Cisco ASA SSL VPN configuration integrated with the domain, authorizing dial-in users through a specified group
Last edited by shi351953026 on 2022-7-12 10:15
Lab requirement
SSL VPN dial-in authenticated against a specific domain group: domain users who are members of the group can log in, everyone else is rejected.
Network topology
Basic settings
Set the device hostname
hostname ASA5510
Create a user and set the passwords
username admin password P@ssW0rd privilege 15
enable password P@ssW0rd
Configure the interfaces
Outside interface address
int e0
nameif outside
ip add 100.1.1.251 255.255.255.0
no sh
Inside interface address
int e1
nameif inside
ip add 10.255.101.251 255.255.255.0
no sh
Set the default route and the route to the internal network
route outside 0.0.0.0 0.0.0.0 100.1.1.1
route inside 10.255.0.0 255.255.0.0 10.255.101.254
Define the internal network
object network lan_inside
subnet 10.255.0.0 255.255.0.0
Configure NAT
nat (inside,outside) source dynamic lan_inside interface
Configure the IP address pool assigned to SSL VPN dial-in users
ip local pool PL_sslvpn 10.255.201.101-10.255.202.150 mask 255.255.255.0
Define the SSL VPN network
object network lan_sslvpn
subnet 10.255.201.0 255.255.255.0
Configure split tunneling
access-list SP_sslvpn extended permit ip 10.255.0.0 255.255.0.0 10.255.202.0 255.255.255.0
Configure the interesting traffic (NAT exemption)
Note: the firewall's dynamic NAT rule must come after the interesting-traffic rule, otherwise traffic will not pass; remove it with `no` first, then configure it again.
no nat (inside,outside) source dynamic lan_inside interface
nat (inside,outside) source static lan_inside lan_inside destination static lan_sslvpn lan_sslvpn
nat (inside,outside) source dynamic lan_inside interface
Configure WebVPN
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ciscoasa(config-webvpn)# anyconnect-essentials
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.3.0185-k9.pkg
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config-webvpn)# tunnel-group-list enable
Configure the AAA server; the server is the domain controller and domain users are used
aaa-server AAA_sslvpn protocol ldap
aaa-server AAA_sslvpn (inside) host 10.255.100.200
ldap-base-dn dc=shfvip,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password P@ssW0rd
ldap-login-dn cn=sysasa,OU=Groups,OU=CN,dc=shfvip,dc=net
server-type microsoft
Test connectivity to the AAA server
ASA# test aaa-server authentication AAA_sslvpn host 10.255.100.200 username sysasa password P@ssW0rd
Message returned on success
INFO: Authentication Successful
Configure two group-policies, referencing the address pool and the split-tunnel list
group-policy GP_noaccess internal
group-policy GP_noaccess attributes
vpn-simultaneous-logins 0
group-policy GP_sslvpn internal
group-policy GP_sslvpn attributes
vpn-simultaneous-logins 100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SP_sslvpn
default-domain value shfvip.net
Configure the Tunnel-group
tunnel-group TG_sslvpn type remote-access
tunnel-group TG_sslvpn general-attributes
address-pool PL_sslvpn
authentication-server-group AAA_sslvpn
default-group-policy GP_noaccess
tunnel-group TG_sslvpn webvpn-attributes
group-alias SSL-VPN enable
Configure the Attribute map
ldap attribute-map MAP_sslvpn
map-name memberof Group-Policy
map-value memberof cn=sslvpn,ou=groups,ou=cn,dc=shfvip,dc=net GP_sslvpn
Apply the Attribute map
aaa-server AAA_sslvpn (inside) host 10.255.100.200
ldap-attribute-map MAP_sslvpn
With all of the above configured, users cannot dial in; the prompt is "login failed".
=================================
Output of debug ldap 255
Session Start
New request Session, context 0x7fe01db8, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldap://10.255.100.200:389
Connect to LDAP server: ldap://10.255.100.200:389, status = Successful
supportedLDAPVersion: value = 3
supportedLDAPVersion: value = 2
Binding as sysasa
Performing Simple authentication for sysasa to 10.255.100.200
LDAP Search:
Base DN =
Filter=
Scope =
User DN =
Talking to Active Directory server 10.255.100.200
Reading password policy for ssl1, dn:CN=ssl1,OU=Groups,OU=CN,DC=shfvip,DC=net
Read bad password count 0
Binding as ssl1
Performing Simple authentication for ssl1 to 10.255.100.200
Processing LDAP response for user ssl1
Message (ssl1):
Authentication successful for ssl1 to 10.255.100.200
Retrieved User Attributes:
objectClass: value = top
objectClass: value = person
objectClass: value = organizationalPerson
objectClass: value = user
cn: value = ssl1
sn: value = ssl1
distinguishedName: value = CN=ssl1,OU=Groups,OU=CN,DC=shfvip,DC=net
instanceType: value = 4
whenCreated: value = 20220420181102.0Z
whenChanged: value = 20220420181408.0Z
displayName: value = ssl1
uSNCreated: value = 25109
memberOf: value = CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net
uSNChanged: value = 25118
name: value = ssl1
objectGUID: value = ...b..yC...B.r..
userAccountControl: value = 512
badPwdCount: value = 0
codePage: value = 0
countryCode: value = 0
badPasswordTime: value = 0
lastLogoff: value = 0
lastLogon: value = 0
pwdLastSet: value = 132949518622113601
primaryGroupID: value = 513
objectSid: value = ......................z.Z...
accountExpires: value = 9223372036854775807
logonCount: value = 0
sAMAccountName: value = ssl1
sAMAccountType: value = 805306368
userPrincipalName: value = ssl1@shfvip.net
objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=shfvip,DC=net
dSCorePropagationData: value = 16010101000000.0Z
lastLogonTimestamp: value = 132949520482453896
Fiber exit Tx=531 bytes Rx=2553 bytes, status=1
Session End
Screenshots attached
AD network
User group
I don't know where the problem is. I've searched a lot online and the key points are all these. When group authorization for specific users is not used, all domain users can log in by default; that works!
Configure the Tunnel-group
default-group-policy shfvip LOCAL
AD authentication first; if AD is unreachable, fall back to local authentication.
Good~good
ldap-attribute-map sslvpn references an attribute-map that does not exist?
天边那片猫 posted on 2022-7-1 12:37
ldap-attribute-map sslvpn references an attribute-map that does not exist?
I've changed the configuration; the attribute-map that is referenced does exist.
songwentao2002 posted on 2022-7-12 09:52
Configure the Tunnel-group
default-group-policy shfvip LOCAL
What I want is authentication through the domain, not local authentication!
And only domain users in a specified group in the domain should be able to authenticate and log in.
Solved
ldap attribute-map MAP_sslvpn
map-name memberOf Group-Policy
map-value memberOf CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net ssl-vpn
With the capitalization corrected, dial-in works normally.
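The resolution above comes down to how the ASA compares the attribute map against what AD returns. The Python script below is an added example, not part of the original thread and not Cisco code: it models the attribute-map lookup as an exact, case-sensitive string comparison (the behaviour the thread's fix demonstrates; treating it as strictly exact is my assumption) and evaluates both the map as first posted and the corrected map against the `memberOf` value from the `debug ldap 255` output reproduced earlier, with the tunnel-group default `GP_noaccess` applying when nothing matches. It also includes a small lint pass for the two mistakes a practitioner can make here: a map-name or map-value that differs from the server's value only in case, which silently drops the user into the deny-all default policy, and a map-value that points at a group-policy the ASA does not have (the resolution as posted maps to `ssl-vpn`, while the policy defined earlier in the post is `GP_sslvpn`, so verify that name on your own unit). The sample attribute lines are constructed from the thread's debug output; the policy names are the thread's.

```python
"""Model of how the ASA resolves `ldap attribute-map` against AD attributes.

Added example for this thread, not ASA code. Assumption (consistent with the
thread's fix, but mine): map-name and map-value are compared to the server's
attribute name and value as exact, case-sensitive strings; when nothing
matches, the tunnel-group's default-group-policy applies.
"""
from typing import Dict, List

# Constructed from the `debug ldap 255` output in the thread; only the lines
# the attribute map reads are reproduced.
DEBUG_OUTPUT = """\
Retrieved User Attributes:
objectClass: value = top
objectClass: value = user
cn: value = ssl1
memberOf: value = CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net
sAMAccountName: value = ssl1
userPrincipalName: value = ssl1@shfvip.net
"""

# Group policies defined on the ASA in the thread; the tunnel-group default
# is the deny-all policy (vpn-simultaneous-logins 0).
DEFINED_GROUP_POLICIES = {"GP_noaccess", "GP_sslvpn"}
DEFAULT_GROUP_POLICY = "GP_noaccess"

# The map as first posted (lowercase attribute name and DN).
MAP_BROKEN = {
    "map-name": "memberof",
    "map-value": {"cn=sslvpn,ou=groups,ou=cn,dc=shfvip,dc=net": "GP_sslvpn"},
}
# Same map with the case matching what AD returned.
MAP_FIXED = {
    "map-name": "memberOf",
    "map-value": {"CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net": "GP_sslvpn"},
}
# The resolution exactly as posted: correct case, but the target policy name
# differs from the GP_sslvpn defined earlier in the thread.
MAP_AS_POSTED = {
    "map-name": "memberOf",
    "map-value": {"CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net": "ssl-vpn"},
}


def parse_debug_attributes(text: str) -> Dict[str, List[str]]:
    """Collect 'name: value = x' lines into a multi-valued attribute dict,
    preserving the attribute-name case exactly as the server returned it."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(": value = ")
        if sep:
            attrs.setdefault(name.strip(), []).append(rest.strip())
    return attrs


def evaluate_attribute_map(attrs: Dict[str, List[str]], attr_map: dict,
                           default_policy: str) -> str:
    """Return the group-policy the map selects: the first value of the mapped
    attribute with an exact map-value match, otherwise the tunnel-group default."""
    for value in attrs.get(attr_map["map-name"], []):
        policy = attr_map["map-value"].get(value)
        if policy is not None:
            return policy
    return default_policy


def lint_attribute_map(attrs: Dict[str, List[str]], attr_map: dict,
                       defined_policies: set) -> List[str]:
    """Flag the failure modes from this thread before they reach the ASA:
    case-only mismatches (which silently fall through to the default policy)
    and map-values that name a group-policy the ASA does not have."""
    problems: List[str] = []
    name = attr_map["map-name"]
    # Values the server returned under the attribute, matched case-insensitively
    # on the name so that "wrong case" can be told apart from "absent".
    returned = [v for a, vals in attrs.items() if a.lower() == name.lower() for v in vals]
    if name not in attrs and returned:
        problems.append(f"map-name {name!r} differs only in case from the returned attribute name")
    for dn, policy in attr_map["map-value"].items():
        if dn not in returned and any(dn.lower() == v.lower() for v in returned):
            problems.append(f"map-value {dn!r} differs only in case from the DN the server returned")
        if policy not in defined_policies:
            problems.append(f"map-value targets undefined group-policy {policy!r}")
    return problems


if __name__ == "__main__":
    user_attrs = parse_debug_attributes(DEBUG_OUTPUT)
    for label, m in (("as first posted", MAP_BROKEN), ("case fixed", MAP_FIXED),
                     ("resolution as posted", MAP_AS_POSTED)):
        selected = evaluate_attribute_map(user_attrs, m, DEFAULT_GROUP_POLICY)
        print(f"{label}: group-policy -> {selected}")
        for p in lint_attribute_map(user_attrs, m, DEFINED_GROUP_POLICIES):
            print("  warning:", p)
```

Run the script as-is to see the map as first posted land on `GP_noaccess` (login refused, which is what the thread observed) and the case-corrected map land on `GP_sslvpn`. Keeping the tunnel-group default at a zero-login policy is what turns "attribute map did not match" into a safe failure instead of open access, so keep that default even after the map is fixed.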
Watching and learning.