ASA-LDAP

Basic ASA configuration:

ciscoasa(config)# inter e0/0
ciscoasa(config-if)# ip add 100.1.1.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for inside set to 100 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# inter e0/2
ciscoasa(config-if)# ip add 192.168.2.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif dmz
INFO: Security level for dmz set to 0 by default.
ciscoasa(config-if)# security-level 10
ciscoasa(config-if)#
ciscoasa(config)# telnet 0 0 inside    Enable telnet on the firewall
ciscoasa(config)#
ciscoasa# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa#

client(config)#inter f0/0
client(config-if)#ip add 100.1.1.1 255.255.255.0
client(config-if)#no sh
client(config-if)#end
client#ping 100.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/23/32 ms
client#

Create a user on the AD server.

ciscoasa(config)# aaa-server win08 protocol ldap    Specify the protocol the firewall uses to talk to AD
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server win08 (dmz) host 192.168.2.1    Specify where the AAA server is (interface and address)
ciscoasa(config-aaa-server-host)# ?
AAA server configuration commands:
  exit                   Exit from aaa-server host configuration mode
  help                   Help for AAA server configuration commands
  ldap-attribute-map     Specify the name of the LDAP attribute mapping table
  ldap-base-dn           Specify the location to begin searching in the LDAP hierarchy
  ldap-login-dn          Specify the DN to be used to bind to the LDAP server
  ldap-login-password    Specify password to be used to bind to the LDAP server
  ldap-naming-attribute  Specify the Relative Distinguished Name attribute that uniquely identifies an entry on the LDAP server
  ldap-over-ssl          Specify if an SSL connection is needed to the LDAP server
  ldap-scope             Specify the extent of the search in the LDAP hierarchy
  no                     Remove an item from aaa-server host configuration
  sasl-mechanism         Specify which authentication mechanism(s) to use with the LDAP server
  server-port            Specify the port number to be used for AAA operations
  server-type            Specify the vendor of the LDAP server
  timeout                Specify the maximum time to wait for response from configured server
ciscoasa(config-aaa-server-host)# ldap-base-dn DC=zhenyi, DC=com    Specify the AD domain
ciscoasa(config-aaa-server-host)# ldap-scope subtree    Scope of the search in AD
ciscoasa(config-aaa-server-host)# ldap-naming-attribute sAMAccountName    Attribute used to look up the account
ciscoasa(config-aaa-server-host)# ldap-login-password 123    Administrator password
ciscoasa(config-aaa-server-host)# ldap-login-dn cn=administrator, cn=users, dc=zhenyi, dc=com    Give the administrator's full DN
ciscoasa(config-aaa-server-host)# server-type microsoft    Specify the server type
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# aaa authentication telnet console win08    Use the AAA server group for telnet authentication
ciscoasa(config)# end
ciscoasa# test aaa-server authentication win08 host 192.168.2.1    Test whether the account authenticates
Username: test1
Password: *
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
ciscoasa#

client#telnet 100.1.1.254    Telnet to the ASA; the test succeeds.
Trying 100.1.1.254 ... Open
User Access Verification
Username: Username: test1
Password: *
Type help or '?' for a list of available commands.
ciscoasa>
ciscoasa>
ciscoasa# debug ldap 255    Debug the LDAP exchange
debug ldap enabled at level 255
ciscoasa#
[3] Session Start
[3] New request Session, context 0xd886ae30, reqType = 1
[3] Fiber started
[3] Creating LDAP context with uri=ldap://192.168.2.1:389
[3] Connect to LDAP server: ldap://192.168.2.1:389, status = Successful
[3] defaultNamingContext: value = DC=zhenyi,DC=com
[3] supportedLDAPVersion: value = 3
[3] supportedLDAPVersion: value = 2
[3] supportedSASLMechanisms: value = GSSAPI
[3] supportedSASLMechanisms: value = GSS-SPNEGO
[3] supportedSASLMechanisms: value = EXTERNAL
[3] supportedSASLMechanisms: value = DIGEST-MD5
[3] Binding as administrator
[3] Performing Simple authentication for administrator to 192.168.2.1
[3] LDAP Search: Base DN = DC=zhenyi, DC=com Filter = sAMAccountName=test1 Scope = SUBTREE
[3] User DN = CN=test1,OU=p1,DC=zhenyi,DC=com
[3] Talking to Active Directory server 192.168.2.1
[3] Reading password policy for test1, dn:CN=test1,OU=p1,DC=zhenyi,DC=com
[3] Read bad password count 0
[3] Binding as user
[3] Performing Simple authentication for test1 to 192.168.2.1
[3] Checking password policy for user test1
[3] Binding as administrator
[3] Performing Simple authentication for administrator to 192.168.2.1
[3] Authentication successful for test1 to 192.168.2.1
[3] Retrieving user attributes from server 192.168.2.1
[3] Retrieved Attributes:
[3] objectClass: value = top
[3] objectClass: value = person
[3] objectClass: value = organizationalPerson
[3] objectClass: value = user
[3] cn: value = test1
[3] sn: value = test1
[3] distinguishedName: value = CN=test1,OU=p1,DC=zhenyi,DC=com
[3] instanceType: value = 4
[3] whenCreated: value = 20140603023258.0Z
[3] whenChanged: value = 20140603023258.0Z
[3] displayName: value = test1
[3] uSNCreated: value = 14010
[3] uSNChanged: value = 14015
[3] name: value = test1
[3] objectGUID: value = G.fEJ.
[3] userAccountControl: value = 66048
[3] badPwdCount: value = 0
[3] codePage: value = 0
[3] countryCode: value = 0
[3] badPasswordTime: value = 0
[3] lastLogoff: value = 0
[3] lastLogon: value = 0
[3] pwdLastSet: value = 130462363780390000
[3] primaryGroupID: value = 513
[3] objectSid: value = .7.p.%.0.T.S.
[3] accountExpires: value =
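The debug output above shows the ASA binding with the ldap-login-dn credentials through a simple bind over ldap://192.168.2.1:389, so the administrator bind password and the user's password cross the DMZ in cleartext unless the ldap-over-ssl option from the help listing is enabled. The following example is added here and is not part of the original document: it reads lines in that debug format, flags a simple bind on a non-ldaps URI, extracts the resolved user DN and the outcome, and decodes the retrieved userAccountControl value 66048 into its flag names; the sample lines are constructed from the page's output, and the UAC bit table is the documented Microsoft subset.

```python
import re

# Subset of the documented Microsoft userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Names of the bits set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def audit_ldap_debug(lines):
    """Summarise an ASA 'debug ldap 255' session: LDAP URI used, whether a
    simple bind ran over a non-TLS URI, resolved user DN, auth result and
    decoded UAC flags of the returned account."""
    report = {"uri": None, "cleartext_simple_bind": False, "user_dn": None,
              "authenticated": False, "uac_flags": set()}
    for line in lines:
        m = re.search(r"uri=(\S+)", line)
        if m:
            report["uri"] = m.group(1)
        # A simple bind sends the DN and password as-is; only TLS protects it.
        if ("Performing Simple authentication" in line and report["uri"]
                and not report["uri"].startswith("ldaps://")):
            report["cleartext_simple_bind"] = True
        m = re.search(r"User DN = (.+)$", line)
        if m:
            report["user_dn"] = m.group(1).strip()
        if "Authentication successful for" in line:
            report["authenticated"] = True
        m = re.search(r"userAccountControl: value = (\d+)", line)
        if m:
            report["uac_flags"] = decode_uac(int(m.group(1)))
    return report

# Constructed sample, abridged from the debug output shown on this page.
SAMPLE_DEBUG = """\
[3] Creating LDAP context with uri=ldap://192.168.2.1:389
[3] Connect to LDAP server: ldap://192.168.2.1:389, status = Successful
[3] Binding as administrator
[3] Performing Simple authentication for administrator to 192.168.2.1
[3] LDAP Search: Base DN = DC=zhenyi, DC=com Filter = sAMAccountName=test1 Scope = SUBTREE
[3] User DN = CN=test1,OU=p1,DC=zhenyi,DC=com
[3] Binding as user
[3] Performing Simple authentication for test1 to 192.168.2.1
[3] Authentication successful for test1 to 192.168.2.1
[3] userAccountControl: value = 66048
""".splitlines()

if __name__ == "__main__":
    print(audit_ldap_debug(SAMPLE_DEBUG))
```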
