topic Hi to All, It works also with in Network Security

Anyconnect user automatic group-policy and tunnel-group assignment without selecting any group-alias from tunnel-group-list .

john.ebrahim83 — Tue, 12 Mar 2019 01:19:14 GMT

Objective is that anyconnect user dont have to select Group-alias, so when a user enters its username and password it should go to its specific tunnel-group and group-policy. as i have removed this command in webvpn "no tunnel-group-list enable". doing this i can not login (user does not authenticate).

1- My question is why its not happening ?

Solution:

If i keep only one tunnel-group default and make multiple group-policies and assign each user with its specific group-policy than it works. means in user attribute i only issue following commands than it works but if i put "group-lock value test-tunnel" than it does not login.

please explain why.

webvpn

enable outside

cache-fs limit 50

svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1

svc enable

group-policy test-gp internal

group-policy test-gp attributes

vpn-tunnel-protocol svc webvpn

address-pools value test-pool

username test password test

username test attributes

vpn-tunnel-protocol svc

group-lock value test-tunnel

vpn-group-policy test-gp

tunnel-group test-tunnel type remote-access

tunnel-group test-tunnel general-attributes

default-group-policy test-gp

tunnel-group test-tunnel webvpn-attributes

group-url https://192.168.168.2/test enable

Anyconnect user automatic group-policy and tunnel-group assignme

Jennifer Halim — Tue, 26 Mar 2013 08:57:54 GMT

Yes, you have the right solution. You only need to create 1 tunnel-group, and multiple group-policy. Under user attribute, you would then configure the vpn group policy that you would like the user assigned too.

You can also authenticate users against AD and configure ldap attribute map to automatically map user to a specific group policy.

Here is a sample config if you happen to have AD and will authenticate against AD:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Hope that helps.

Anyconnect user automatic group-policy and tunnel-group assignme

Andrew Phirsov — Tue, 26 Mar 2013 11:59:05 GMT

but if i put "group-lock value test-tunnel" than it does not login.

If the test-tunnel isn't your default tunnel group, then it happens because group-lock feature only binds user to the group, but doesn't assign that group to the user. I.e. with group-lock user will only be able to access throug that connection-profile, but if he or she at the same time falls into default group, wich is not the one the user locked to, the login will fail.

Anyconnect user automatic group-policy and tunnel-group assignme

amekulka — Wed, 27 Mar 2013 00:26:45 GMT

Let me check and get back to you.

Anyconnect user automatic group-policy and tunnel-group assignme

amekulka — Wed, 27 Mar 2013 23:01:42 GMT

Both answers are correct. Further, as Jennifer mentioned, authenticating against an AD v/s the local auth, as listed, would provide you the answer you are looking for.

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Fri, 22 Nov 2013 11:24:39 GMT

Hello Ameet,

I have also same issue now,

But I have different tunnel-groups, and different group-policy.

User obtains ip dedicated for it under the group-policy.

On the login page user choose the LDAP OU group ( group-alias) and connects.

But I do not know how to restrict the user from one group to connect to another group

Do you have any solution for this?

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

pcarco — Mon, 25 Nov 2013 02:51:02 GMT

Hello Tural,

I work with Ameet and wanted to chime in. If I understand you correctly you have multiple tunnel-groups/connection profiles each with its own group-policy. You have IP pools assigned on the group-policys

A good solution is the option Jennifer pointed out above which is to use only a single tunnel-group/connection profile and utilize a ldap attribute map to dynamically assign the group-policy.

If you use the same authentication method for each tunnel-group/connection profile there is nothing stopping a user from selecting the the tunnel group and authenticating then obviously being assigned the group-policy and eventually the IP which I am thinking is what you want to avoid because you may be using a different pool per group-policy and then restricting access based on that ip range ?

Hope this helps.

Best regards,

Paul

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Mon, 25 Nov 2013 06:42:34 GMT

Hello, pcarco,

Thank you very much for reply,

Exactly, you understood correcctly.

Actually it does not matter for me how many tunnel groups and group policies I have to configure

The only thing is that I have my users from different AD/LDAP OU could connect (without selecting the group on the anyconnect vpn drop-down) and obtains their own ip, and accordingly I could put acls agains those pools (if i will need) on the ASA.

