LDAP authorization on the Cisco ISR with the verification of the user group in AD

Translated with Google Translate and corrected by me; it may still contain mistakes…

I needed to authenticate users with their domain accounts when they connect through Cisco Easy VPN. The method below should work on Cisco ISR routers such as the 1800x and 1900x series.

I will not go into the Easy VPN configuration itself; only the LDAP part of the authentication and authorization is described below.

Because LDAP is used to authenticate and authorize Easy VPN connections, that method is added to the AAA method lists. Local accounts are kept as well. Note the order: with "local group ldap" the router tries the local database first and only falls through to LDAP when the local method cannot answer (for example, the username does not exist locally); a local user with a wrong password is simply rejected.

aaa authentication login EVPN local group ldap
aaa authorization network EVPN local group ldap

In the ISAKMP profile used for Easy VPN, the client authentication list and the ISAKMP authorization list are attached:

crypto isakmp profile EVPN_USERS
client authentication list EVPN
isakmp authorization list EVPN

For the LDAP bind you will need to specify the name and password of a domain account below. It does not need domain admin rights: reading user objects and their memberOf attribute is allowed for any ordinary domain user by default, so use a dedicated account with the least privilege you can, because its password is stored in the router configuration in reversible form (see the note on type 7 below).

To follow the config below, assume that:
Our domain name is mydomain.example.com
The bind account is DomainAdmin and its password is DomainPass
The AD group whose members are allowed to connect to Easy VPN is EVPN
A user who is a member of that group is i.ivanov

Now configure the connection to the LDAP server. Because the connection here runs without encryption on the standard port 389, those parameters are simply absent from the config. Keep in mind what that means: the bind password and, for a simple bind, every user's VPN password cross the network in clear text between the router and the domain controller, so run this over a trusted segment or switch to LDAP over TLS if your IOS release supports it.

# Create the LDAP server definition for the domain controller
ldap server DC
# IP address of the domain controller (the original post omitted this line; substitute your DC's address)
ipv4 <address-of-DC>
# Retransmit timeout in seconds, used when the controller does not answer
timeout retransmit 20
# Bind account and password; after you enter it, the password is stored as type 7,
# which is reversible obfuscation, not a hash
bind authenticate root-dn CN=DomainAdmin,CN=Users,DC=mydomain,DC=example,DC=com password DomainPass
# Root of the domain from which the user search starts
base-dn DC=mydomain,DC=example,DC=com
# Filter that allows only users who are members of the EVPN group (the odd syntax is explained below)
search-filter user-object-type user)(memberOf=cn=EVPN,cn=Users,dc=mydomain,dc=example,dc=com

A closer look at the filter: there are no typos in that line, it is exactly as intended. It is a kind of hack that relies on the router completing the LDAP query itself. The value of search-filter user-object-type is substituted into an (objectclass=...) term of a filter the router builds, so the ")" right after "user" closes that term, "(memberOf=..." opens a second term, and the closing parenthesis the router appends completes it.

In the LDAP debug output the assembled filter was shown in the original post as a screenshot, with the inserted piece highlighted in bold; that screenshot is not reproduced here. The rest of the filter is generated by the router.

Apparently this option was only meant to change the objectclass from "user" to something else. But as you can see, almost any expression can be put there, as long as the parentheses balance once the router adds its own.
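To make the trick easier to see and to check a candidate filter before putting it on a router, here is an added example (my own code, not from the original post and not Cisco's implementation). It assembles the filter the way the router is assumed to, namely by substituting the configured value into the template (&(objectclass=<value>)(cn=<username>)), parses the result with a minimal RFC 4515 parser, and evaluates it against a small constructed directory. The template and the use of cn as the login attribute are assumptions; the directory entries are made up.

```python
"""Added example (not from the original post): model how the router turns the
`search-filter user-object-type` value into an LDAP search filter, then evaluate
the result against a small constructed directory to show which users match.

Assumptions (not confirmed by the post): the router's template is
(&(objectclass=<value>)(<user-attribute>=<username>)) and the attribute used
for the login name is cn. Directory entries below are constructed data.
"""

USER_ATTR = "cn"  # assumed attribute the router matches the login name against

# The value from the post: ')' closes the objectclass term the router opened,
# '(memberOf=' starts a second term, and the router's trailing ')' closes it.
GROUP_HACK = "user)(memberOf=cn=EVPN,cn=Users,dc=mydomain,dc=example,dc=com"


def build_filter(object_type, username):
    """Assemble the search filter the way the router is assumed to do it."""
    return "(&(objectclass=%s)(%s=%s))" % (object_type, USER_ATTR, username)


def parse_filter(text):
    """Minimal RFC 4515 parser: and/or/not and equality items only.

    Returns ('&'|'|'|'!', [children]) or ('=', attribute, value),
    with attribute and value lower-cased for case-insensitive matching.
    """
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(item())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item at offset %d" % pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("no '=' in item at offset %d" % pos)
        pos = end + 1
        return ("=", attr.strip().lower(), value.lower())

    node = item()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # '!'


# Constructed sample directory: one user in EVPN, one user in another group,
# and the group object itself (which must never match a user search).
DIRECTORY = [
    {"cn": ["i.ivanov"], "objectclass": ["top", "person", "user"],
     "memberof": ["CN=EVPN,CN=Users,DC=mydomain,DC=example,DC=com"]},
    {"cn": ["p.petrov"], "objectclass": ["top", "person", "user"],
     "memberof": ["CN=Staff,CN=Users,DC=mydomain,DC=example,DC=com"]},
    {"cn": ["EVPN"], "objectclass": ["top", "group"],
     "member": ["CN=i.ivanov,CN=Users,DC=mydomain,DC=example,DC=com"]},
]


def search(object_type, username, directory=DIRECTORY):
    """Return the cn of every entry the assembled filter matches."""
    node = parse_filter(build_filter(object_type, username))
    return [e["cn"][0] for e in directory if matches(node, e)]


if __name__ == "__main__":
    for value in ("user", GROUP_HACK):
        print("filter:", build_filter(value, "i.ivanov"))
        for user in ("i.ivanov", "p.petrov"):
            print("  %-9s -> %s" % (user, search(value, user)))
```

With the plain value "user" both users are found, so any domain account would pass; with the injected value only i.ivanov is returned and p.petrov, who is not in EVPN, gets an empty result. The parser also raises on a value whose parentheses do not balance after the router's wrapping, which is the failure mode to check before committing a new filter.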

As a result, with this configuration only members of the EVPN group can connect to Easy VPN. Two caveats worth knowing: memberOf lists only direct group memberships, so a user who is in EVPN only through a nested group will not match (Active Directory supports the transitive matching rule memberOf:1.2.840.113556.1.4.1941:= for that case), and a user's primary group is never listed in memberOf at all.

