Duo Access Gateway SAML plus LDAP for auto assigning tunnel groups in Cisco ASA

I am currently deploying SAML Authentication with an onsite Duo Access Gateway server. Everything is working on the SAML Authentication side. However, I want the Cisco ASA to check the user name for the Active Directory group (via LDAP) and then assign the appropriate tunnel group in the ASA.

I had Radius authentication set up prior so that the user would login to the VPN, radius would grab their account group name (example: Sales) and then the ASA would assign the appropriate tunnel group.

It seems like with SAML doing the authentication, I cannot get LDAP to send the user group and make the ASA assign a tunnel group. How can I have tunnel groups assigned on the ASA based on the authenticated user (group) like I did for Radius, but continue using SAML?

The reason I do not want to do a Duo with Radius deployment is because I need my users to be able to self-enroll into Duo and manage their own devices. The Radius path is a poor experience for end users and a headache for IT.

Hey @InternetsNinja!

You can do this by configuring the Authorization AAA server group setting for the connection profile to point at AD.

Here is a video from Cisco on how to do this: How to configure ASA for AnyConnect RA VPN using SAML authentication with DUO and LDAP authorization - YouTube

I would also highly recommend using Duo SSO (and its official ASA integration) over the legacy Duo Access Gateway for Single Sign-On!


I want to utilize the AnyConnect app and prompt self-enrollment, so the LDAP Authorization is the best choice for us.

I have set up the LDAP Authorization part but it keeps failing to pull the user groups in the Dynamic Access Policy. No matter what I’ve done I can’t “get user groups” in Cisco ASDM as it keeps saying my AD server group is not an Active Directory Server Group, but it is.

I want to use ldap.memberOf = VPN Users and then apply a dynamic access policy. But I keep getting "search result failed" or "target doesn't exist". And it keeps searching for ".com" rather than ".co". I want to use the domain user name, which is a .co name and not a .com name.

FPR2110-ASA-SV3# debug ldap 255
debug ldap enabled at level 255
FPR2110-ASA-SV3#
[8657] Session Start
[8657] New request Session, context 0x000000557a9a0700, reqType = Other
[8657] Fiber started
[8657] Creating LDAP context with uri=ldap://10.1.100.171:389
[8657] Connect to LDAP server: ldap://10.1.100.171:389, status = Successful
[8657] LDAP server 10.1.100.171 is Active directory
[8657] defaultNamingContext: value = DC=omitted,DC=co
[8657] ■■■■■■■■■■■■■■■■■■■■sms: value = GSSAPI
[8657] ■■■■■■■■■■■■■■■■■■■■sms: value = GSS-SPNEGO
[8657] ■■■■■■■■■■■■■■■■■■■■sms: value = EXTERNAL
[8657] ■■■■■■■■■■■■■■■■■■■■sms: value = DIGEST-MD5
[8657] ■■■■■■■■■■■■■■■■■■■■: value = 3
[8657] ■■■■■■■■■■■■■■■■■■■■: value = 2
[8657] Binding as omitted\user
[8657] Performing Simple authentication for omitted\user to 10.1.100.171
[8657] LDAP Search:
Base DN = [dc=omitted,dc=co]
Filter = [sAMAccountName=user@omitted.com]
Scope = [SUBTREE]
[8657] Search result parsing returned failure status
[8657] Fiber exit Tx=276 bytes Rx=933 bytes, status=-1
[8657] Session End

[8629] Session Start
[8629] New request Session, context 0x000000557a9a0700, reqType = Other
[8629] Fiber started
[8629] Creating LDAP context with uri=ldap://10.1.100.171:389
[8629] Connect to LDAP server: ldap://10.1.100.171:389, status = Successful
[8629] LDAP server 10.1.100.171 is Active directory
[8629] defaultNamingContext: value = DC=omitted,DC=co
[8629] ■■■■■■■■■■■■■■■■■■■■sms: value = GSSAPI
[8629] ■■■■■■■■■■■■■■■■■■■■sms: value = GSS-SPNEGO
[8629] ■■■■■■■■■■■■■■■■■■■■sms: value = EXTERNAL
[8629] ■■■■■■■■■■■■■■■■■■■■sms: value = DIGEST-MD5
[8629] ■■■■■■■■■■■■■■■■■■■■: value = 3
[8629] ■■■■■■■■■■■■■■■■■■■■: value = 2
[8629] Binding as omitted\user
[8629] Performing Simple authentication for omitted\user to 10.1.100.171
[8629] LDAP Search:
Base DN = [cn=IT,cn=AD User Accounts,DC=bidtellect,DC=co]
Filter = [sAMAccountName=user@omitted.com]
Scope = [ONE LEVEL]
[8629] Request for user@omitted.com returned code (32) No such object
[8629] Fiber exit Tx=302 bytes Rx=805 bytes, status=-1
[8629] Session End

Depending on the config I either get FAIL or OBJECT DOESN'T EXIST.

I’m missing something somewhere.

I figured it out. You have to tell the ASA to strip the realm from the username before passing it to the AAA LDAP server for secondary Authorization lookup. Once you enable this option, the LDAP attributes are pulled into the ASA properly and then you can use Dynamic Access Lists against those attributes.
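As an added example (not from the thread or from Cisco/Duo): a small Python audit that parses `debug ldap 255` output like the sessions above and flags any lookup whose sAMAccountName filter still carries the @realm, which is the symptom the realm-stripping setting (the `strip-realm` connection-profile option) removes. The sample log is a constructed, trimmed copy of the post's failing session plus a constructed post-fix session; the session ids, domain and user are placeholders.

```python
import re

# Constructed sample: the failing lookup from the post (session 8657) beside a
# constructed lookup (session 9001) made after enabling realm stripping.
SAMPLE_DEBUG = """\
[8657] LDAP Search:
Base DN = [dc=omitted,dc=co]
Filter = [sAMAccountName=user@omitted.com]
[8657] Search result parsing returned failure status
[9001] LDAP Search:
Base DN = [dc=omitted,dc=co]
Filter = [sAMAccountName=user]
"""

def strip_realm(username):
    """Model the ASA strip-realm setting: drop '@' and everything after it."""
    return username.split("@", 1)[0]

def dn_domain(dn):
    """Join the DC= components of a DN into a DNS-style domain, e.g. omitted.co."""
    return ".".join(re.findall(r"dc=([^,]+)", dn, flags=re.I)).lower()

def parse_sessions(text):
    """Group debug-ldap lines by [id]; unprefixed lines join the current session."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[(\d+)\]\s*(.*)", line)
        if m:
            current, line = sessions.setdefault(m.group(1), {}), m.group(2)
        kv = re.match(r"(Base DN|Filter) = \[([^\]]*)\]", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return sessions

def audit(sessions):
    """{id: None} when the sAMAccountName filter is clean, {id: explanation} when it
    still carries a realm (sAMAccountName is a plain logon name, so '@' never matches)."""
    findings = {}
    for sid, s in sessions.items():
        m = re.match(r"sAMAccountName=(.+)", s.get("Filter", ""))
        if m is None:
            continue
        user = m.group(1)
        if "@" in user:
            findings[sid] = (f"realm '{user.split('@', 1)[1]}' left in filter "
                             f"(AD domain is '{dn_domain(s.get('Base DN', ''))}'); "
                             f"stripped: sAMAccountName={strip_realm(user)}")
        else:
            findings[sid] = None
    return findings
```

Run `audit(parse_sessions(SAMPLE_DEBUG))` against a pasted debug capture: a non-None finding means the ASA is still forwarding the SAML user@realm identity to LDAP, so the authorization lookup can never match and no memberOf attributes will reach the DAP.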