
19/11/2018 ASA Local Authentication Using Active Directory | Lessons in Tech

Lessons in Tech

ASA Local Authentication Using Active Directory

APRIL 20, 2018


I had a heck of a time figuring out how to set this up. Cisco’s
documentation related to LDAP authentication is all over the place
and there isn’t one article that describes just this. If you want to use
Microsoft Active Directory to authenticate users locally logging in
to the ASA and give them privileged exec access based on a Group,
here are the steps.

These steps assume you are using ASDM, but I have attached the CLI equivalents as well.

Prep

Create an AD group that will be used to define access to the ASA, e.g. ASA Admins.
Create a service account (password not expiring unless you want to change it in AD and on your ASA every month) that will be used by the ASA to bind with AD.

Do it

1. Log in to the ASA with ASDM (CLI steps below)

https://lessonsintech.wordpress.com/2018/04/20/asa-auth-ad/ 1/11

2. Go to Device Management > Users/AAA > AAA Server Groups

3. Add an AAA Server Group by clicking Add on the top-right

Enter a name for the Server Group
Pick LDAP as the protocol
Enter 1 for the Realm-id
Change any other settings as you see fit. The defaults will work.

4. Left-click the Server Group you just created.

5. Click Add on the window half way down.

Pick the Interface through which the ASA will be able to reach your DCs
Type in the IP address of your domain controller
Pick Microsoft as the Server Type
The Base DN is your domain suffix, entered in DN format (e.g. DC=MyDomain,DC=Com, as in the CLI equivalent below)
Depending on the hierarchy of your domain, the scope can be one level beneath the base DN or all levels beneath it. If you’re not sure, all levels beneath the base DN will work; it will just be slower in large domains.

The Naming Attribute should be samaccountname
The Login DN is the LDAP value of the service account the ASA will use to bind to LDAP.
For now the LDAP attribute map drop-box is empty. We will create that in the next step.

6. Expand LDAP Attribute Map and click Add. This is where the magic happens.

Name the LDAP Attribute Map
Set the LDAP Attribute Name to memberOf
Pick IETF-Radius-Service-Type as the Attribute Name
Click Add >>


7. Click the Mapping of Attribute Value tab

Enter the LDAP attribute value: the distinguished name of the group, which includes the “Folder” (container) in your LDAP directory that holds it. Typically it will be in the format CN=ASA Admins,CN=Users,DC=Mydomain,DC=com (compare the map-value line in the CLI equivalent below).
Set the Cisco Attribute Value to 6
Click Add >>

The entry should look like this at the end. Notice the =6 appended to the end.

Note on the Attribute Value:



The Cisco Attribute Value is a Radius association that we will use to map a User Group to a privilege level on the ASA. I opened a ticket with Cisco to try to decipher what these correlate to in terms of privilege values (1-15) and wasn’t able to get anything clear back.

It appears it is something unique to Radius policies that can generically be applied to LDAP/Local policies to expand the functionality of the ASA.

Cisco doesn’t have documentation that makes this clear, i.e. that IETF-Radius-Service-Type 6 = ASA Privilege 15. The image below is the best I could find from Cisco. I have only tested 5 and 6, but test different values if you have varying requirements–your results may vary.

At this point you have an LDAP attribute map. Only one can be applied to a server group at a time. So if you have multiple groups to check, enter them as additional lines in the Attribute Value Mapping section.

8. Highlight the Server group with the IP of the domain controller, and click Edit

9. For the LDAP Attribute Map, pick the Mapping you just created (Group-Check)


10. Click Apply in ASDM

CLI Equivalent

ldap attribute-map Group-Check
  map-name memberOf IETF-Radius-Service-Type
  map-value memberOf "CN=ASA Admins,CN=Users,D
aaa-server LDAP (MGMT) host 192.168.10.3
  ldap-base-dn DC=MyDomain,DC=Com
  ldap-login-dn CN=BindAcct,OU=Users,DC=MyDoma
  ldap-login-password **********
  ldap-naming-attribute samaccountname
  server-type microsoft
  ldap-attribute-map Group-Check
exit
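To see what the attribute map above actually does with a user's memberOf values (and how the "additional lines" for extra groups behave), here is an added example that models it in Python. It is not code from this post or from Cisco: the config text, group names and users are constructed, and the matching rule it uses (a map-value DN matches a memberOf value when the two are equal after trimming whitespace around each RDN and ignoring case) is an assumption for the model, so copy the group DN exactly as AD reports it and confirm the result on the device.

```python
"""Model of how an ASA 'ldap attribute-map' turns a user's memberOf values into
the IETF-Radius-Service-Type value used for the group check.

Added example; not code from the post or from Cisco. Config text and users
are constructed; the DN comparison rule is an assumption of this model.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample config: one map with two group lines, which is how the
# post suggests checking more than one AD group with a single map.
SAMPLE_CONFIG = """\
ldap attribute-map Group-Check
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "CN=ASA Admins,CN=Users,DC=example,DC=com" 6
  map-value memberOf "CN=ASA Operators,CN=Users,DC=example,DC=com" 5
aaa-server LDAP (MGMT) host 192.0.2.10
  ldap-base-dn DC=example,DC=com
  ldap-naming-attribute samaccountname
  server-type microsoft
  ldap-attribute-map Group-Check
"""


def _norm(dn: str) -> str:
    """Normalise a DN for comparison (assumption: AD DNs are case-insensitive)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_attribute_maps(config: str) -> Dict[str, dict]:
    """Parse every 'ldap attribute-map' block of an ASA config.

    Result: {map_name: {"names": {ldap_attr: cisco_attr},
                        "values": {ldap_attr: {normalised_ldap_value: cisco_value}}}}
    """
    maps: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # Top-level command: either opens a new map or ends the current one.
            m = re.match(r"ldap attribute-map (\S+)$", line)
            current = maps.setdefault(m.group(1), {"names": {}, "values": {}}) if m else None
            continue
        if current is None:
            continue  # indented line of some other block (e.g. aaa-server)
        parts = shlex.split(line)  # shlex keeps the quoted DN as one token
        if parts[0] == "map-name" and len(parts) == 3:
            current["names"][parts[1].lower()] = parts[2]
        elif parts[0] == "map-value" and len(parts) == 4:
            current["values"].setdefault(parts[1].lower(), {})[_norm(parts[2])] = parts[3]
    return maps


def apply_map(amap: dict, ldap_attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply one parsed map to a user's LDAP attributes.

    Only attributes named in a map-name line are translated, and only the
    values listed in map-value lines produce a Cisco attribute value.
    """
    out: Dict[str, List[str]] = {}
    for attr, values in ldap_attrs.items():
        cisco_attr = amap["names"].get(attr.lower())
        if cisco_attr is None:
            continue
        table = amap["values"].get(attr.lower(), {})
        for value in values:
            mapped = table.get(_norm(value))
            if mapped is not None:
                out.setdefault(cisco_attr, []).append(mapped)
    return out


def service_types(config: str, map_name: str, member_of: List[str]) -> List[str]:
    """IETF-Radius-Service-Type values a user with these memberOf DNs would get."""
    amap = parse_attribute_maps(config)[map_name]
    return apply_map(amap, {"memberOf": member_of}).get("IETF-Radius-Service-Type", [])


def is_asa_admin(config: str, map_name: str, member_of: List[str]) -> bool:
    """True when the map yields service-type 6, the value the post maps to privilege 15."""
    return "6" in service_types(config, map_name, member_of)


if __name__ == "__main__":
    # Constructed users: a member of ASA Admins and a member of Domain Users only.
    admin = ["CN=ASA Admins,CN=Users,DC=example,DC=com",
             "CN=Domain Users,CN=Users,DC=example,DC=com"]
    plain = ["CN=Domain Users,CN=Users,DC=example,DC=com"]
    for name, groups in (("admin", admin), ("plain", plain)):
        print(name, service_types(SAMPLE_CONFIG, "Group-Check", groups),
              "admin" if is_asa_admin(SAMPLE_CONFIG, "Group-Check", groups) else "not admin")
```

A user who is in none of the listed groups gets no service-type at all from the map, which is exactly the property the authorization step later relies on; a user in two mapped groups gets both values, and what the ASA does with that combination is something to test on the device rather than assume.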


What we have done so far is simply to create a Server Group and an LDAP Mapping. We need to assign it to a connection type to actually use it.

1. Go to Device Management > Users/AAA > AAA Access

What we need to do is assign this group to a connection type. I would advise testing one type (i.e. SSH) using LDAP while retaining another (i.e. ASDM) as Local, to make sure you have the LDAP properties correct and don’t lose access.

Since we are using ASDM, first enable SSH authentication with LDAP. Enabling it this way will simply give every user in the domain access to the ASA, which we obviously don’t want, but just use this as an initial test. This is how that looks:

2. Click Apply

CLI Equivalent


aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
aaa authentication ssh console LDAP LOCAL

If you’re able to log in with AD credentials, the next step is to give only members of the group in the IETF-Radius mapping access to privileged mode. If you can’t, recheck the LDAP strings; something is most likely wrong.

1. Check the Enable box under Require authentication... and pick LDAP from the drop-down.

Note on LOCAL when group fails:

The ASA won’t warn you from the login prompt if AD is not working (use local when group fails)—be aware that if you know the DC is down and your AD account has the same name as a local one, enter the local ASA password. It would be a good idea to have an ‘admin’ account unique to the ASA that will work when the DCs are down.

2. Secondly, you have to click the Enable box under the Authorization tab for ‘Perform authorization for exec shell access’. Optionally pick ‘Allow privileged users to enter into EXEC mode on login’ to be dropped into privileged exec mode on login if you have access.


CLI Equivalent:

aaa authentication enable console LDAP LOCAL
aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
aaa authentication ssh console LDAP LOCAL
aaa authorization exec authentication-server
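The two notes above (LOCAL is only a fallback for when the DCs are unreachable, and authentication alone lets every domain user in until exec authorization is switched on) are easier to reason about as a decision table. The following is an added example in Python that models the login decision for the SSH method list LDAP LOCAL with exec authorization; it is not code from this post or from Cisco. Two behaviours are encoded as assumptions: the LOCAL database is consulted only when the LDAP server group cannot be reached, never when AD rejects the credentials, and a service-type of 6 from the attribute map grants privileged EXEC while any other result leaves the user authenticated but without that grant (the post only tested 5 and 6, so treat other values as something to verify on the device). The directory, accounts and passwords are constructed.

```python
"""Model of the ASA login decision behind

    aaa authentication ssh console LDAP LOCAL
    aaa authorization exec authentication-server

Added example; not code from the post or from Cisco. Fallback-to-LOCAL and
service-type-6-equals-privileged behaviour are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


class ServerUnreachable(Exception):
    """No domain controller in the AAA server group answered."""


@dataclass
class LdapGroup:
    """Stand-in for the LDAP server group (the DCs behind 'aaa-server LDAP')."""
    reachable: bool
    # constructed directory: sAMAccountName -> (password, service-type from the map or None)
    accounts: Dict[str, Tuple[str, Optional[int]]]

    def authenticate(self, user: str, password: str) -> Tuple[bool, Optional[int]]:
        if not self.reachable:
            raise ServerUnreachable(user)
        entry = self.accounts.get(user)
        if entry is None or entry[0] != password:
            return False, None
        return True, entry[1]


@dataclass
class LoginResult:
    authenticated: bool
    method: str       # "LDAP", "LOCAL" or "none"
    privileged: bool  # may enter privileged EXEC
    reason: str


def ssh_login(chain: Sequence[str], ldap: LdapGroup, local_db: Dict[str, Tuple[str, int]],
              user: str, password: str, exec_authorization: bool = True) -> LoginResult:
    """Walk the method list the way 'aaa authentication ssh console LDAP LOCAL' is read."""
    for method in chain:
        if method == "LDAP":
            try:
                accepted, service_type = ldap.authenticate(user, password)
            except ServerUnreachable:
                continue  # assumption: only an unreachable server group moves on to LOCAL
            if not accepted:
                return LoginResult(False, "LDAP", False, "rejected by AD; LOCAL not consulted")
            if not exec_authorization:
                # Authentication only: every valid domain account gets a shell.
                return LoginResult(True, "LDAP", False, "authenticated, no exec authorization")
            reason = ("service-type %s" % service_type if service_type is not None
                      else "no service-type returned by the attribute map")
            return LoginResult(True, "LDAP", service_type == 6, reason)
        if method == "LOCAL":
            entry = local_db.get(user)
            if entry is not None and entry[0] == password:
                return LoginResult(True, "LOCAL", entry[1] == 15, "local database")
            return LoginResult(False, "LOCAL", False, "rejected by local database")
    return LoginResult(False, "none", False, "no authentication method could be reached")


# Constructed data shared by the demo and the checks.
CHAIN = ("LDAP", "LOCAL")
DIRECTORY = {
    "jdoe": ("Winter-2018!", 6),       # member of ASA Admins -> mapped to 6
    "asmith": ("Spring-2018!", None),  # ordinary domain user, no mapped group
}
LOCAL_DB = {
    "jdoe": ("Local-Only!", 15),         # same name as in AD, different password
    "admin": ("Break-Glass-Only!", 15),  # ASA-only account for when the DCs are down
}


def scenarios() -> Dict[str, LoginResult]:
    """The cases from the post's notes, returned by name so they can be checked."""
    up = LdapGroup(True, DIRECTORY)
    down = LdapGroup(False, DIRECTORY)
    return {
        "admin_group_member": ssh_login(CHAIN, up, LOCAL_DB, "jdoe", "Winter-2018!"),
        "local_password_dc_up": ssh_login(CHAIN, up, LOCAL_DB, "jdoe", "Local-Only!"),
        "plain_domain_user": ssh_login(CHAIN, up, LOCAL_DB, "asmith", "Spring-2018!"),
        "plain_user_no_authz": ssh_login(CHAIN, up, LOCAL_DB, "asmith", "Spring-2018!",
                                         exec_authorization=False),
        "dc_down_local_password": ssh_login(CHAIN, down, LOCAL_DB, "jdoe", "Local-Only!"),
        "dc_down_ad_password": ssh_login(CHAIN, down, LOCAL_DB, "jdoe", "Winter-2018!"),
        "dc_down_break_glass": ssh_login(CHAIN, down, LOCAL_DB, "admin", "Break-Glass-Only!"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

The cases worth noticing are the paired ones: with the DC up, jdoe's local password is rejected because LOCAL is never reached, and with the DC down the AD password is rejected because only LOCAL is answering. That is why the post recommends an ASA-only break-glass account.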

If you are able to log in and run privileged commands, ASDM connections can now be switched to the LDAP authentication type as well.

1. Go back to the Authentication tab and change HTTP/ASDM to LDAP.
2. If you want to protect the serial terminal you can optionally do that


Validate everything works by logging in to SSH/ASDM with a user that is in the ‘ASA Admins’ group and one that is not.
Categories: Cisco, Cisco ASA, Security, Windows
Tags: AAA, Access, Active Directory, ASDM, Authentication, Cisco, Cisco ASA, Console Access, Firewall, LDAP, Microsoft, Microsoft Active Directory, Security, SSH
