for VPN or other LDAP functions.
aaa-server networkers-auth (inside_interface) host 10.1.1.1
ldap-base-dn DC=netgain,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=asa2ldap,cn=users,DC=mycompany,DC=local
server-type microsoft
ldap-attribute-map NetworkAdministrators
The last line ldap-attribute-map NetworkAdministrators is what associates the ldap-map to your authentication server.
Finally lets bring all the work together and apply it to the ASA AAA section:
aaa authentication ssh console networkers-auth LOCAL
aaa authentication enable console networkers-auth LOCAL
aaa authorization exec authentication-server
So to test you can no ssh to your ASA and user your LDAP user, you should then be able to get logged in without issue. Now when you enter enable mode you will get prompted for a password. You will then use your unique LDAP password for authentication.
Please test this completely on your equipment, because if improperly configured on your ASA could let any LDAP user admin privileges on your ASA.
bluedogs
- 426
- 3
- 4