Lab objectives:
1 Authenticate users with AD + LDAP
2 Add a banner to a user in AD
Topology:
ASA configuration:
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif DMZ
 security-level 50
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 8
pager lines 24
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map banner
  map-name physicalDeliveryOfficeName Banner1
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (DMZ) host 192.168.10.1
 server-port 389
 ldap-base-dn DC=wenlf136,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=admin,OU=HROU,DC=wenlf136,DC=com
 server-type microsoft
 ldap-attribute-map banner
user-identity default-domain LOCAL
http server enable 500
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint sslvpnca
 enrollment url
 fqdn asa.ssl.net
 subject-name cn=asa.ssl.net
 crl configure
crypto ca certificate chain sslvpnca
 certificate 03
  (certificate hex data omitted)
  quit
 certificate ca 01
  (certificate hex data omitted)
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.10
ssl trust-point sslvpnca
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group ssltunnel type remote-access
tunnel-group ssltunnel general-attributes
 authentication-server-group ldap
tunnel-group ssltunnel webvpn-attributes
 group-alias HR enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:592969896630e021b58ece2639d4d42b
: end
CA configuration:
See my other article; it is not repeated here.
There are plenty of AD installation and configuration guides online, so that is not covered here either.
User configuration:
1 In AD, create a user and an OU (organizational unit), named addmin and HROU respectively.
2 Configure the user's attributes
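As an added example (not part of the original post), the Python below models how the two pieces above fit together: the ASA's "ldap attribute-map banner" turns the AD user's physicalDeliveryOfficeName (the Office field filled in at step 2) into the Cisco attribute Banner1, and "server-type microsoft" makes the ASA look the user up by sAMAccountName. The AD entries, the parser and the filter-escaping helper are constructed for this example.

```python
"""Model of how the ASA applies an 'ldap attribute-map' to an AD entry.
Added example, not code from the original post; AD entries are constructed."""
import re

# Copy of the two attribute-map lines from the ASA config above (constructed input).
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map banner
  map-name physicalDeliveryOfficeName Banner1
"""


def parse_attribute_maps(config: str) -> dict:
    """Return {map_name: {ldap_attr: cisco_attr}} from 'ldap attribute-map' stanzas."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ldap attribute-map (\S+)", line)
        if m:
            current = maps.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s+map-name (\S+) (\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return maps


def apply_attribute_map(entry: dict, mapping: dict) -> dict:
    """Translate fetched AD attributes into Cisco policy attributes.
    An attribute absent from the entry yields no Cisco attribute, which is
    why a user whose Office field is empty simply gets no banner."""
    return {cisco: entry[ldap] for ldap, cisco in mapping.items() if ldap in entry}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(username: str) -> str:
    """'server-type microsoft' makes the ASA search by sAMAccountName."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(username)


# Constructed AD entries: one with the Office field set, one without.
HR_USER = {"sAMAccountName": "addmin", "physicalDeliveryOfficeName": "Welcome HR staff"}
NO_OFFICE_USER = {"sAMAccountName": "bob"}

if __name__ == "__main__":
    mapping = parse_attribute_maps(ATTRIBUTE_MAP_CONFIG)["banner"]
    print(user_search_filter("addmin"))
    print(apply_attribute_map(HR_USER, mapping))       # Banner1 present
    print(apply_attribute_map(NO_OFFICE_USER, mapping))  # empty: no banner
```

With "server-port 389" the ASA sends the ldap-login-dn bind credentials to 192.168.10.1 as plain LDAP; "ldap-over-ssl enable" on the aaa-server host (port 636) is the usual way to protect that bind.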
Verification:
Note:
This article does not explain the commands; if you have questions, leave a comment or search online.