I know that it is very easy If I use ACS as a Radius Servers, But I do not have it. Just AD/LDAP and ASA.

As I understood from your coments, I have to create different authentication methods for each OU in order they would connect their own tunnel and group-policy ?

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

pcarco — Mon, 25 Nov 2013 15:02:17 GMT

Hello Tural,

In my opinion since you are using AD/LDAP for authentication for all users that you do the following

1.) Configure the default tunnel-group/connection profile to authenticate to your AD server.

(disable the other tunnel-groups for testing)

2.) Configure the default tunnel-group/connection profile to use the default group policy

3.) Configure multiple group policies on the ASA for the users you want to segregate

4.) Create an LDAP attribute map (see my CLI example)

(ASDM) Configuration > Remote Access VPN > AAA/Local Users > LDAP Attribute Map

ASA-tme# sho run ldap attribute-map

ldap attribute-map Test_Map <<<< map that is associated with aaa-server>>>

map-name memberOf Group-Policy <<>>

map-value memberOf CN=engineering,CN=Users,DC=Cisco,DC=tme,DC=com engineering-GP

map-value memberOf CN=marketing,CN=Users,DC=Cisco,DC=tme,DC=com Marketing-GP

( users that are a member of the AD group 'engineering' will be mapped to ASA group policy 'engineering-GP' etc....)

5.) Configure your AAA-Server entry for your AD server to use your newly created LDAP Attribute Map

ASA-tme# sho run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (Inside) host 172.16.1.20
ldap-base-dn DC=cisco,DC=tme,DC=com
ldap-scope subtree
ldap-naming-attribute SAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=users,DC=cisco,DC=tme,DC=com
server-type microsoft
ldap-attribute-map Test_Map <<<<< map associated to aaa-server>>>

The expected user experience would be that all users connect to the FQDN of your ASA and are no longer required to use the pull down or a group-url to choose a tunnel-group/connection profile. The users login to Active Directory and the ldap attribute map will put the users in the correct group-policy where you have configured the appropriate policy for the users.

From the CLI if you use 'debug ldap 255' during a users establishing a session you will be able to view the mapping taking place.

Hope this helps .

Best regards,

Paul

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Mon, 25 Nov 2013 19:00:41 GMT

Hello Paul

Thank you very much for detailed explanation.

I have already configured the way that you advised, but it did not work for me. Only works when I enable group-tunnel-list(drop down) and group-alias. As I mentioned we do not want that user see the groups.

When I disable it, user connects only to defult tunne-groups/connections and group-policy.

I think my mistake is on the AD/LDAP side.

My question is:

In you commets, the CN=engineering and CN=marketing are the OUs created on the AD, or Security Groups?

Thank you in advance for your help Paul

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

pcarco — Mon, 25 Nov 2013 19:29:50 GMT

Hello,

You are welcome. In my lab set up on my AD server the group is defined under users and the group scope is global and group type is Security Group. Then my user account is a memberOF one of the groups.

Good luck.

Best regards,

Paul

If you want to see the groups that the ASA can glean from your ASA - add a dap policy and do the following. You do not need this as part of your configuration just a tip to see the groups.

DAP screenshot below

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Mon, 25 Nov 2013 19:53:37 GMT

OK, Paul, I will check it tomorrow, and I have more hopes now that it will work,

It becomes more clear to me now, I have to check the AD again, I hope it will work with this configuration.

Thank you ones again for willing to help.

It is kind of you.

I will come back with the result tomorrow, Paul.

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Tue, 26 Nov 2013 19:08:14 GMT

Hello Paul,

Today I spent half of my day to it, the bad news is that it didnot work for me.)

While configuring the DAP it says that I have to enable CSD, did you also enable it in your lab?

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

pcarco — Tue, 26 Nov 2013 20:28:32 GMT

Hello,

I do have it enabled but you only need enabled if you are trying to create DAP policy using an attibute tied to the host scan criteria.

Did you debug ldap 255 during a session establishment to view what was going on ?

post the the output of a 'sho run aaa-server' and ' sho run ldap attribute-map''

Good luck.

