Using AD LDS with a Cisco VPN and leveraging dynamic access lists

Recently, one of our customers came to me to ask about setting up a VPN for some of their clients.  He wanted a secure way to let his clients access the resources that they needed – and only those resources.  Unfortunately, every client needed to access different devices and they wanted a way to manage this as easily as possible, preferably without having to make changes to the firewall every time they needed to add a user or change what resources the user could access.  They also did not want to store this in their production Active Directory environment.

To sum it up, these were the bullet points that the client wanted addressed:

  • Create a way for clients to connect via VPN and only give them access to specific network resources.
  • Do not store accounts on the firewall or in Active Directory
  • Make it easy to manage, without having to constantly make changes to the firewall every time a new user needs to be added or access lists for the VPN need to be created/changed.

The solution:

  • Use AD LDS (Active Directory Lightweight Directory Services) from Windows and setup LDAP Authentication on the ASA using this AD LDS instance for authentication.
  • Use an attribute in AD LDS to store the ‘access list’.

AD LDS is a directory service that runs inside of Windows, separate from your actual Active Directory. This article explains more, I’ll be referencing it a few times in this blog post (This article was written for Windows 2012 R2).

This solution provides the ability to manage users and their access easily, within a separate directory that is not part of their normal Active Directory environment. Additionally, it does not require constant changes to the firewall.  Minimizing changes on the firewall minimizes the possibility of human error and possible misconfigurations or worse, downtime.

It is important to note that for this setup you should use LDAPS, also known as “Secure LDAP”.  LDAPS is a secure/encrypted connection for your LDAP protocol that runs on TCP port 636 instead of the standard TCP port 389.  In the article, there are references to the LDAP protocol but the underlying connection should be setup using LDAPS.

Installing and configuring AD LDS

  1. Install AD LDS on Windows Server 2012 R2 (2008 R2 or even 2016 would probably work fine too, but this article was written for Windows Server 2012 R2)
  2. Setup new AD LDS instance
    1. Name the instance something relevant (e.g. VPNAuth)
    2. Create a new Application Directory Partition (e.g. O=VPNAuth)
    3. When setting up the new instance you’ll be prompted to import the LDIF’s, pick at least one of these two.
      • MS-InetOrgPerson.LDF
      • MS-User.LDF
  3. Connect to the instance using ADSIEDIT (This will be your method for managing the configuration – or PowerShell)
  4. Create an OU called Users
  5. Create a user for the ASA to connect to for LDAP lookups in the new Users OU.
    1. After creating the user, right click on the user and choose “Reset password”.
    2. Add this user to the ‘Readers’ role in the AD LDS Instance. Do this by taking the “DN” of your ASA user (e.g. CN=ASA,OU=Users,O=VPNAuth) and add it to the “member” attribute of the “Readers” role.
  6. Create an OU called ‘VPNUsers’
  7. Create a VPN user in this OU. Again, set the password.

Note: If your AD LDS server is a member of a domain, the AD LDS instance will inherit the password policy of the Active Directory Domain it is a member of.  This means if you require passwords and specific password complexity, those requirements will be the same for your AD LDS users.  This also means that the account will be disabled when creating the user in AD LDS because you can’t set the password at the time you create the user using ADSIEDIT.  If you have a password policy, follow these steps after creating the user (this applies to your ASA and your VPN Users):

  1. Create the user
  2. Set the password
  3. Edit the user and change the msDS-UserAccountDisabled Attribute to “FALSE” (It will probably be set to “TRUE”)
  4. Optional: Change the msDS-UserDontExpirePassword to “TRUE”

Configuring ASA

  1. Create your VPN setup (details of that are not included in this article)
  2. Setup AAA Server group and server for LDAP.
  3. Setup LDAP Attribute
    1. Pick an attribute to use for the mapping. In my case, I used wWWHomePage.  This is the attribute where we will store the Cisco-AV-Pair, which is where we store the access list.
  4. Setup AAA Server in server group.
  5. Setup your client VPN connection (Details not included here, but all testing was done using an AnyConnect VPN tunnel)
  6. Set the authentication server for your VPN group

Now, in order to configure access to specific devices, we need to setup the Cisco-AV-Pair. For this example, I’m limiting access to the 10.255.100.30 IP address. So in the wWWHomePage attribute, I set the following:Log-in and test. Verify that you are only allowed to access the resources set in the Cisco-AV-Pair.

You can easily add new users and setup their access list by using ADSIEDIT.  This can also be simplified by using PowerShell.  You can build scripts to quickly add users, delete users, disable users, set the access, etc.

Troubleshooting:

If you find when you try to log in and it fails instantly, you probably had a problem with your Cisco-AV-Pair.  Try clearing the attribute and then authenticating to the VPN again.  If it works, you know you probably have a syntax problem with your Cisco-AV-Pair.  Otherwise, make sure your ASA user along with the VPN user has a password set that conforms to your password policy and that the user accounts are enabled (check to make sure the msDS-UserAccountDisabled attribute on the user objects is set to “FALSE”).

To help troubleshoot, run ‘debug ldap 255’ on the ASA.

Additionally, if you want to add multiple lines to your Cisco-AV-Pair attribute, you can do it one of two ways:

  • PowerShell
  • Paste using an application that converts linefeeds to UNIX style.

The easiest way to accomplish this is to use something like Notepad++.  In Notepad++, change the EOL Conversion to ‘UNIX/OSX Format’.  You can then paste a multi-line string into the attribute.

Note: the wWWHomePage attribute will only accept up to 2048 bytes.  If you need a larger access list, you may need to use a different attribute.

To further enhance this solution, you could use PowerShell scripts to take care of the adding/deleting/disabling of users and setting the Cisco-AV-Pair attribute.

If you have any questions or need help implementing any of the technologies mentioned above, email info@peters.com.  We are happy to help!

Additional Resources:

For additional information setting up the Cisco-AV-Pair rules, see here.

Set or Modify the Password of an AD LDS User

Configuring LDAP over SSL Requirements for AD LDS

By |2018-12-18T11:55:41-05:00July 19th, 2017|Infrastructure Services|Comments Off on Using AD LDS with a Cisco VPN and leveraging dynamic access lists

About the Author:

Toby is a managing consultant at Peters and Associates. During his over 20 years of service to Peters and Associates, he has worked on many different technologies. His main focus has been messaging and collaboration, virtualization, domain migrations and consolidations, along with disaster recovery planning and testing. He primarily works with Microsoft technologies, but is also familiar with a wide variety of other software and hardware.