
ASA-ldap

By Francisco Palmer, 2014-06-10 12:28

    ASA-LDAP

Basic ASA configuration:

    ciscoasa(config)# inter e0/0
    ciscoasa(config-if)# ip add 100.1.1.254 255.255.255.0
    ciscoasa(config-if)# no sh
    ciscoasa(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    ciscoasa(config-if)# security-level 100
    ciscoasa(config-if)# inter e0/2
    ciscoasa(config-if)# ip add 192.168.2.254 255.255.255.0
    ciscoasa(config-if)# no sh
    ciscoasa(config-if)# nameif dmz
    INFO: Security level for "dmz" set to 0 by default.
    ciscoasa(config-if)# security-level 10
    ciscoasa(config-if)#

    ciscoasa(config)# telnet 0 0 inside    (enable Telnet access to the firewall from the inside interface)
    ciscoasa(config)#
    ciscoasa# ping 192.168.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ciscoasa#

    client(config)# inter f0/0
    client(config-if)# ip add 100.1.1.1 255.255.255.0
    client(config-if)# no sh
    client(config-if)# end
    client# ping 100.1.1.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.1.1.254, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 12/23/32 ms
    client#

Create a user on the AD server (the test account used below is test1).

    ciscoasa(config)# aaa-server win08 protocol ldap    (specify the protocol the firewall uses to talk to AD)
    ciscoasa(config-aaa-server-group)# exit
    ciscoasa(config)# aaa-server win08 (dmz) host 192.168.2.1    (specify the AAA server's address and the interface it sits behind)
    ciscoasa(config-aaa-server-host)# ?
    AAA server configuration commands:
      exit                   Exit from aaa-server host configuration mode
      help                   Help for AAA server configuration commands
      ldap-attribute-map     Specify the name of the LDAP attribute mapping table
      ldap-base-dn           Specify the location to begin searching in the LDAP hierarchy
      ldap-login-dn          Specify the DN to be used to bind to the LDAP server
      ldap-login-password    Specify password to be used to bind to the LDAP server
      ldap-naming-attribute  Specify the Relative Distinguished Name attribute that uniquely identifies an entry on the LDAP server
      ldap-over-ssl          Specify if an SSL connection is needed to the LDAP server
      ldap-scope             Specify the extent of the search in the LDAP hierarchy
      no                     Remove an item from aaa-server host configuration
      sasl-mechanism         Specify which authentication mechanism(s) to use with the LDAP server
      server-port            Specify the port number to be used for AAA operations
      server-type            Specify the vendor of the LDAP server
      timeout                Specify the maximum time to wait for response from configured server
    ciscoasa(config-aaa-server-host)# ldap-base-dn DC=zhenyi, DC=com    (specify the AD domain as the search base)
    ciscoasa(config-aaa-server-host)# ldap-scope subtree    (how far down the AD tree to search)
    ciscoasa(config-aaa-server-host)# ldap-naming-attribute sAMAccountName    (attribute used to look up the account)
    ciscoasa(config-aaa-server-host)# ldap-login-password 123    (administrator password)
    ciscoasa(config-aaa-server-host)# ldap-login-dn cn=administrator, cn=users, dc=zhenyi, dc=com    (full distinguished name of the administrator account used to bind)
    ciscoasa(config-aaa-server-host)# server-type microsoft    (specify the server type)
    ciscoasa(config-aaa-server-host)# exit
    ciscoasa(config)# aaa authentication telnet console win08    (use the win08 server group to authenticate Telnet logins)
    ciscoasa(config)# end
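The configuration above binds with simple authentication over plain LDAP (the debug output later on this page shows `uri=ldap://192.168.2.1:389` and `Performing Simple authentication`), so the bind account's password and every user's password cross the DMZ unencrypted. As an added example that is not part of the original document, this is the same server definition with the two host-mode options listed in the help output above, `ldap-over-ssl` and `server-port`, set so the exchange runs over LDAP over SSL on 636. The base DN, bind DN and password are the page's own values; in practice the bind DN would be a dedicated read-only account rather than the domain administrator.

```text
! Added example, not the page's own configuration.
! Same server group as on the page, with the LDAP session moved to SSL/636.
aaa-server win08 protocol ldap
aaa-server win08 (dmz) host 192.168.2.1
 ldap-base-dn DC=zhenyi,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=administrator,cn=users,dc=zhenyi,dc=com
 ldap-login-password 123
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
aaa authentication telnet console win08
```

After the change the `test aaa-server authentication` command on this page is the quickest way to confirm the ASA can still reach and bind to the server on the new port.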

    ciscoasa# test aaa-server authentication win08 host 192.168.2.1    (test whether the account authenticates)
    Username: test1
    Password: *****
    INFO: Attempting Authentication test to IP address <192.168.2.1> (timeout: 12 seconds)
    INFO: Authentication Successful
    ciscoasa#

    client# telnet 100.1.1.254    (telnet to the ASA; the test succeeds)
    Trying 100.1.1.254 ... Open

    User Access Verification

    Username: test1
    Password: *****
    Type help or '?' for a list of available commands.
    ciscoasa>

    ciscoasa# debug ldap 255    (debug the LDAP exchange)
    debug ldap enabled at level 255
    ciscoasa#
    [3] Session Start
    [3] New request Session, context 0xd886ae30, reqType = 1
    [3] Fiber started
    [3] Creating LDAP context with uri=ldap://192.168.2.1:389
    [3] Connect to LDAP server: ldap://192.168.2.1:389, status = Successful
    [3] defaultNamingContext: value = DC=zhenyi,DC=com
    [3] supportedLDAPVersion: value = 3
    [3] supportedLDAPVersion: value = 2
    [3] supportedSASLMechanisms: value = GSSAPI
    [3] supportedSASLMechanisms: value = GSS-SPNEGO
    [3] supportedSASLMechanisms: value = EXTERNAL
    [3] supportedSASLMechanisms: value = DIGEST-MD5
    [3] Binding as administrator
    [3] Performing Simple authentication for administrator to 192.168.2.1
    [3] LDAP Search:
         Base DN = [DC=zhenyi, DC=com]
         Filter  = [sAMAccountName=test1]
         Scope   = [SUBTREE]
    [3] User DN = [CN=test1,OU=p1,DC=zhenyi,DC=com]
    [3] Talking to Active Directory server 192.168.2.1
    [3] Reading password policy for test1, dn:CN=test1,OU=p1,DC=zhenyi,DC=com
    [3] Read bad password count 0
    [3] Binding as user
    [3] Performing Simple authentication for test1 to 192.168.2.1
    [3] Checking password policy for user test1
    [3] Binding as administrator
    [3] Performing Simple authentication for administrator to 192.168.2.1
    [3] Authentication successful for test1 to 192.168.2.1
    [3] Retrieving user attributes from server 192.168.2.1
    [3] Retrieved Attributes:
    [3] objectClass: value = top
    [3] objectClass: value = person
    [3] objectClass: value = organizationalPerson
    [3] objectClass: value = user
    [3] cn: value = test1
    [3] sn: value = test1
    [3] distinguishedName: value = CN=test1,OU=p1,DC=zhenyi,DC=com
    [3] instanceType: value = 4
    [3] whenCreated: value = 20140603023258.0Z
    [3] whenChanged: value = 20140603023258.0Z
    [3] displayName: value = test1
    [3] uSNCreated: value = 14010
    [3] uSNChanged: value = 14015
    [3] name: value = test1
    [3] objectGUID: value = G....fEJ........
    [3] userAccountControl: value = 66048
    [3] badPwdCount: value = 0
    [3] codePage: value = 0
    [3] countryCode: value = 0
    [3] badPasswordTime: value = 0
    [3] lastLogoff: value = 0
    [3] lastLogon: value = 0
    [3] pwdLastSet: value = 130462363780390000
    [3] primaryGroupID: value = 513
    [3] objectSid: value = .............7.p.%..0.T.S...
    [3] accountExpires: value = 9223372036854775807
    [3] logonCount: value = 0
    [3] sAMAccountName: value = test1
    [3] sAMAccountType: value = 805306368
    [3] userPrincipalName: value = test1@zhenyi.com
    [3] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=zhenyi,DC=com
    [3] Fiber exit Tx=679 bytes Rx=2390 bytes, status=1
    [3] Session End
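The debug output above is the whole authentication flow in one place: the ASA binds as the administrator DN, searches the base DN for `sAMAccountName=test1`, binds again as the user's DN with the user's password, then re-binds as administrator to read the account's attributes. Most of those attributes are raw AD values (`userAccountControl` is a bit field, `pwdLastSet` and `accountExpires` are Windows FILETIME counts of 100-nanosecond intervals since 1601). The following is an added example, not code from the original document: a small Python parser that turns a `debug ldap 255` transcript into the facts a defender checks (transport and bind method, bind sequence, resolved user DN, decoded flags, converted timestamps, failed-password count). The sample transcript is constructed from the debug lines on this page; the flag names and FILETIME epoch are Microsoft's documented values.

```python
"""Summarise a Cisco ASA `debug ldap 255` transcript from a defender's view.

Added example, not code from the original document.  The sample transcript
below is constructed from the debug lines shown on this page.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the page's `debug ldap 255` output.
SAMPLE_DEBUG = """\
[3] Session Start
[3] Creating LDAP context with uri=ldap://192.168.2.1:389
[3] Connect to LDAP server: ldap://192.168.2.1:389, status = Successful
[3] supportedSASLMechanisms: value = GSSAPI
[3] supportedSASLMechanisms: value = DIGEST-MD5
[3] Binding as administrator
[3] Performing Simple authentication for administrator to 192.168.2.1
[3] LDAP Search:
 Base DN = [DC=zhenyi, DC=com]
Filter = [sAMAccountName=test1]
 Scope = [SUBTREE]
[3] User DN = [CN=test1,OU=p1,DC=zhenyi,DC=com]
[3] Read bad password count 0
[3] Binding as user
[3] Performing Simple authentication for test1 to 192.168.2.1
[3] Binding as administrator
[3] Performing Simple authentication for administrator to 192.168.2.1
[3] Authentication successful for test1 to 192.168.2.1
[3] userAccountControl: value = 66048
[3] badPwdCount: value = 0
[3] pwdLastSet: value = 130462363780390000
[3] accountExpires: value = 9223372036854775807
[3] sAMAccountName: value = test1
[3] Session End
"""

# Subset of the documented userAccountControl bits that matter for a login review.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807          # AD's "never expires" sentinel

ATTR_RE = re.compile(r"^\[\d+\] (\w+): value = (.*)$")
BIND_RE = re.compile(r"^\[\d+\] Performing (\w+) authentication for (\S+) to (\S+)$")
URI_RE = re.compile(r"uri=(\w+)://([\d.]+):(\d+)")


def decode_uac(value: int) -> list:
    """Return the names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_iso(value: int) -> str:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    if value in (0, NEVER):
        return "never"
    return (FILETIME_EPOCH + timedelta(microseconds=value // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_debug(text: str) -> dict:
    """Pull transport, bind sequence, search filter, user DN and attributes out of the debug."""
    s = {"uri": None, "tls": None, "binds": [], "user_dn": None,
         "filter": None, "attrs": {}, "result": "unknown"}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := URI_RE.search(line)):
            s["uri"] = f"{m.group(1)}://{m.group(2)}:{m.group(3)}"
            s["tls"] = m.group(1) == "ldaps"
        elif (m := BIND_RE.match(line)):
            s["binds"].append((m.group(2), m.group(1).lower()))   # (who, method)
        elif line.startswith("Filter = ["):
            s["filter"] = line[len("Filter = ["):-1]
        elif "User DN = [" in line:
            s["user_dn"] = line.split("[", 2)[2].rstrip("]")
        elif (m := ATTR_RE.match(line)):
            s["attrs"].setdefault(m.group(1), []).append(m.group(2))   # multi-valued attrs
        elif "Authentication successful" in line:
            s["result"] = "success"
    return s


def findings(s: dict) -> list:
    """Security-relevant observations a reviewer would raise from the parsed debug."""
    out = []
    if s["tls"] is False:
        out.append(f"cleartext LDAP on {s['uri']}: simple binds carry the bind-DN and user passwords unencrypted")
    simple = list(dict.fromkeys(who for who, how in s["binds"] if how == "simple"))
    if simple:
        out.append("simple bind performed as: " + ", ".join(simple))
    attrs = s["attrs"]
    flags = decode_uac(int(attrs.get("userAccountControl", ["0"])[0]))
    for flag in ("DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "ACCOUNTDISABLE"):
        if flag in flags:
            out.append("userAccountControl has " + flag)
    bad = int(attrs.get("badPwdCount", ["0"])[0])
    if bad:
        out.append(f"{bad} failed password attempt(s) recorded on the account")
    return out


def analyse(text: str) -> dict:
    """One-shot report: parsed facts plus decoded flags, timestamps and findings."""
    s = parse_debug(text)
    attrs = s["attrs"]
    return {
        "uri": s["uri"], "tls": s["tls"], "bind_sequence": s["binds"],
        "user_dn": s["user_dn"], "filter": s["filter"], "result": s["result"],
        "uac_flags": decode_uac(int(attrs.get("userAccountControl", ["0"])[0])),
        "pwd_last_set": filetime_to_iso(int(attrs.get("pwdLastSet", ["0"])[0])),
        "account_expires": filetime_to_iso(int(attrs.get("accountExpires", ["0"])[0])),
        "findings": findings(s),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_DEBUG).items():
        print(f"{key}: {val}")
```

On the page's transcript the report shows three simple binds over `ldap://192.168.2.1:389`, `userAccountControl` 66048 decoding to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, and `pwdLastSet` converting to 2014-06-03T02:32:58Z, which matches the `whenCreated` value the ASA also retrieved. Feeding a real captured debug session to `analyse()` instead of the sample is the only change needed to use it on other output.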
