Здравствуйте уважаемые,
прошу оказать помощь в решении задачи Cisco ASA + LDAP + Active Directory
извиняюсь если в конфиге есть ошибки, так как он "тестовый"
заранее всех благодарю за оказанную помощь!
далее по тексту:
1. при создании локального пользователя - соединение устанавливается через L2TP.
2. при добавлении authentication-server-group testing.loc в логах появляется сообщение, что пользователь и пароль не найдены!
#sh ver
Cisco PIX Security Appliance Software Version 8.0(4)32
Device Manager Version 6.1(5)
Compiled on Tue 05-May-09 14:50 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"
fw0 up 22 hours 21 mins
Hardware: PIX-515, 192 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
#sh conf
PIX Version 8.0(4)32
!
hostname fw0
domain-name testing.loc
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 88.111.22.222 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.1
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone SAMST 4
dns server-group DefaultDNS
domain-name testing.loc
object-group service service_port
service-object tcp eq 9443
service-object tcp eq www
service-object udp eq domain
service-object udp eq ntp
service-object tcp eq 465
service-object tcp eq 995
service-object tcp eq https
access-list inside_access extended permit object-group service_port any any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test_pool 192.168.10.1-192.168.10.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_access
route outside 0.0.0.0 0.0.0.0 88.111.22.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map ldap_vpn
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VpnUsers,CN=Users,DC=testing,DC=loc 12345
dynamic-access-policy-record DfltAccessPolicy
aaa-server testing.loc protocol ldap
aaa-server testing.loc (inside) host 192.168.1.10
server-port 389
ldap-base-dn dc=testing,dc=loc
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=firewall,cn=users,dc=testing,dc=loc
server-type microsoft
ldap-attribute-map ldap_vpn
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 192.168.1.10 prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
password-storage disable
ip-comp enable
group-policy 12345 internal
group-policy 12345 attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool test_pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group 12345 type remote-access
tunnel-group 12345 general-attributes
address-pool test_pool
authentication-server-group testing.loc
default-group-policy 12345
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2bb005b034c750d43f3927df860a7174
#test aaa-server authentication testing.loc host 192.168.1.10 username firewall password firewall0000
#Команда выполняется нормально, пользователь firewall входит в группу "VpnUsers"
Fiber started
[208] Creating LDAP context with uri=ldap://192.168.1.10:389
[208] Connect to LDAP server: ldap://192.168.1.10:389, status = Successful
[208] supportedLDAPVersion: value = 2
[208] supportedLDAPVersion: value = 3
[208] Binding as firewall
[208] Performing Simple authentication for firewall to 192.168.1.10
[208] LDAP Search:
Base DN = [dc=testing,dc=loc]
Filter = [sAMAccountName=firewall]
Scope = [SUBTREE]
[208] User DN = [CN=firewall,CN=Users,DC=testing,DC=loc]
[208] Talking to Active Directory server 192.168.1.10
[208] Reading password policy for firewall, dn:CN=firewall,CN=Users,DC=testing,DC=loc
INFO: Authentication Successful
fw0 #
[208] Read bad password count 0
[208] Binding as firewall
[208] Performing Simple authentication for firewall to 192.168.1.10
[208] Processing LDAP response for user firewall
[208] Message (firewall):
[208] Authentication successful for firewall to 192.168.1.10
[208] Retrieved User Attributes:
[208] objectClass: value = top
[208] objectClass: value = person
[208] objectClass: value = organizationalPerson
[208] objectClass: value = user
[208] cn: value = firewall
[208] sn: value = firewall
[208] instanceType: value = 4
[208] whenCreated: value = 20150114084809.0Z
[208] displayName: value = firewall
[208] uSNCreated: value = 11861
[208] name: value = firewall
[208] objectGUID: value = ....7F.F..=q.#.`
[208] badPwdCount: value = 0
[208] codePage: value = 0
[208] countryCode: value = 0
[208] badPasswordTime: value = 0
[208] lastLogoff: value = 0
[208] lastLogon: value = 0
[208] primaryGroupID: value = 513
[208] objectSid: value = ..............g........E....
[208] accountExpires: value = 9223372036854775807
[208] logonCount: value = 0
[208] sAMAccountName: value = firewall
[208] sAMAccountType: value = 805306368
[208] userPrincipalName: value = firewall@testing.loc
[208] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=loc
[208] userAccountControl: value = 66048
[208] memberOf: value = CN=Administrators,CN=Builtin,DC=testing,DC=loc
[208] mapped to IETF-Radius-Class: value = CN=Administrators,CN=Builtin,DC=testing,DC=loc
[208] memberOf: value = CN=Domain Admins,CN=Users,DC=testing,DC=loc
[208] mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=testing,DC=loc
[208] memberOf: value = CN=VpnUsers,CN=Users,DC=testing,DC=loc
[208] mapped to IETF-Radius-Class: value = 12345
[208] pwdLastSet: value = 130661134590000000
[208] whenChanged: value = 20150119035739.0Z
[208] lockoutTime: value = 0
[208] uSNChanged: value = 12436
[208] distinguishedName: value = CN=firewall,CN=Users,DC=testing,DC=loc
[208] Fiber exit Tx=516 bytes Rx=1744 bytes, status=1
[208] Session End
и ещё, что выдаётся в логах при установке соединения:
[240] Session Start
[240] New request Session, context 0x4670360, reqType = Authentication
[240] Fiber started
[240] Failed: The username or password is blank
[240] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[240] Session End