topic Re: ASA anyconnect LDAP/BAse DN and client profiles in Network Security

ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Sat, 19 Nov 2022 09:33:39 GMT

Hello Sec GURUs,

I have two different questions please:

1- Im using Anyconnect with LDAP server (AD) to feetch the user ad creds, everything work fine as long as i'm point think LDAP server DC=companyname, DC=domaine, DC=com. Once I adjust the BASE DN to narrow down the OU group(CN=engineering, OU=remoteusers, DC=companyname, DC=domaine, DC=com) the and anyconnect users failed to connect, I'm I missing another parameter, Please guide me on how I can do that,

2- Is there a way to use ClientProfile to control the following, make the Anyconnect "disconnect"Button grayed out after a user connect, also I want to restrict the user machine to access to internet before until the user connect his VPN AnyConnect.

THANKS!!!

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Sat, 19 Nov 2022 10:13:13 GMT

@AyoubC check your ldap configuration, certain ldap attributes are case sensitive. Provide the output of the ldap configuration if you want it checked. Here is a guide to configure LDAP authentication on ASA.

You can use Always on VPN, it establishes a VPN session automatically after the user logs in and upon detection of an untrusted network. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the ASA group policy) expires. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#topic_BD02A53E0A714E23A56850698C830A6C

You could look at a management tunnel, which is established pre-user login. This ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the user. https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Mon, 21 Nov 2022 09:11:46 GMT

I m going to test, and keep you posted !

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Mon, 21 Nov 2022 23:44:10 GMT

Hello @Rob Ingram

Spent some time today, the always-on setup was pretty straightforward,

for the LDAP search in a specific group, went crazy, below output for one of my auth attempt

[4647] Session Start
[4647] New request Session, context 0x00007f74740ee020, reqType = Authentication
[4647] Fiber started
[4647] Creating LDAP context with uri=ldap://<AD IP>:389
[4647] Connect to LDAP server: ldap://<AD IP>:389, status = Successful
[4647] defaultNamingContext: value =DC=<MyDomaine>,DC=com
[4647] supportedLDAPVersion: value = 3
[4647] supportedLDAPVersion: value = 2
[4647] supportedSASLMechanisms: value = GSSAPI
[4647] supportedSASLMechanisms: value = GSS-SPNEGO
[4647] supportedSASLMechanisms: value = EXTERNAL
[4647] supportedSASLMechanisms: value = DIGEST-MD5
[4647] Binding as s-Anyconnect
[4647] Performing Simple authentication for s-Anyconnect to 172.16.201.115
[4647] LDAP Search:
Base DN = [OU=VPNusers,DC=departement,DC=Mydomain,DC=com]
Filter = [sAMAccountName=test03]
Scope = [SUBTREE]
[4647] Search result parsing returned failure status
[4647] Talking to Active Directory server <AD IP>
[4647] Reading password policy for test03, dn:
[4647] Binding as s-Anyconnect
[4647] Performing Simple authentication for s-Anyconnect to <AD IP>
[4647] Fiber exit Tx=639 bytes Rx=776 bytes, status=-1
[4647] Session End

Anyconnect app shows a simple login failed, but I don't know what I missed here, do I need a LDAP attribute map to search on a deep level in the AD ?

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Tue, 22 Nov 2022 09:17:04 GMT

@AyoubC can you please provide your LDAP AAA specific configuration and I'll have a look.

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Tue, 22 Nov 2022 11:32:43 GMT

Hello @Rob Ingram

here you go ! below the LDAP server config,

with the below configuration, everything works fine, once I try to narrow down the reseach in the AD (add more OU/CN to the Base DN) the concerned users can't connect (not that I copy past the Base DN from AD itself/under attri editor).

Thank you Rob!

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Tue, 22 Nov 2022 11:50:24 GMT

@AyoubC can you enable debug ldap 255 login as a user to test and provide me the full output of the debug (it should provide more output than what was provided before).

You can of course use the base DN as the root of the domain and use hte attribute map to allow specific AD groups to narrow down authentications.

