Authenticate SSL VPN users directly against AD and use AD to push a per-user banner

Lab goals:

1 Authenticate users with AD over LDAP

2 Add a login banner to a user in AD

Topology:

(The diagram is not included in the post. From the ASA config below: the domain controller 192.168.10.1 and the CA 192.168.10.10 sit on the DMZ segment 192.168.10.0/24 behind GigabitEthernet0, and VPN clients reach the ASA on the outside interface 192.168.20.254.)

ASA configuration:

Running config of the ASA (8.4(2)). The parts that matter for this lab: `aaa-server ldap` points at the domain controller 192.168.10.1 on the DMZ over plain LDAP (`server-port 389`), binds with `ldap-login-dn CN=admin,OU=HROU,DC=wenlf136,DC=com`, searches the `DC=wenlf136,DC=com` subtree, and, because of `server-type microsoft`, looks users up by sAMAccountName. `ldap attribute-map banner` maps the AD attribute physicalDeliveryOfficeName (the "Office" field on the user's General tab in Active Directory Users and Computers) to the Cisco attribute Banner1, so whatever is stored in that field is shown to the user after login. Tunnel-group `ssltunnel` (group alias HR) authenticates against that server group. The string `***` in the config is the platform's redaction in the post as published.

Two things to change before using this outside a lab. With `server-port 389` and no `ldap-over-ssl enable`, the ASA performs simple binds, so both the bind account's password and every VPN user's password cross the DMZ in cleartext; use `ldap-over-ssl enable` with `server-port 636` and a DC certificate the ASA trusts. `http 0.0.0.0 0.0.0.0 outside` allows ASDM/HTTPS management from any source address on the Internet-facing interface; restrict it to management hosts. The login DN only needs to search the directory, so it should be a read-only account rather than an administrator.

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif DMZ
 security-level 50
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 8
pager lines 24
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map banner
  map-name  physicalDeliveryOfficeName Banner1
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (DMZ) host 192.168.10.1
 server-port 389
 ldap-base-dn DC=wenlf136,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=admin,OU=HROU,DC=wenlf136,DC=com
 server-type microsoft
 ldap-attribute-map banner
user-identity default-domain LOCAL
http server enable 500
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ssl***ca
 enrollment url http://192.168.10.10:80
 fqdn asa.ssl.net
 subject-name cn=asa.ssl.net
 crl configure
crypto ca certificate chain ssl***ca
 certificate 03
    30820229 30820192 a0030201 02020103 300d0609 2a864886 f70d0101 04050030
    17311530 13060355 0403130c 7777772e 726f6f74 2e636f6d 301e170d 31323130
    30323039 34363235 5a170d31 33313030 32303934 3632355a 30323114 30120603
    55040313 0b617361 2e73736c 2e6e6574 311a3018 06092a86 4886f70d 01090216
    0b617361 2e73736c 2e6e6574 30819f30 0d06092a 864886f7 0d010101 05000381
    8d003081 89028181 00a2782c 802980dd 4da02808 5513db0e 8ba599cd 4dfbf701
    5f72d57d e8325fe3 d987db78 b74ad9c7 b767e9ab ce9c9c8a 333cb6a4 04671514
    4e845661 42013350 2dc8c795 260e3024 de4abef9 f5ef3751 1388d7db c0003254
    98afb78d abb5ac26 ead7a13a f7338e3b f73ba9aa b6559339 81e5fb57 6c375e55
    9eefa991 f2ef364b d5020301 0001a36a 30683016 0603551d 11040f30 0d820b61
    73612e73 736c2e6e 6574300e 0603551d 0f0101ff 04040302 05a0301f 0603551d
    23041830 16801400 528fc06d 14bcb113 3421c7bf 39cb4f32 e2af8a30 1d060355
    1d0e0416 04145fc7 5b163d70 20dcf8b3 5e9d1829 240e6b0a be33300d 06092a86
    4886f70d 01010405 00038181 00603ce8 c675ce6c d8ab99bb b3ba07bb 1441c3ae
    3771400d 4be0104a e6a911a7 4aace5e4 6fe29089 e539409c 35937dd9 842ffbd7
    e1f452fd b5e2ea46 d039a2c9 fa5c10d8 99178d38 9783557f ceaa0d2a 6e1a1596
    ce1e7a91 4aeaef23 21f9d840 dd20419b b3e14774 7c62cf3c bf6ad1a4 8f094a87
    fc50e3e3 1d856cf1 10b43c74 71
  quit
 certificate ca 01
    30820207 30820170 a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    17311530 13060355 0403130c 7777772e 726f6f74 2e636f6d 301e170d 31323130
    30323039 33323031 5a170d31 35313030 32303933 3230315a 30173115 30130603
    55040313 0c777777 2e726f6f 742e636f 6d30819f 300d0609 2a864886 f70d0101
    01050003 818d0030 81890281 8100cff3 eac51abb e99d2cfd ab4793a7 fabe4cf0
    0d6b4476 03091e07 796b337e 6e0da7c7 d369fb51 397301d3 12dd3f28 79068905
    0ceaf06e 0af0d08a ebec132c cd06aea2 7fa24605 aa5ed76a 9f5de568 e7c63f3e
    e498e8f5 82b98945 6991ba6d deb96c0f 855effb3 1c0299dc 1bdf435f b9fc7768
    9ebca0d0 e66d9257 2f11b131 005f0203 010001a3 63306130 0f060355 1d130101
    ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304
    18301680 1400528f c06d14bc b1133421 c7bf39cb 4f32e2af 8a301d06 03551d0e
    04160414 00528fc0 6d14bcb1 133421c7 bf39cb4f 32e2af8a 300d0609 2a864886
    f70d0101 04050003 8181008d 63b8fb61 8dbf43f1 aca67b11 96e89161 8f86ff5f
    cde998b6 bbfa18e0 5d8d22b8 c9af34a0 70c6c493 47943cd8 54d429d1 0f18296e
    108c6dbc b33a4227 010124a4 9d487756 ec5c0759 519a27ac 41a29cc1 2472efd5
    fa98382c d684b770 41a02955 1e8c269f 5441180a 07114baf d68b592e 7acd610d
    bb69de6a fc87753c 2598ac
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.10
ssl trust-point ssl***ca
web***
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group ssltunnel type remote-access
tunnel-group ssltunnel general-attributes
 authentication-server-group ldap
tunnel-group ssltunnel web***-attributes
 group-alias HR enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:592969896630e021b58ece2639d4d42b
: end

CA configuration:

See my other article; it is not repeated here.

AD installation and configuration are widely documented online and are not repeated here.

User configuration:

1 In AD create a user and an OU (organizational unit) named admin and HROU respectively, so that the user's DN is CN=admin,OU=HROU,DC=wenlf136,DC=com, matching `ldap-login-dn` in the ASA config.

2 Configure the user's attributes: put the banner text in the Office field on the user's General tab. That field is physicalDeliveryOfficeName, the attribute the ASA's `ldap attribute-map banner` turns into Banner1.

Verification:

Connect with AnyConnect to the outside address 192.168.20.254, pick the group alias HR, and log in with the AD account. After the LDAP bind succeeds, the text stored in the user's Office field is presented to the client as the banner.
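Added example, not from the original post: the AD side of steps 1 and 2 as a PowerShell script, followed by a verification bind that reproduces what the ASA does at login (simple bind as the user's DN, then read the mapped attribute). It assumes the domain wenlf136.com, DC 192.168.10.1, OU HROU and user admin from the ASA config above, the RSAT ActiveDirectory module on the host, and a banner string of my own choosing; run it on the domain controller as a domain admin.

```powershell
# Added example (not from the original post). Creates the OU and user the lab
# uses, sets the "Office" attribute (physicalDeliveryOfficeName) that the ASA's
# "ldap attribute-map banner" maps to Banner1, then verifies with a bind that
# mirrors the ASA's login sequence.
# Assumptions: domain wenlf136.com and DC 192.168.10.1 as in the ASA config;
# ActiveDirectory RSAT module installed; run as a domain admin.

Import-Module ActiveDirectory

$domainDn  = 'DC=wenlf136,DC=com'
$ouName    = 'HROU'
$ouDn      = "OU=$ouName,$domainDn"
$userName  = 'admin'
$userDn    = "CN=$userName,$ouDn"          # must equal ldap-login-dn on the ASA
$bannerTxt = 'HR SSL VPN - authorized users only'   # assumed banner text

# 1. OU (idempotent)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. User. server-type microsoft makes the ASA search by sAMAccountName, so the
#    sAMAccountName must be exactly what the user types at the AnyConnect prompt.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString
if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$userName)")) {
    New-ADUser -Name $userName -SamAccountName $userName `
        -UserPrincipalName "$userName@wenlf136.com" -Path $ouDn `
        -AccountPassword $password -Enabled $true
}

# 3. The banner: ADUC shows physicalDeliveryOfficeName as "Office" (General tab).
Set-ADUser -Identity $userName -Replace @{ physicalDeliveryOfficeName = $bannerTxt }

# 4. Confirm the attribute the ASA will read
Get-ADUser -Identity $userName -Properties physicalDeliveryOfficeName |
    Select-Object DistinguishedName, SamAccountName, physicalDeliveryOfficeName

# 5. Reproduce the ASA's login step: simple bind as the user's DN over plain LDAP
#    on 389, exactly as the lab config does (the password is sent in clear; once
#    ldap-over-ssl is enabled on the ASA use port 636 with
#    AuthenticationTypes::SecureSocketsLayer here too).
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://192.168.10.1:389/$domainDn", $userDn, $plain,
            [System.DirectoryServices.AuthenticationTypes]::None)   # ::None = simple bind
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(sAMAccountName=$userName)"
$searcher.PropertiesToLoad.Add('physicalDeliveryOfficeName') | Out-Null
$result = $searcher.FindOne()
if ($null -eq $result) { throw "bind or search failed for $userDn" }
"Banner1 the ASA would push: " + $result.Properties['physicaldeliveryofficename'][0]
```

If step 5 throws, the ASA will fail the same way: check the DN against `ldap-login-dn`, that the account is enabled, and with `debug ldap 255` on the ASA that the search returns the entry before the user bind is attempted.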

Note:

This post does not explain the commands; if anything is unclear, leave a comment or search online.
