ASA Local Authentication Using Active Directory

I had a heck of a time figuring out how to set this up. Cisco’s documentation related to LDAP authentication is all over the place and there isn’t one article that describes just this. If you want to use Microsoft Active Directory to authenticate users locally logging in to the ASA and give them privileged exec access based on a Group, here are the steps.

These steps assume you are using ASDM, but I have attached the CLI equivalents as well.

Prep

  • Create a group in Active Directory that will be used to define access to the ASA. I.e. ASA Admins.
  • Create a service account (password not expiring unless you want to change it in AD and your ASA every month) that will be used by the ASA to bind with AD.

Do it

1. Log in to the ASA with ASDM (CLI steps below)

2. Go to Device Management > Users/AAA > AAA Server Groups

ad1

3. Add a AAA Server Group by clicking Add on the top-right

  • Enter a name for the Server Group
  • Pick LDAP as the protocol
  • Enter 1 for the Realm-id
  • Change any other settings as you see fit. The defaults will work.

ad2

4. Left-click the Server Group you just created.

ad3

5. Click Add on the window half way down.

  • Pick the Interface that the ASA will be able to reach your DC’s through
  • Type in the IP address of your domain controller
  • Pick Microsoft as the Server Type
  • The Base DN is your domain suffix, enter that in the format below
  • Depending on the hierarchy of your domain, the scope can be one level or all levels beneath the base DN is required. If you’re not sure, all levels beneath base DN works in most cases, it will just be slower in large domains.
  • The Naming Attribute should be samaccountname
  • The Login DN is the full LDAP attribute value of the service account the ASA will use to bind to LDAP.
    • Where CN is the users account name and OU/CN is the folder the account resides, i.e.: CN=BindAcct,OU=Users,DC=MyDomain,DC=Com
    • NOTE: For Microsoft, the default Users folder is designated by CN=Users, not OU=Users. If you have a separate folder where your service account is stored, it will be likely be designated by OU=Folder. Take a look at the troubleshooting info at the bottom of the article to find out for sure. .

For now the LDAP attribute map drop-box is empty. We will create that in the next step.

asaredo2

6. Expand LDAP Attribute Map and click Add. This is where the magic happens. We will designate the group we want to be admins on the ASA in this section.

  • Name the LDAP Attribute Map
  • Set the LDAP Attribute Name to memberOf
  • Pick IETF-Radius-Service-Type as the Attribute Name
  • Click Add >>

ad5

7. Click the Mapping of Attribute Value tab

  • Enter the “Group” in your LDAP directory that contains the users that you want to have administrative rights to the ASA. Typically it will be in the format below (CN=ASA Admins,CN=Users, DC=Mydomain,DC=com).
  • Set the Cisco Attribute Value to 6
  • Click Add >>

asaredo3

The entry should look like this at the end. Notice the =6 appended to the end.

asaredo4

Note on the Attribute Value:

The Cisco Attribute Value is a Radius association that we will use to map a User Group to a privilege level on the ASA. I opened a ticket with Cisco to try to decipher what these correlate to in terms of privilege values (1-15) and wasn’t able to get anything clear back.

It appears it is something unique to Radius policies that has generically been applied to LDAP/Local policies to expand the functionality of the ASA.

Cisco doesn’t have documentation that makes it clear. i.e. IETF-Radius-Service-Type 6 = ASA Privilege 15. The image below is the best I could find from Cisco. I have only had success with 1 (=1) and 6 (=15), but test different values if you have varying requirements–your results may vary.

ad7

At this point you have an LDAP attribute map. Only one can be applied to a server group at a time. So if you have multiple groups to check, enter them as additional lines in the Attribute Value Mapping section.

ad9

8. Highlight the Server group with the IP of the domain controller, and click Edit

9. For the LDAP Attribute Map, pick the Mapping you just created (Group-Check)

ad10

10. Click Apply in ASDM

CLI Equivalent

  ldap attribute-map Group-Check
    map-name memberOf IETF-Radius-Service-Type
    map-value memberOf "CN=ASA Admins,CN=Users,DC=MyDomain,DC=Com" 6
  aaa-server LDAP (MGMT) host 192.168.10.3
    ldap-base-dn DC=MyDomain,DC=Com
    ldap-login-dn CN=BindAcct,OU=Users,DC=MyDomain,DC=Com
    ldap-login-password **********
    ldap-naming-attribute samaccountname
    server-type microsoft
    ldap-attribute-map Group-Check
  exit

Make it Work

What we have done was simply to create a Server Group and a LDAP Mapping. We need to assign it to a connection type to actually use it.

1. Go to Device Management > Users/AAA > AAA Access

ad11

What we need to do is assign this group to a connection type. I would advise to test one type (i.e. SSH) using LDAP while retaining another (i.e. ASDM) as Local to make sure you have the LDAP properties correct and don’t lose access.

Since we are using ASDM, first enable SSH authentication with LDAP. Enabling this way will give every user in the domain access to the ASA, which we obviously don’t want, but just use this as an initial test. This is how that looks:

ad12

2. Click Apply

CLI Equivalent

aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
aaa authentication ssh console LDAP LOCAL

If you’re able to log-in with AD credentials, now we want to only give members of the IETF-Radius group mapping access to privileged mode. If not, check the LDAP strings (troubleshooting section on the bottom of this article), something is most likely wrong.