Paul

Anyconnect user automatic group-policy and tunnel-group assignme

pf — Tue, 26 Nov 2013 23:55:45 GMT

What type of ldap-server do you use? With Microsoft Windows 2012 i got a problem, that only the administrator user will mapped to the correct group.

With other users, there are no groups shown in the "debug ldap 255" and so also no mapping to the correct group.

Regards

Peter

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Wed, 27 Nov 2013 06:55:36 GMT

Hello Paul

Here is my configuration, could you please check and let me know What is my mistake here.

My user coneects only to the defult tunnel/connection profile

You can also see debug output.

C:\>dsquery group domainroot -name Tural*

"CN=Tural,OU=test,OU=Corporat,DC=xxxx,DC=com"

C:\>dsquery group domainroot -name Rasim*

"CN=Rasim,OU=test1,OU=Corporat,DC=xxxx,DC=com"

C:\>dsquery user -name test*

"CN=test,OU=test,OU=Corporat,DC=xxxx,DC=com"

======================================================================

dynamic-access-policy-record Tural

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record Rasim

ldap attribute-map CISCOMAP

map-name memberOf IETF-Radius-Class

map-value memberOf Rasim CN=Rasim,OU=test1,OU=Corporat,DC=xxxx,DC=com

map-value memberOf Tural CN=Tural,OU=test,OU=Corporat,DC=xxxxx,DC=com

aaa-server LDAP_AUTHENT protocol ldap

aaa-server LDAP_AUTHENT (inside) host x.x.x.x

ldap-base-dn dc=xxxx,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn cn=admin,cn=Users,dc=xxxx,dc=com

server-type microsoft

ldap-attribute-map CISCOMAP

=========================================================

tunnel-group DefaultRAGroup general-attributes

authentication-server-group LDAP_AUTHENT

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group LDAP_AUTHENT

authentication-server-group (inside) LDAP_AUTHENT

authorization-server-group LDAP_AUTHENT

authorization-server-group (inside) LDAP_AUTHENT

authorization-required

tunnel-group test1 type remote-access

tunnel-group test1 general-attributes

address-pool VIP-POOL1

authentication-server-group LDAP_AUTHENT

authorization-server-group LDAP_AUTHENT

default-group-policy Rasim

authorization-required

authentication-attr-from-server secondary

tunnel-group test type remote-access

tunnel-group test general-attributes

address-pool VIP-POOL

authentication-server-group LDAP_AUTHENT

authorization-server-group LDAP_AUTHENT

default-group-policy Tural

authorization-required

authentication-attr-from-server secondary

==========================================================

group-policy DfltGrpPolicy attributes

dns-server value xxxxxxx

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VIP-SPLIT

default-domain value xxxx.com

split-dns value xxxxxxxxx

group-policy Rasim internal

group-policy Rasim attributes

wins-server none

dns-server value xxxxxx

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT

default-domain value xxx

split-dns value 10.241.17.63

address-pools value VIP-POOL1

default-domain value xxxx.com

group-policy Tural internal

group-policy Tural attributes

wins-server none

dns-server value xxxxx

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT

default-domain value xxxx.com

split-dns value xxxxx

address-pools value VIP-POOL

====================================================

[536] Session Start

[536] New request Session, context 0x00007ffd8fe92cb8, reqType = Authentication

[536] Fiber started

[536] Creating LDAP context with uri=ldap://10.241.17.64:389

[536] Connect to LDAP server: ldap://10.241.17.64:389, status = Successful

[536] supportedLDAPVersion: value = 3

[536] supportedLDAPVersion: value = 2

[536] Binding as admin

[536] Performing Simple authentication for admin to 10.241.17.64

[536] LDAP Search:

Base DN = [DC=xxxxx,DC=com]

Filter = [sAMAccountName=test1]

Scope = [SUBTREE]

[536] User DN = [CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com]

[536] Talking to Active Directory server 10.241.17.64

[536] Reading password policy for test1, dn:CN=test1,OU=test1,OU=Corporat,DC=xxx,DC=xxx

[536] Read bad password count 0

[536] Binding as test1

[536] Performing Simple authentication for test1 to 10.241.17.64

[536] Processing LDAP response for user test1

[536] Message (test1):

