Using Microsoft AD for ASA identity firewall features

Posted: July 25, 2014 in Cisco Security - Firewalls

First, install the Cisco AD Agent on a Windows server and have Microsoft Active Directory up and running. The server that hosts the agent must be a member of the Active Directory domain.
On the AD Agent server (the agent installs under C:\IBF and its command-line tools live in C:\IBF\CLI):

C:\>cd IBF
C:\IBF>cd CLI
C:\IBF\CLI>adactrl.exe show running

Register the ASA as a client of the agent. The -ip value is the ASA interface address the agent will see the RADIUS traffic from, and -secret is the RADIUS shared secret, which must match the key configured on the ASA for this server (use a strong secret; "password" is only a lab placeholder):

C:\IBF\CLI>adacfg client create -name ASA02 -ip 172.16.10.1 -secret password

List or remove registered clients:

C:\IBF\CLI>adacfg client list
C:\IBF\CLI>adacfg client erase -name ACHILE-AD

List or remove the domain controllers the agent monitors (the DC entries were registered beforehand with adacfg dc create, which is not shown here):

C:\IBF\CLI>adacfg dc list
C:\IBF\CLI>adacfg dc erase -name AD-POC

On the ASA, enter the commands below:

object-group user FIREWALL
user cciesecblog\user1
user-group cciesecblog\\ccielab

access-list VLAN19_INBOUND extended permit ip any any
access-list VLAN19_INBOUND extended permit ip object-group-user FIREWALL any any

Note that ACEs are evaluated first-match. With permit ip any any as the first entry, the identity-based ACE for object-group FIREWALL is never reached and the user condition has no effect. Put identity ACEs above any broad permit (or remove the broad permit) so that the user or group match actually decides the outcome.

aaa-server IDENTITY protocol radius
ad-agent-mode

aaa-server IDENTITY (VLAN26) host 172.16.10.100
key password

The key must be identical to the -secret given to adacfg client create on the agent; a mismatch shows up as a failed registration in show user-identity ad-agent.

aaa-server AD-SERVER protocol ldap

aaa-server AD-SERVER (VLAN26) host 172.16.10.200
ldap-base-dn dc=cciesecblog,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password Summer2100!
ldap-login-dn cn=administrator,cn=Users,dc=cciesecblog,dc=com
server-type microsoft

The ASA uses this LDAP bind to import users and groups, so it only needs read access to the directory. Binding as the domain administrator, as in this lab, gives the firewall far more privilege than it needs; use a dedicated read-only account. With the configuration above the bind is a simple bind on port 389, which sends the bind password in cleartext; ldap-over-ssl enable (with server-port 636) protects it.

user-identity domain cciesecblog aaa-server AD-SERVER
user-identity default-domain cciesecblog
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down cciesecblog disable-user-identity-rule

With disable-user-identity-rule, every ACE that references a user or group is disabled while the AD Agent or the domain controller is unreachable, and traffic then falls through to the remaining ACEs. Whether that is fail-open or fail-closed depends entirely on what those remaining ACEs say, so check the access list with that outage in mind.
user-identity inactive-user-timer minutes 30
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server IDENTITY
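The following is an added example and not code from the original post: a minimal first-match evaluator for the VLAN19_INBOUND access list above, used to show why the order of its two ACEs matters and what the identity condition does once it is reachable. The ACE structure, the sample packets, the AD group membership and every IP-to-user mapping other than 136.1.27.150 (which the post shows for user1) are constructed for this example; it models only single-address or any sources and destinations.

```python
"""Added example, not code from the original post: a minimal first-match
evaluator for the VLAN19_INBOUND access list shown above, used to show
why the order of the two ACEs matters.  ACE structure, sample packets,
group membership and all IP-to-user mappings except 136.1.27.150 are
constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    user_group: Optional[str]  # name of an object-group user, None = any source user
    src: str                   # "any" or a single IPv4 address
    dst: str                   # "any" or a single IPv4 address


# object-group user FIREWALL from the post: user1 plus the ccielab group
USER_GROUPS = {"FIREWALL": {"cciesecblog\\user1", "cciesecblog\\\\ccielab"}}
# AD group membership (constructed): user2 is a member of ccielab
GROUP_MEMBERS = {"cciesecblog\\\\ccielab": {"cciesecblog\\user2"}}
# IP-to-user mappings as the AD Agent would deliver them; 136.1.27.150 is
# the user1 mapping from the post, the other two are constructed
IP_USER = {
    "136.1.27.150": "cciesecblog\\user1",
    "136.1.27.151": "cciesecblog\\user2",
    "136.1.27.152": "cciesecblog\\guest",
}


def user_in_group(group: str, user: Optional[str]) -> bool:
    """True if the mapped user is in the object-group directly or via an AD group."""
    if user is None:            # source IP has no identity mapping at all
        return False
    members = USER_GROUPS[group]
    if user in members:
        return True
    return any(user in GROUP_MEMBERS.get(m, set()) for m in members)


def covers(pattern: str, value: str) -> bool:
    """An address pattern matches a value if it is 'any' or exactly equal."""
    return pattern == "any" or pattern == value


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of the matching ACE), or
    ("deny", None) for the implicit deny at the end of every ASA access list."""
    user = IP_USER.get(src_ip)
    for i, ace in enumerate(acl):
        if not (covers(ace.src, src_ip) and covers(ace.dst, dst_ip)):
            continue
        if ace.user_group is not None and not user_in_group(ace.user_group, user):
            continue
        return ace.action, i
    return "deny", None


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE already
    matches every packet they would match (same or wider addresses and
    either no user condition or the same object-group)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            same_or_wider_user = earlier.user_group in (None, later.user_group)
            if same_or_wider_user and covers(earlier.src, later.src) and covers(earlier.dst, later.dst):
                out.append(j)
                break
    return out


# The access list exactly as it appears in the post: broad permit first
AS_POSTED = [
    Ace("permit", None, "any", "any"),
    Ace("permit", "FIREWALL", "any", "any"),
]
# Identity ACE first, then an explicit catch-all so the user condition decides
CORRECTED = [
    Ace("permit", "FIREWALL", "any", "any"),
    Ace("deny", None, "any", "any"),
]

if __name__ == "__main__":
    print("shadowed ACEs as posted:", shadowed(AS_POSTED))   # [1]
    for ip, who in IP_USER.items():
        print(ip, who, "as posted:", evaluate(AS_POSTED, ip, "10.1.1.1"),
              "corrected:", evaluate(CORRECTED, ip, "10.1.1.1"))
```

As posted, every source is permitted by the first ACE and the FIREWALL entry is dead; in the corrected order user1 and the ccielab member are permitted, while an unmapped or non-member source falls to the explicit deny. The same check is worth re-running with the identity ACEs disabled, which is what the ad-agent-down action does during an agent outage.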

~~~~~~~~~~~~~~

ASA02-5510(config)# test aaa-server ad-agent IDENTITY
Server IP Address or name: 172.16.10.100
INFO: Attempting Ad-agent test to IP address <172.16.10.100> (timeout: 12 seconds)
INFO: Ad-agent Successful
ASA02-5510(config)#

ASA02-5510(config)# show user-identity ad-agent
Primary AD Agent:
Status                    up (registered)
Mode:                     full-download
IP address:               172.16.10.100
Authentication port:      udp/1645
Accounting port:          udp/1646
ASA listening port:       udp/3799
Interface:                VLAN26
Up time:                  39 secs
Average RTT:              0 msec

AD Domain Status:
Domain CCIESECBLOG:       up
ASA02-5510(config)#

ASA02-5510(config)# debug ldap 255
debug ldap  enabled at level 255

ASA02-5510(config)# logging console 7

ASA02-5510(config)# show user-identity ad-groups cciesecblog

[25] Session Start
[25] New request Session, context 0xac3d1014, reqType = Unknown
[25] Fiber started
[25] Creating LDAP context with uri=ldap://172.16.10.200:389
[25] Connect to LDAP server: ldap://172.16.10.200:389, status = Successful
[25] supportedLDAPVersion: value = 3
[25] supportedLDAPVersion: value = 2
[25] Binding as ldapuser
[25] Performing Simple authentication for ldapuser to 172.16.10.200
[25] Simple authentication for ldapuser returned code (49) Invalid credentials
[25] Failed to bind as administrator returned code (-1) Can’t contact LDAP server
[25] Fiber exit Tx=212 bytes Rx=608 bytes, status=-2
[25] Session End

The TCP connection to 172.16.10.200:389 succeeded (status = Successful), so the failure here is not reachability. LDAP result code 49 (invalidCredentials) means the server rejected the simple bind, which points at the ldap-login-dn or ldap-login-password in the AD-SERVER group; the later "(-1) Can't contact LDAP server" is the ASA giving up after that rejected bind. Until the bind works, the ad-users and ad-groups queries and the hourly group import cannot succeed.

ASA02-5510# sh user-identity ip-of-user user1
cciesecblog\136.1.27.150 (Login)
ASA02-5510#

ASA02-5510# show user-identity user active user cciesecblog\user1 list detail
cciesecblog\user1: 26 active conns; idle 0 mins
136.1.27.150: login 0 mins, idle 0 mins, 26 active conns
ASA02-5510#

ASA02-5510# sh conn user cciesecblog\user1
27 in use, 40 most used
UDP VLAN26 172.16.10.200:53 VLAN19 (cciesecblog\user1)136.1.27.150:1025, idle 0:00:00, bytes 220, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1083, idle 0:00:31, bytes 347, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1080, idle 0:00:37, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1075, idle 0:00:38, bytes 2804, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1064, idle 0:00:56, bytes 347, flags -
UDP VLAN26 172.16.10.200:138 VLAN19 (cciesecblog\user1)136.1.27.150:138, idle 0:00:56, bytes 177, flags -
UDP VLAN26 172.16.10.200:137 VLAN19 (cciesecblog\user1)136.1.27.150:137, idle 0:00:56, bytes 243, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1062, idle 0:01:06, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1060, idle 0:01:06, bytes 2763, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1059, idle 0:01:10, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1055, idle 0:01:11, bytes 2763, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1054, idle 0:01:11, bytes 2763, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1052, idle 0:01:11, bytes 2760, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1050, idle 0:01:11, bytes 402, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1048, idle 0:01:14, bytes 402, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1045, idle 0:01:19, bytes 397, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1044, idle 0:01:27, bytes 2807, flags -
UDP VLAN26 172.16.10.200:123 VLAN19 (cciesecblog\user1)136.1.27.150:123, idle 0:01:28, bytes 136, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1037, idle 0:01:31, bytes 2807, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1036, idle 0:01:31, bytes 2807, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1034, idle 0:01:31, bytes 421, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1027, idle 0:01:32, bytes 438, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1120, idle 0:01:57, bytes 2807, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1119, idle 0:02:00, bytes 347, flags -
TCP VLAN26 172.16.10.200:49155 VLAN19 (cciesecblog\user1) 136.1.27.150:1117, idle 0:02:02, bytes 638, flags UIO
ASA02-5510#
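Once users are mapped, show conn user is the quickest way to see what a given identity is actually doing through the firewall. The following is an added example, not code from the original post: a parser for the show conn user output format above that summarises connections, bytes and destinations per mapped user and flags flows that are not ordinary domain traffic to the DC. SAMPLE consists of lines copied from the output above plus one constructed line (the 10.20.30.40:445 flow); the DC address set and the list of expected AD ports are lab assumptions.

```python
"""Added example, not code from the original post: a parser for the
`show conn user` output above that summarises, per mapped user, how many
connections exist, how many bytes they carried and which destinations and
ports they reach, and flags flows that do not look like ordinary domain
traffic to the DC.  SAMPLE is made of lines copied from the post plus one
constructed line (the 10.20.30.40:445 flow); the DC address and the port
list are assumptions for this lab."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# One connection line: proto, outside if, dst ip:port, inside if, (user) src ip:port, idle, bytes, flags
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+\((?P<user>[^)]+)\)\s*(?P<src_ip>[\d.]+):(?P<src_port>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

# Lab assumptions: the only domain controller, and the ports a workstation
# normally uses towards it (DNS, Kerberos, RPC mapper, NTP, NetBIOS, LDAP,
# SMB, kpasswd, LDAPS, global catalog) plus the dynamic RPC range (49155 above).
DOMAIN_CONTROLLERS = {"172.16.10.200"}
AD_PORTS = {53, 88, 123, 135, 137, 138, 389, 445, 464, 636, 3268, 3269}
RPC_DYNAMIC_START = 49152

# Header line and four flows copied from the post; the last line is constructed.
SAMPLE = r"""
27 in use, 40 most used
UDP VLAN26 172.16.10.200:53 VLAN19 (cciesecblog\user1)136.1.27.150:1025, idle 0:00:00, bytes 220, flags -
UDP VLAN26 172.16.10.200:389 VLAN19 (cciesecblog\user1)136.1.27.150:1083, idle 0:00:31, bytes 347, flags -
UDP VLAN26 172.16.10.200:88 VLAN19 (cciesecblog\user1)136.1.27.150:1075, idle 0:00:38, bytes 2804, flags -
TCP VLAN26 172.16.10.200:49155 VLAN19 (cciesecblog\user1) 136.1.27.150:1117, idle 0:02:02, bytes 638, flags UIO
TCP VLAN26 10.20.30.40:445 VLAN19 (cciesecblog\user1)136.1.27.150:1200, idle 0:00:05, bytes 1500, flags UIO
"""


def idle_seconds(text: str) -> int:
    """Convert the h:mm:ss idle column to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(line: str) -> Optional[dict]:
    """Return a dict for one connection line, or None for headers and unparsable lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("dst_port", "src_port", "bytes"):
        d[k] = int(d[k])
    d["idle_s"] = idle_seconds(d.pop("idle"))
    return d


def parse_all(text: str) -> List[dict]:
    return [c for c in (parse_conn(line) for line in text.splitlines()) if c]


def summarize(text: str) -> Dict[str, dict]:
    """Per user: connection count, total bytes and a Counter of (dst_ip, dst_port)."""
    out = defaultdict(lambda: {"conns": 0, "bytes": 0, "dst": Counter()})
    for c in parse_all(text):
        u = out[c["user"]]
        u["conns"] += 1
        u["bytes"] += c["bytes"]
        u["dst"][(c["dst_ip"], c["dst_port"])] += 1
    return dict(out)


def unexpected_flows(text: str) -> List[Tuple[str, str, int]]:
    """Flows from a mapped user that are not plain domain traffic to a known DC."""
    flagged = []
    for c in parse_all(text):
        to_dc = c["dst_ip"] in DOMAIN_CONTROLLERS
        ad_port = c["dst_port"] in AD_PORTS or c["dst_port"] >= RPC_DYNAMIC_START
        if not (to_dc and ad_port):
            flagged.append((c["user"], c["dst_ip"], c["dst_port"]))
    return flagged


if __name__ == "__main__":
    for user, s in summarize(SAMPLE).items():
        print(user, s["conns"], "conns,", s["bytes"], "bytes,", dict(s["dst"]))
    print("unexpected:", unexpected_flows(SAMPLE))
```

Paste the full output of show conn user into SAMPLE (or read it from a file) to run it against real data; the user string is taken verbatim from the parentheses, so domain\user keys match the names used in object-group user.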

ASA02-5510# show user-identity ad-users cciesecblog filter user1

Domain:cciesecblog      AAA Server Group: AD-SERVER
User list retrieved successfully
Number of Active Directory Users: 1
dn: CN=user1,CN=Users,DC=cciesecblog,DC=com
sAMAccountName: user1

ASA02-5510#

ASA02-5510# sh user-identity ad-groups cciesecblog filter ccielab

Domain:cciesecblog      AAA Server Group: AD-SERVER
Group list retrieved successfully
Number of Active Directory Groups: 1
dn: CN=ccielab,CN=Users,DC=cciesecblog,DC=com
sAMAccountName: ccielab

ASA02-5510#

ASA02-5510# show user-identity ad-groups cciesecblog

Domain:cciesecblog      AAA Server Group: AD-SERVER
Group list retrieved successfully
Number of Active Directory Groups: 38
dn: CN=Administrators,CN=Builtin,DC=cciesecblog,DC=com
sAMAccountName: Administrators
