Bounty: 500 Honghu coins
This post was last edited by shi351953026 on 2022-7-12 10:15
Lab requirements
SSL VPN dial-in, authenticated against a specific domain group: domain users who belong to the group can log in, everyone else is denied.
Network topology
Topology diagram (image)
Basic settings
Define the device hostname
hostname ASA5510
Create a user and set the passwords
username admin password P@ssW0rd privilege 15
enable password P@ssW0rd
Configure the interfaces
Outside interface address
int e0
nameif outside
ip add 100.1.1.251 255.255.255.0
no sh
Inside interface address
int e1
nameif inside
ip add 10.255.101.251 255.255.255.0
no sh
Set the default route and the inside route
route outside 0.0.0.0 0.0.0.0 100.1.1.1
route inside 10.255.0.0 255.255.0.0 10.255.101.254
Define the internal network
object network lan_inside
subnet 10.255.0.0 255.255.0.0
Configure NAT
nat (inside,outside) source dynamic lan_inside interface
Configure the IP address pool handed out to SSL VPN users on dial-in
ip local pool PL_sslvpn 10.255.201.101-10.255.202.150 mask 255.255.255.0
Define the SSL VPN network
object network lan_sslvpn
subnet 10.255.201.0 255.255.255.0
Configure split tunneling
access-list SP_sslvpn extended permit ip 10.255.0.0 255.255.0.0 10.255.202.0 255.255.255.0
Configure the interesting traffic
Note: the firewall NAT rule must come after the interesting-traffic (NAT exemption) rule, otherwise traffic will not pass; remove it with no first, then configure it again.
no nat (inside,outside) source dynamic lan_inside interface
nat (inside,outside) source static lan_inside lan_inside destination static lan_sslvpn lan_sslvpn
nat (inside,outside) source dynamic lan_inside interface
Configure webvpn
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ciscoasa(config-webvpn)# anyconnect-essentials
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.3.0185-k9.pkg
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config-webvpn)# tunnel-group-list enable
Configure the AAA server; the server is the domain controller and domain users are used
aaa-server AAA_sslvpn protocol ldap
aaa-server AAA_sslvpn (inside) host 10.255.100.200
ldap-base-dn dc=shfvip,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password P@ssW0rd
ldap-login-dn cn=sysasa,OU=Groups,OU=CN,dc=shfvip,dc=net
server-type microsoft
Test connectivity to the AAA server
ASA# test aaa-server authentication AAA_sslvpn host 10.255.100.200 username sysasa password P@ssW0rd
Message returned when the test succeeds
INFO: Authentication Successful
Configure two group-policies, referencing the address pool and the split-tunnel list
group-policy GP_noaccess internal
group-policy GP_noaccess attributes
vpn-simultaneous-logins 0
group-policy GP_sslvpn internal
group-policy GP_sslvpn attributes
vpn-simultaneous-logins 100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SP_sslvpn
default-domain value shfvip.net
Configure the Tunnel-group
tunnel-group TG_sslvpn type remote-access
tunnel-group TG_sslvpn general-attributes
address-pool PL_sslvpn
authentication-server-group AAA_sslvpn
default-group-policy GP_noaccess
tunnel-group TG_sslvpn webvpn-attributes
group-alias SSL-VPN enable
Configure the attribute map
ldap attribute-map MAP_sslvpn
map-name memberof Group-Policy
map-value memberof cn=sslvpn,ou=groups,ou=cn,dc=shfvip,dc=net GP_sslvpn
Apply the attribute map
aaa-server AAA_sslvpn (inside) host 10.255.100.200
ldap-attribute-map MAP_sslvpn
With the configuration above complete, users cannot dial in; the prompt is login failed
=================================
Enable debug ldap 255
[12] Session Start
[12] New request Session, context 0x7fe01db8, reqType = Authentication
[12] Fiber started
[12] Creating LDAP context with uri=ldap://10.255.100.200:389
[12] Connect to LDAP server: ldap://10.255.100.200:389, status = Successful
[12] supportedLDAPVersion: value = 3
[12] supportedLDAPVersion: value = 2
[12] Binding as sysasa
[12] Performing Simple authentication for sysasa to 10.255.100.200
[12] LDAP Search:
Base DN = [dc=shfvip,dc=net]
Filter = [sAMAccountName=ssl1]
Scope = [SUBTREE]
[12] User DN = [CN=ssl1,OU=Groups,OU=CN,DC=shfvip,DC=net]
[12] Talking to Active Directory server 10.255.100.200
[12] Reading password policy for ssl1, dn:CN=ssl1,OU=Groups,OU=CN,DC=shfvip,DC=net
[12] Read bad password count 0
[12] Binding as ssl1
[12] Performing Simple authentication for ssl1 to 10.255.100.200
[12] Processing LDAP response for user ssl1
[12] Message (ssl1):
[12] Authentication successful for ssl1 to 10.255.100.200
[12] Retrieved User Attributes:
[12] objectClass: value = top
[12] objectClass: value = person
[12] objectClass: value = organizationalPerson
[12] objectClass: value = user
[12] cn: value = ssl1
[12] sn: value = ssl1
[12] distinguishedName: value = CN=ssl1,OU=Groups,OU=CN,DC=shfvip,DC=net
[12] instanceType: value = 4
[12] whenCreated: value = 20220420181102.0Z
[12] whenChanged: value = 20220420181408.0Z
[12] displayName: value = ssl1
[12] uSNCreated: value = 25109
[12] memberOf: value = CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net
[12] uSNChanged: value = 25118
[12] name: value = ssl1
[12] objectGUID: value = ...b..yC...B.r..
[12] userAccountControl: value = 512
[12] badPwdCount: value = 0
[12] codePage: value = 0
[12] countryCode: value = 0
[12] badPasswordTime: value = 0
[12] lastLogoff: value = 0
[12] lastLogon: value = 0
[12] pwdLastSet: value = 132949518622113601
[12] primaryGroupID: value = 513
[12] objectSid: value = ......................z.Z...
[12] accountExpires: value = 9223372036854775807
[12] logonCount: value = 0
[12] sAMAccountName: value = ssl1
[12] sAMAccountType: value = 805306368
[12] userPrincipalName: value = ssl1@shfvip.net
[12] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=shfvip,DC=net
[12] dSCorePropagationData: value = 16010101000000.0Z
[12] lastLogonTimestamp: value = 132949520482453896
[12] Fiber exit Tx=531 bytes Rx=2553 bytes, status=1
[12] Session End
Attached screenshots (images): AD network; AD; user group; user
I don't know where the problem is. I searched a lot of material online and the key points are all the ones above. Without group authorization restricting which users can dial in, by default all domain users can log in, and that part works!
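An added helper, not from the post and not Cisco code, that replays the memberOf-to-Group-Policy lookup offline: it parses the Retrieved User Attributes block of a debug ldap 255 capture and the ldap attribute-map, then reports which group-policy the user would land in and whether the map-value DN matched byte-for-byte or only after case/whitespace normalization. The sample input is constructed from the post's own debug and config lines; GP_noaccess is the tunnel-group default, which with vpn-simultaneous-logins 0 rejects the session.

```python
import re

# Constructed sample: lines trimmed from the post's own "debug ldap 255" output.
DEBUG_LDAP = """\
[12] Authentication successful for ssl1 to 10.255.100.200
[12] Retrieved User Attributes:
[12] cn: value = ssl1
[12] memberOf: value = CN=sslvpn,OU=Groups,OU=CN,DC=shfvip,DC=net
[12] Fiber exit Tx=531 bytes Rx=2553 bytes, status=1
"""
# Constructed sample: the attribute map exactly as the post configures it.
ATTRIBUTE_MAP = """\
ldap attribute-map MAP_sslvpn
 map-name memberof Group-Policy
 map-value memberof cn=sslvpn,ou=groups,ou=cn,dc=shfvip,dc=net GP_sslvpn
"""
ATTR_RE = re.compile(r"^\[\d+\] (\S+): value = (.*)$")
MAP_VALUE_RE = re.compile(r"^\s*map-value (\S+) (.+) (\S+)$")

def parse_retrieved_attributes(debug):
    """Collect 'name: value = x' lines that follow 'Retrieved User Attributes:'."""
    attrs, active = {}, False
    for line in debug.splitlines():
        if "Retrieved User Attributes:" in line:
            active = True
            continue
        m = ATTR_RE.match(line) if active else None
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return attrs

def parse_map_values(amap):
    """Return [(ldap_attr_lower, dn_literal, group_policy)] from map-value lines."""
    return [(m.group(1).lower(), m.group(2), m.group(3))
            for m in map(MAP_VALUE_RE.match, amap.splitlines()) if m]

def normalize_dn(dn):
    """Lowercase and strip spaces around RDN separators so only real differences remain."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_group_policy(debug, amap, default_policy):
    """Return (policy, how): the policy a map-value selects, or the tunnel-group default."""
    attrs = parse_retrieved_attributes(debug)
    for ldap_attr, dn_literal, policy in parse_map_values(amap):
        for value in attrs.get(ldap_attr, []):
            if value == dn_literal:          # byte-for-byte match
                return policy, "exact"
            if normalize_dn(value) == normalize_dn(dn_literal):
                return policy, "case-insensitive"  # only case/whitespace differ
    return default_policy, "no-match"      # e.g. GP_noaccess, which rejects logins
```

On an ASA, a map-value that is applied shows up in the debug as a mapped to Group-Policy line right after the memberOf line, so that line is the first thing to look for in a capture like the one above.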
Best answer
Configure the Tunnel-group
default-group-policy shfvip LOCAL
AD authentication is preferred; if AD is unreachable, local authentication is used.