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Wed, 23 Nov 2022 16:06:03 GMT

Hello @Rob Ingram,

Already done, attached output this time from my lab environment, as you can see, narrowing down/attrib-map seems to not take effect, anyone can access as long as we point ASA to the root base dn,

what do you think ?

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Tue, 22 Nov 2022 13:53:19 GMT

@AyoubC If you configured the ASA as per the first link I provided above, any user not a member of the LDAP group specified in the attribute map would be assigned the NOACCESS group-policy rather than the group-policy specified in the attribute map, this NOACCESS group-policy does not allow connections (vpn-simultaneous-logins 0).

Have you configured that?

More information on NOACCESS group-policy https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Tue, 22 Nov 2022 18:53:22 GMT

Going to test that right now,

Re: ASA anyconnect LDAP/BAse DN and client profiles

MHM Cisco World — Tue, 22 Nov 2022 19:09:17 GMT

"CN=VPN_grp,OU=vpn-users,OU=Morocco Team,DC=htmioffice,DC=com"

first why there LDAP memberof enclose with " " ???
second the LDAP mapping must write with upper-case letter O

memberOf

notice:- the LDAP return must write as it send from AD to ASA.}
make double check the config

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Wed, 23 Nov 2022 16:05:34 GMT

@MHM Cisco World - thanks for pointing out some issues that I corrected, such as the memberOf - now I can see that ASA able to map a policy group value in debug CLI,

for the " " , CLI won't access your Base dn long entry without " " - I don't this this is an issue,

@Rob Ingram good catch on the NOACCESS policygroup, I created that as well and apply it as a default for my Tunnel group, and this time all get denied, I feel like the the ASA was able to determine/map the right group policy for the users but it can't enforce it,

see attached

Re: ASA anyconnect LDAP/BAse DN and client profiles

MHM Cisco World — Tue, 22 Nov 2022 23:34:00 GMT

default-group-policy NOACCESS

only remove this line from tunnel-group
and all I think will be OK.

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Wed, 23 Nov 2022 08:00:59 GMT

@MHM Cisco World the NOACCESS default-group-policy needs to be referenced under the tunnel-group, it's the attribute map which assigns a user to the group-policy "GroupPolicy_HTMI-VPN" this overrides the default group policy for users who are allowed access and denies the users who are not a member of this group.

@AyoubC the output confirms the users was mapped to the correct group policy (via the attribute map) - if the user is still getting denied it's probably because you've not explictly defined the number of "vpn-simultaneous-logins" for the group policy - "GroupPolicy_HTMI-VPN", therefore it would inherit this value from the default group policy.

Example:

group-policy GroupPolicy_HTMI-VPN attributes
 vpn-simultaneous-logins 3

Re: ASA anyconnect LDAP/BAse DN and client profiles

MHM Cisco World — Wed, 23 Nov 2022 08:11:41 GMT

Thanks for clarifying

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Wed, 23 Nov 2022 13:01:25 GMT

@Rob Ingram that was the last piece of the puzzle, you're right it seems that after mapping the correct group policy, it inherits along with that vpn-simultaneous-logins "0" from the default policy-group (NO ACCESS)

Attribute mapping works like a charm now, I'll create now more groups and perform more tests.

Re: ASA anyconnect LDAP/BAse DN and client profiles

MHM Cisco World — Wed, 23 Nov 2022 13:45:13 GMT

Glad your issue is solve
and you are so so welcome,
@Rob Ingram thanks again for clarifying the default group-policy.

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Wed, 23 Nov 2022 14:01:32 GMT

Thank you @MHM Cisco World ,

One more question, I'm a fun of ASDM, and I m wondering where I can find "vpn-simultaneous-logins " or it's a CLI command only. ?

Re: ASA anyconnect LDAP/BAse DN and client profiles

Rob Ingram — Wed, 23 Nov 2022 14:10:56 GMT

@AyoubC it's a setting defined under the group-policy and is configurable via ASDM. Here is an example:

Re: ASA anyconnect LDAP/BAse DN and client profiles

AyoubC — Wed, 23 Nov 2022 16:15:34 GMT

Sounds great !