Tuesday, May 7, 2013

something about ASA DAP

Today I tested the updated CSD, AnyConnect client and HostScan on a test box
(versions: AnyConnect client 3.1.03103, csd_3.6.6234-k9.pkg, hostscan_3.1.03103-k9.pkg).

When tested with my own account, the VPN connected with no problem, but when I used a different account the connection was denied (my own account has a setting that can bypass the CSD).
The first thing I suspected was the new CSD image or the certificate, since my test box does not have a valid certificate (the free 90-day one expired). But one of my accounts is working, and the two accounts belong to different AD groups, so they are supposed to use different DAPs.

Conclusion: when a connection meets the requirements of more than one DAP, the one with the terminate action takes priority over the one with the continue action, even if the continue one has a higher priority setting.

Monday, May 6, 2013

Cisco ASA management session using LDAP

We talked a lot about LDAP for VPN remote access before; now it is time to discuss how to use LDAP for ASA management purposes:

The following is the procedure via ASDM.

  1. Configure the LDAP attribute map.
    Please note that the attribute name is case sensitive; you can turn on LDAP debug to see exactly how the name and value look.
    ldap attribute-map TEST2
      map-name  memberOf IETF-Radius-Service-Type
      map-value memberOf CN=IT,OU=Firewall,DC=test,DC=int 6


    - Service-Type 6 (admin): Allows full access to any services specified by the aaa authentication console commands.

    - Service-Type 7 (nas-prompt): Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.

    - Service-Type 5 (remote-access): Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote-access (IPsec and SSL) users can still authenticate and terminate their remote-access sessions.
  2. Set up the LDAP server (same as for VPN access).
  3. Configure AAA access:
    select the LDAP server group
    (cli: aaa authentication http console ldapserver local)
    select "Perform authorization for exec shell access"
    (cli: aaa authorization exec authentication-server)
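
To see how the attribute map above turns a user's memberOf values into a Service-Type and therefore into a level of management access, here is an added Python model; it is not ASA code and not from the original post. It assumes exact, case-sensitive matching of both map-name and map-value, that the first mapped Service-Type wins, and it adds a hypothetical Helpdesk group row mapped to 7 that is not on the original page.

```python
"""Model of an ASA 'ldap attribute-map' applied to an LDAP user entry, to see
which IETF-Radius-Service-Type (and so which management access) results.
Added example, not ASA code. Assumptions: map-name and map-value matches are
exact and case-sensitive, and the first mapped Service-Type wins."""

# ldap attribute-map TEST2 from the post, plus one hypothetical Helpdesk row.
ATTRIBUTE_MAP = {
    "map-name": {"memberOf": "IETF-Radius-Service-Type"},
    "map-value": {
        "memberOf": {
            "CN=IT,OU=Firewall,DC=test,DC=int": "6",         # from the post
            "CN=Helpdesk,OU=Firewall,DC=test,DC=int": "7",   # hypothetical
        }
    },
}

# What each Service-Type value means for management access (per the post).
SERVICE_TYPE_ACCESS = {
    "6": "admin: full access to everything under aaa authentication console",
    "7": "nas-prompt: CLI and ASDM monitoring only, no ASDM config, no enable",
    "5": "remote-access: management denied, VPN sessions still allowed",
}

def apply_attribute_map(ldap_attrs, amap=ATTRIBUTE_MAP):
    """Translate {ldap attr: [values]} into {cisco attr: [values]}. Names match
    exactly, so 'memberof' never matches 'memberOf'; memberOf is checked per value."""
    mapped = {}
    for name, values in ldap_attrs.items():
        cisco_name = amap["map-name"].get(name)
        if cisco_name is None:
            continue  # no map-name row for this attribute
        value_rows = amap["map-value"].get(name, {})
        for value in values:
            if value in value_rows:
                mapped.setdefault(cisco_name, []).append(value_rows[value])
    return mapped

def management_access(ldap_attrs, amap=ATTRIBUTE_MAP):
    """Describe the access the mapped Service-Type grants, or None when no
    Service-Type was produced (the ASA default in that case is not covered here)."""
    types = apply_attribute_map(ldap_attrs, amap).get("IETF-Radius-Service-Type")
    if not types:
        return None
    return SERVICE_TYPE_ACCESS.get(types[0], "unknown Service-Type " + types[0])

if __name__ == "__main__":
    # Constructed sample entry: an IT firewall admin who is also in Staff.
    user = {"memberOf": ["CN=Staff,DC=test,DC=int", "CN=IT,OU=Firewall,DC=test,DC=int"]}
    print(apply_attribute_map(user), "->", management_access(user))
```

Running the model against a lowercase "memberof" attribute or an unmapped group returns None, which is the quickest way to confirm that a case mismatch in the map-name row is why a user gets no Service-Type.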