  1. Check the Enable box under Require authentication... and pick LDAP from the drop-down.

ad13

Note on LOCAL when group fails:

The ASA won’t warn you from the login-prompt if AD is not working (use local when group fails)—be aware that if you know the DC is down and your AD account is the same as local, enter local ASA password. It would be a good idea to have an ‘admin’ account unique to the ASA that will work when the DC’s are down.

2. Secondly you have to click the Enable box under the Authorization tab for ‘Perform authorization for exec shell access‘. Optionally pick the ‘Allow privileged users to enter into EXEC mode on login‘ to be dropped into privileged exec mode on login if you have access.

ad14

CLI Equivalent:

  aaa authentication enable console LDAP LOCAL
  aaa authentication http console LOCAL
  no aaa authentication ssh console LOCAL
  aaa authentication ssh console LDAP LOCAL
  aaa authorization exec authentication-server

If you are able to login and run privileged commands ASDM connections can be applied to the LDAP authentication type.

  1. Go back to the Authentication tab and change HTTP/ASDM to LDAP.
  2. If you want to protect the serial terminal you can optionally do that

ad15

Validate everything works by logging in to SSH/ASDM with a user that is in the ‘ASA Admins‘ group and one that is not.

Troubleshooting

  1. Open Active Directory Users and Computers
  2. Click View > Advanced Features to enable it
  3. Right-click any object (user, folder, OU) and click properties.
  4. Click Attribute Editor
  5. Look at the Attribute distinguishedName

This attribute is the format the ASA needs in the fields we covered above. Sometimes it will give you a hint as to something you typed wrong or wasn’t what you thought it was.

Advertisements

Adding Routes on Windows Servers

I’ll preface this post by saying I HATE host routes (not often that I capitalize words so you know how serious this is…) Lets face it, sometimes you need to add one to make an old and a new environment work, testing, VPN, B2B networks, etc. etc.

Windows has a basic, but in my opinion, a somewhat lousy command tool called “route” to add host routes. In it’s most basic form and under most circumstances you can use it right out of the box without any issues.

There are, however, those times when a server has three NIC’s, you need to add routes for different subnet masks, specific hosts, etc. That’s where things can get tricky.

I recently encountered an issue where even though we added a host route, it did not work. I knew something was wrong because when I captured traffic on the firewall that was the gateway for the route, I just didn’t see anything. Here’s the scenario; I am on the 10.100.1.0 subnet with 10.100.1.1 as my default server gateway. I need to talk to 10.100.2.50 but through a different gateway.

The first thing I did was add a one-to-one host route:

route add -p 10.100.2.50 mask 255.255.255.255 10.100.1.2

Ok, so that’s it right? Nope. By default it assigns interface 1 to the route, which is the loopback interface. When I tried to ping that 10.100.2.50 host I never saw the traffic.

I had to run a route print to see what my interfaces were numbered as:

C:\Users\me>route print
=============================================================
Interface List
 17...00 50 46 84 00 13 ......vmxnet3 Ethernet Adapter #2
 14...00 0c c9 0d d2 da ......vmxnet3 Ethernet Adapter #1
 1...........................Software Loopback Interface 1
=============================================================

Ok, so ethernet Adapter 1 is the one I want to use, which is interface 14, so I need to adjust my route statement.

route add -p 10.100.2.50 mask 255.255.255.255 10.100.1.2 if 14

Nice! My traffic works now.

Why do I think the route command is lousy? Well, because when I add a route for a /24 subnet, it works 90% of the time, but when I add a specific host (/32) route, I have to specify the interface. For example:

route add -p 10.100.2.0 mask 255.255.255.0 10.100.1.2

This command normally would work without specifying any interfaces. Why? I have no idea, maybe some Microsoft employees can fill me in.

The other issue I have is the inability to ping using a different gateway. I can ping using a different IP on that host with the ping -S command, but there is no way for me to test a ping without messing about with routes until I see what I need on my firewall. I would love it if I could ping -G and use a gateway IP to send traffic. Alas, I am getting off topic…

WSUS Trouble?

Sometimes when I build a new server it can take a few days for it to show up in WSUS or it may not even show up at all. If I’m having trouble I use this batch file. I only use this after the group policy settings have been created and the server is sitting in that OU. 99% of the time this fixes my issues with the server showing up in the WSUS console.

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
cls
gpupdate /force
@echo Triggering detection after resetting WSUS client identity
net stop wuauserv
net start wuauserv
wuauclt /resetauthorization /detectnow

Autodelete Files by Age

 

gadget

In my last post I covered how to back-up files based on age. This is a nice script to supplement it, this will auto-delete files based on their age. It’s an easy way to clean up old files from an automated task that saves files to disk. No third-party software needed!!

This example is for a Windows host, to delete a file older than 3 days.

1. Create a batch file with the following:

echo on
 rem Delete files older than 3 days
 FORFILES /P C:\Admin\Test\ /S /M 1*.bmp /D -3 /c " CMD /c del /q @FILE "

2. Modify the following flags:

/p = The path to search for the files you want to check the date of and remove
/s = Recurse subdirectories contained within the path specified using /p and check them as well
/m = The search mask to be used for the file type you want to check the date on (*.* being all files)
/d = The date to compare the files against. A standard date type can also be used (dd/mm/yyyy)
/c = The command to be used on a file that matches the /m and /d criteria
/q = Used within /c to instruct the del command to delete files quietly

3. Add the batch file to run with task scheduler based on your needs.