
Next-Generation Firewall (CX) Active Directory Integration Configuration Example
Document ID: 117377
Contributed by Jay Johnston, Prapanch Ramamoorthy, and Kevin Klous,
Cisco TAC Engineers.
Jan 30, 2014
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
The Realm Configuration
Example
The Directory Configuration
Example
Determine the User Search Base
Determine the Group Search Base
Determine the Distinguished Name of Other Objects in Active Directory - ADSI Edit
Verify
Verify the Network Connectivity to the Active Directory Server
Verify the User and Group Lookup with the Active Directory
Troubleshoot
DNS Configuration Problems Cause Active Directory Integration to Fail
Network Connectivity Problems Between the Next-Generation Firewall and the Active Directory Server
Related Information
Introduction
This document describes how to determine the appropriate Lightweight Directory Access Protocol (LDAP)
User and Group search information when you configure the Next-Generation Firewall (CX or Context
Firewall) with Prime Security Manager (PRSM) for Identity features. When you configure identity policies
within PRSM, if the Directory User and Group search base information is not entered correctly, the device
will not be able to correctly look up User and Group information and some policies might fail to apply
correctly. This document guides the user through the determination of the correct User and Group search
information for an Active Directory policy and shows how to confirm if the CX can successfully perform
User and Group searches.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Next-Generation Firewall with on-box PRSM management,
Version 9.2.1.2(52).
Note: This document assumes that authentication and user and group policies will be performed using a
Microsoft Active Directory Domain Controller.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Configure
This document describes two types of configurations, which are the Realm Configuration and the Directory
Configuration.
The Realm Configuration
The Realm is a container in which authentication servers are placed. For more information on Directory
Realms, see the Overview of Directory Realms section of the User Guide for ASA CX and Cisco Prime
Security Manager 9.2.
Example
In PRSM Version 9.2, choose Configurations > Directory Realm.
Note: The Primary Domain should be lowercase due to Cisco bug ID CSCum53396 - ASA CX doesn't handle
case sensitivity for domain names correctly.
The Directory Configuration
Within the configured Realm, a Directory must be created that represents the LDAP server (the Active
Directory server).
The 'User search base' and 'Group search base' must be correctly configured based upon the specific Active
Directory structure, or the user-based and group-based policies might fail. Refer to the information in this
section in order to determine the appropriate values for these fields in your environment.
Example
Determine the User Search Base
In order to determine the user search base, complete these steps:
1. Log in to the Active Directory server as a domain administrator.
2. Open a command prompt (choose Start > Run and enter cmd).
3. Enter the dsquery command in order to determine the base distinguished name (DN) for a known user.
Enter some of that information into the Directory configuration screen within Prime Security
Manager.
In this example, the dsquery command is entered in order to search for users who have a DN that begins with
'Jay'. The use of the '*' wildcard with the command returns the information for all users with a DN starting
with 'Jay':
This output can be used in order to determine the LDAP structure for the User search base within Prime
Security Manager.
This example uses 'DC=csc-lab,DC=ciscotac,DC=com' as the appropriate User search base for the directory
configuration in PRSM.
Determine the Group Search Base
The procedure to determine the Group search base is similar to the procedure to determine the User search
base.
1. Log in to the Active Directory server as a domain administrator.
2. Open a command prompt (choose Start > Run and enter cmd).
3. In order to determine the base DN for a known group, enter the dsquery command. Enter that
information on the Directory configuration screen.
In this example, the current group is named 'Employees.' Therefore, you can use the dsquery command in
order to determine the DN for that specific group:
This output is used in order to determine the LDAP structure for the Group search base.
In this case, the information 'DC=csc-lab,DC=ciscotac,DC=com' is an appropriate Group search base for the
directory configuration.
This image shows how the output of the dsquery commands can be mapped to the Directory User and Group
search base information:
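The mapping from dsquery output to a search base, shown above for one user and one group, can be automated. The following Python script is an added example, not part of this Cisco document: it parses the quoted distinguished names that dsquery prints (the sample output lines and the user and group names in them are constructed, modelled on `dsquery user -name Jay*` and `dsquery group -name Employees`), derives the domain-root base this document uses (every DC= component), the narrower parent container, and, going one step beyond the document, the deepest container shared by several objects, which is the narrowest base that still covers users or groups spread across different OUs. It also handles a backslash-escaped comma inside a name, which a naive split on commas would break.

```python
"""Derive LDAP search bases from dsquery output (added example, not Cisco code).

dsquery prints one quoted distinguished name (DN) per line, for example
  "CN=Jay Johnston,CN=Users,DC=csc-lab,DC=ciscotac,DC=com"
The search base PRSM needs is a suffix of such a DN: the domain root (all DC=
components), or a narrower container when you want to limit the search.
"""
import re
from typing import List, Tuple

# Constructed sample output; the object names are assumptions, not taken from the document.
SAMPLE_DSQUERY_USER = '"CN=Jay Johnston,CN=Users,DC=csc-lab,DC=ciscotac,DC=com"\n'
SAMPLE_DSQUERY_GROUP = '"CN=Employees,OU=Groups,DC=csc-lab,DC=ciscotac,DC=com"\n'
# An RDN value may contain an escaped comma (RFC 4514); it must not be treated as a separator.
SAMPLE_ESCAPED_USER = r'"CN=Johnston\, Jay,OU=TAC Users,DC=csc-lab,DC=ciscotac,DC=com"'

_RDN_SEPARATOR = re.compile(r'(?<!\\),')  # a comma that is not preceded by a backslash


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in _RDN_SEPARATOR.split(dn.strip()):
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parse_dsquery_output(text: str) -> List[str]:
    """Return the DNs from dsquery output, one per non-empty line, with the quotes removed."""
    return [line.strip().strip('"') for line in text.splitlines() if line.strip()]


def domain_root(dn: str) -> str:
    """Domain-root search base: every DC= component of the DN, in order (what this document uses)."""
    dc = [f'{a}={v}' for a, v in split_rdns(dn) if a == 'DC']
    if not dc:
        raise ValueError(f'no DC components in {dn!r}')
    return ','.join(dc)


def parent_container(dn: str) -> str:
    """Narrower search base: the DN with the object's own (leading) RDN removed."""
    pairs = split_rdns(dn)
    if len(pairs) < 2:
        raise ValueError(f'DN has no parent container: {dn!r}')
    return ','.join(f'{a}={v}' for a, v in pairs[1:])


def common_search_base(dns: List[str]) -> str:
    """Deepest container holding every DN: the longest common suffix of their RDN lists.

    Use this when users or groups live in several OUs; a base narrower than the
    result would make some of them invisible to the CX lookups.
    """
    if not dns:
        raise ValueError('no DNs given')
    reversed_rdns = [list(reversed(split_rdns(dn))) for dn in dns]
    common = []
    for level in zip(*reversed_rdns):  # compare from the domain root downwards
        if all(rdn == level[0] for rdn in level):
            common.append(level[0])
        else:
            break
    if not common:
        raise ValueError('DNs share no common container')
    return ','.join(f'{a}={v}' for a, v in reversed(common))


if __name__ == '__main__':
    user_dn = parse_dsquery_output(SAMPLE_DSQUERY_USER)[0]
    group_dn = parse_dsquery_output(SAMPLE_DSQUERY_GROUP)[0]
    print('User search base (domain root):  ', domain_root(user_dn))
    print('User search base (container):    ', parent_container(user_dn))
    print('Group search base (container):   ', parent_container(group_dn))
    print('Base covering both sample users: ',
          common_search_base([user_dn, parse_dsquery_output(SAMPLE_ESCAPED_USER)[0]]))
```

Run it on the real dsquery output by pasting the lines in place of the constructed samples; the domain-root value is the safe default, and the container or common-suffix value is the one to use when the search must be restricted to part of the tree.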
Determine the Distinguished Name of Other Objects in Active Directory - ADSI Edit
If you need to browse your Active Directory structure in order to look up distinguished names to use for your
User or Group search base, you can use a tool called ADSI Edit that is built into Active Directory Domain
Controllers. In order to open ADSI Edit, choose Start > Run on your Active Directory Domain Controller and
enter adsiedit.msc.
Once you are in ADSI Edit, right-click any object (such as an organizational unit (OU), group, or user) and
choose Properties in order to view the distinguished name of that object. You can then easily copy and paste
the string to your CX configuration in PRSM in order to avoid any typographical errors. See this screenshot
for more specifics on this process:
Verify
Use this section in order to confirm that your configuration works properly.
Verify the Network Connectivity to the Active Directory Server
In order to verify the basic network connectivity between the Next-Generation Firewall and the Active
Directory server, click Test connection.
Note: Test connection simply verifies that the Next-Generation Firewall can look up the IP address for the
configured directory hostname and establish a TCP connection to that IP address on destination TCP port 389.
It does not confirm that the Next-Generation Firewall is able to query the Active Directory server and
perform actual user and group lookups.
Verify the User and Group Lookup with the Active Directory
In order to verify that the Identity information is correct, perform a simple test to trigger the Next-Generation
Firewall to perform an LDAP search with the configured User and Group Search Bases.
Before you test, ensure that all configuration changes have been deployed to the device.
1. Choose Configurations > Policies/Settings.
2. Create a new policy (this policy will not be saved). From the Source drop-down list, choose Create
new object.
3. In the Name field, enter an object name. From the Object type drop-down list, choose CX Identity
object.
4. In the Groups field, enter a few characters contained in a known Active Directory group. If the
Next-Generation Firewall provides a drop-down list of Active Directory groups that match those
configured on the server, this means that the Next-Generation Firewall was able to query the LDAP
server and has found the group in the LDAP structure, so the configuration is functional.
This image shows that if you enter the letters Emp in the Groups field, the value
'CiscoTAC\Employees' is a group from the Active Directory structure that matches. This means the
connectivity and search information is functional.
The same test can be performed for Users. Enter a few characters of the Display Name of a known
Active Directory User, and wait to see if the Next-Generation Firewall shows the completed Display
Name. If it does, the system is most likely functional.
5. After the testing is complete, cancel out of the object and policy configuration screens.
Troubleshoot
DNS Configuration Problems Cause Active Directory Integration to Fail
If Domain Name System (DNS) resolution for the configured Name for the domain fails, Active Directory
integration fails. A message 'Connection failed with error: Join returned DNS_ERROR_BAD_PACKET'
displays when you click Test Connection:
If the Next-Generation Firewall cannot resolve the IP address for the domain configured, check the DNS
settings on the Next-Generation Firewall with the show dns and nslookup commands in order to confirm that
the hostname is resolvable by the device and that the DNS settings are correct.
Network Connectivity Problems Between the Next-Generation Firewall and the Active Directory Server
If the Next-Generation Firewall is unable to connect to the Active Directory server (due to a network problem
or a firewall setting on the machine), the integration fails. This could be caused if the connectivity on TCP
port 389 is blocked by a device (such as a firewall or router) between the Next-Generation Firewall and the
Active Directory server.
A message 'Connection failed with error: Join returned NERR_DCNotFound' displays when you click Test
Connection:
If you see this message:
• Confirm that the Next-Generation Firewall has basic IP connectivity to the server with the ping,
nslookup and traceroute commands from the CLI.
• Verify that the firewall configured on the Active Directory server is not configured to block
connectivity from the Next-Generation Firewall on TCP port 389.
• Take packet captures on the Active Directory server and the network in order to determine what
device might be blocking the access.
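The two failure modes above (DNS resolution failing, then the TCP connection on port 389 failing) are the two stages the Verify section says Test connection performs. The following Python script is an added example, not Cisco code: it runs the same two stages from any host, stops at the first one that fails, and attaches the error text this document associates with that stage. The resolver and connector are injectable so the logic can be exercised without a network; the hostname in the usage line is a placeholder. Like Test connection itself, it does not bind or search, so a successful result still has to be followed by the group lookup test in PRSM.

```python
"""Stage-by-stage reachability check for a directory server (added example, not Cisco code).

Mirrors what this document says PRSM's "Test connection" does: resolve the
configured directory hostname, then open a TCP connection to port 389. It
reports the first stage that fails so the result can be matched to the
Troubleshoot section. It does not bind or search, so it does not prove that
LDAP user and group lookups work.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Optional

LDAP_PORT = 389

# Error text this document associates with each failing stage of Test connection.
STAGE_HINTS = {
    'dns': "Join returned DNS_ERROR_BAD_PACKET: check the device's DNS settings with show dns and nslookup.",
    'tcp': "Join returned NERR_DCNotFound: check IP connectivity (ping, nslookup, traceroute) and whether a "
           "firewall or router between the device and the server blocks TCP port 389.",
}

Resolver = Callable[[str], str]                 # hostname -> IP address, raises OSError on failure
Connector = Callable[[str, int, float], None]   # (address, port, timeout), raises OSError on failure


@dataclass
class CheckResult:
    stage: str                      # 'dns', 'tcp' or 'ok'
    ok: bool
    detail: str
    address: Optional[str] = None   # resolved IP address, once DNS succeeded


def _tcp_connect(address: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; OSError (timeout, refused) means blocked."""
    with socket.create_connection((address, port), timeout=timeout):
        pass


def check_directory_reachability(hostname: str, port: int = LDAP_PORT, timeout: float = 3.0,
                                 resolver: Resolver = socket.gethostbyname,
                                 connector: Connector = _tcp_connect) -> CheckResult:
    """Resolve hostname, then connect to port; return the first stage that fails."""
    try:
        address = resolver(hostname)
    except OSError as exc:  # socket.gaierror is an OSError
        return CheckResult('dns', False, f'cannot resolve {hostname!r}: {exc}. {STAGE_HINTS["dns"]}')
    try:
        connector(address, port, timeout)
    except OSError as exc:
        return CheckResult('tcp', False,
                           f'TCP connection to {address}:{port} failed: {exc}. {STAGE_HINTS["tcp"]}',
                           address)
    return CheckResult('ok', True,
                       f'resolved {hostname!r} to {address} and connected to TCP port {port}; '
                       'LDAP queries themselves are not verified by this check', address)


if __name__ == '__main__':
    # Placeholder hostname: substitute the directory hostname configured in PRSM.
    print(check_directory_reachability('dc01.example.invalid'))
```

A 'dns' result points at the device's DNS configuration, a 'tcp' result at the path between the device and the domain controller, and an 'ok' result only tells you that the search-base test in the Verify section is now worth running.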
Related Information
• Cisco bug ID CSCum53396 - ASA CX doesn't handle case sensitivity for domain names correctly
• Technical Support & Documentation − Cisco Systems