I have a Cisco ASA 5505 that connects to an Active Directory server for VPN authentication. Normally we would restrict it to a specific OU, but in this case the users who need access are spread across several OUs. So I'd like to use a group to specify which users have remote access. I've created the group and added the users, but I don't know how to deny users who are not in that group.
Right now, if someone connects and they belong to the group, they get assigned the correct group policy, "companynamera", so the LDAP mapping is working. However, users who are not in the group still authenticate fine, and their group policy becomes the LDAP path of their first group, i.e. CN=Domain Users,CN=Users,DC=example,DC=com, and access is still allowed. How can I add a filter so that I can map everyone who isn't "companynamera" to no access?
The config I'm using (with some things such as ACLs and mappings removed, since they're just noise here):
gateway# show run
: Saved
:
ASA Version 8.2(1)
!
hostname gateway
domain-name corp.company-name.com
enable password gDZcqZ.aUC9ML0jK encrypted
passwd gDZcqZ.aUC9ML0jK encrypted
names
name 192.168.0.2 dc5 description FTP Server
name 192.168.0.5 dc2 description Everything server
name 192.168.0.6 dc4 description File Server
name 192.168.0.7 ts1 description Light Use Terminal Server
name 192.168.0.8 ts2 description Heavy Use Terminal Server
name 4.4.4.82 primary-frontier
name 5.5.5.26 primary-eschelon
name 172.21.18.5 dmz1 description Kerio Mail Server and FTP Server
name 4.4.4.84 ts-frontier
name 4.4.4.85 vpn-frontier
name 5.5.5.28 ts-eschelon
name 5.5.5.29 vpn-eschelon
name 5.5.5.27 email-eschelon
name 4.4.4.83 guest-frontier
name 4.4.4.86 email-frontier
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
description Frontier FiOS
nameif outside
security-level 0
ip address primary-frontier 255.255.255.0
!
interface Vlan3
description Eschelon T1
nameif backup
security-level 0
ip address primary-eschelon 255.255.255.248
!
interface Vlan4
nameif dmz
security-level 50
ip address 172.21.18.254 255.255.255.0
!
interface Vlan5
nameif guest
security-level 25
ip address 172.21.19.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server dc2
domain-name corp.company-name.com
same-security-traffic permit intra-interface
access-list companyname_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list companyname_splitTunnelAcl standard permit 172.21.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.18.0 255.255.255.0
access-list bypassingnat_dmz extended permit ip 172.21.18.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 12288
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu dmz 1500
mtu guest 1500
ip local pool VPNpool 172.21.20.50-172.21.20.59 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 email-frontier
global (outside) 3 guest-frontier
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 dc5 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list bypassingnat_dmz
nat (dmz) 2 dmz1 255.255.255.255
nat (dmz) 1 172.21.18.0 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 4.4.4.1 1 track 1
route backup 0.0.0.0 0.0.0.0 5.5.5.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map RemoteAccessMap
map-name memberOf IETF-Radius-Class
map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host dc2
ldap-base-dn dc=corp,dc=company-name,dc=com
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
server-type microsoft
aaa-server ADRemoteAccess protocol ldap
aaa-server ADRemoteAccess (inside) host dc2
ldap-base-dn dc=corp,dc=company-name,dc=com
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
server-type microsoft
ldap-attribute-map RemoteAccessMap
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.4.4.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy companynamera internal
group-policy companynamera attributes
wins-server value 192.168.0.5
dns-server value 192.168.0.5
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value companyname_splitTunnelAcl
default-domain value corp.company-name.com
split-dns value corp.company-name.com
group-policy companyname internal
group-policy companyname attributes
wins-server value 192.168.0.5
dns-server value 192.168.0.5
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value companyname_splitTunnelAcl
default-domain value corp.company-name.com
split-dns value corp.company-name.com
username admin password IhpSqtN210ZsNaH. encrypted privilege 15
tunnel-group companyname type remote-access
tunnel-group companyname general-attributes
address-pool VPNpool
authentication-server-group ActiveDirectory LOCAL
default-group-policy companyname
tunnel-group companyname ipsec-attributes
pre-shared-key *
tunnel-group companynamera type remote-access
tunnel-group companynamera general-attributes
address-pool VPNpool
authentication-server-group ADRemoteAccess LOCAL
default-group-policy companynamera
tunnel-group companynamera ipsec-attributes
pre-shared-key *
!
class-map type inspect ftp match-all ftp-inspection-map
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect ftp ftp-inspection-map
parameters
class ftp-inspection-map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect esmtp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:487525494a81c8176046fec475d17efe
: end
gateway#
Thanks a lot!
Answer 1
Use DAP: http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
I'm not quoting any config here because DAP has to be configured in ASDM. However, the document above describes exactly what you need. Look for the "ldap.memberOf" setting.
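As an added example that is not part of the question or the answer above: a CLI-only alternative to the DAP approach, using a fallback group policy that permits zero logins so that any account whose memberOf does not map to companynamera is rejected at login. The policy name NOACCESS is an assumption; every other name comes from the config in the question.

```cisco
! Added example (not the poster's config): deny-by-default fallback policy.
! 1. A group policy that allows no sessions at all. vpn-simultaneous-logins 0
!    makes any login that lands on this policy fail.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec
!
! 2. The existing attribute map stays as it is: only members of RemoteAccess
!    receive IETF-Radius-Class = companynamera, which selects that group policy.
ldap attribute-map RemoteAccessMap
 map-name  memberOf IETF-Radius-Class
 map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
!
! 3. Make NOACCESS the default for the tunnel group. A user whose memberOf
!    matches no map-value yields no valid group-policy name, so the ASA falls
!    back to the default policy, which now denies the session.
tunnel-group companynamera general-attributes
 address-pool VPNpool
 authentication-server-group ADRemoteAccess LOCAL
 default-group-policy NOACCESS
!
! 4. Check the result: "show vpn-sessiondb remote" should list only members of
!    RemoteAccess, and a rejected attempt shows up in "show logging" as a
!    login failure rather than as an established session.
```

The other tunnel group in the question, companyname, authenticates against the ActiveDirectory server that has no attribute map, so any domain account can still connect through it unless it gets the same NOACCESS fallback or is removed.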