[536] Authentication successful for test1 to 10.241.17.64

[536] Retrieved User Attributes:

[536] objectClass: value = top

[536] objectClass: value = person

[536] objectClass: value = organizationalPerson

[536] objectClass: value = user

[536] cn: value = test1

[536] givenName: value = test1

[536] distinguishedName: value = CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[536] instanceType: value = 4

[536] whenCreated: value = 20131126115004.0Z

[536] whenChanged: value = 20131126122310.0Z

[536] displayName: value = test1

[536] uSNCreated: value = 9235760040

[536] memberOf: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[536] mapped to IETF-Radius-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[536] mapped to LDAP-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[536] uSNChanged: value = 9236081181

[536] name: value = test1

[536] objectGUID: value = 5....\.B....d..a

[536] userAccountControl: value = 512

[536] badPwdCount: value = 0

[536] codePage: value = 0

[536] countryCode: value = 0

[536] badPasswordTime: value = 0

[536] lastLogoff: value = 0

[536] lastLogon: value = 0

[536] pwdLastSet: value = 130299402043656468

[536] primaryGroupID: value = 513

[536] objectSid: value = ............V..W.../....."..

[536] accountExpires: value = 9223372036854775807

[536] logonCount: value = 0

[536] sAMAccountName: value = test1

[536] sAMAccountType: value = 805306368

[536] userPrincipalName: value = test1@megafontj.tj

[536] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxxx,DC=com

[536] dSCorePropagationData: value = 16010101000000.0Z

[536] lastLogonTimestamp: value = 130299421909985288

[536] Fiber exit Tx=549 bytes Rx=2505 bytes, status=1

[536] Session End

[537] Session Start

[537] New request Session, context 0x00007ffd8fe92cb8, reqType = Other

[537] Fiber started

[537] Creating LDAP context with uri=ldap://10.241.17.64:389

[537] Connect to LDAP server: ldap://10.241.17.64:389, status = Successful

[537] supportedLDAPVersion: value = 3

[537] supportedLDAPVersion: value = 2

[537] Binding as admin

[537] Performing Simple authentication for admin to 10.241.17.64

[537] LDAP Search:

Base DN = [DC=xxxxx,DC=com]

Filter = [sAMAccountName=test1]

Scope = [SUBTREE]

[537] User DN = [CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com]

[537] Talking to Active Directory server 10.241.17.64

[537] Reading password policy for test1, dn:CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[537] Read bad password count 0

[537] LDAP Search:

Base DN = [DC=xxxxx,DC=com]

Filter = [sAMAccountName=test1]

Scope = [SUBTREE]

[537] Retrieved User Attributes:

[537] objectClass: value = top

[537] objectClass: value = person

[537] objectClass: value = organizationalPerson

[537] objectClass: value = user

[537] cn: value = test1

[537] givenName: value = test1

[537] distinguishedName: value = CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[537] instanceType: value = 4

[537] whenCreated: value = 20131126115004.0Z

[537] whenChanged: value = 20131126122310.0Z

[537] displayName: value = test1

[537] uSNCreated: value = 9235760040

[537] memberOf: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[537] mapped to IETF-Radius-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[537] mapped to LDAP-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com

[537] uSNChanged: value = 9236081181

[537] name: value = test1

[537] objectGUID: value = 5....\.B....d..a

[537] userAccountControl: value = 512

[537] badPwdCount: value = 0

[537] codePage: value = 0

[537] countryCode: value = 0

[537] badPasswordTime: value = 0

[537] lastLogoff: value = 0

[537] lastLogon: value = 0

[537] pwdLastSet: value = 130299402043656468

[537] primaryGroupID: value = 513

[537] objectSid: value = ............V..W.../....."..

[537] accountExpires: value = 9223372036854775807

[537] logonCount: value = 0

[537] sAMAccountName: value = test1

[537] sAMAccountType: value = 805306368

[537] userPrincipalName: value = test1@megafontj.tj

[537] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxxx,DC=com

[537] dSCorePropagationData: value = 16010101000000.0Z

[537] lastLogonTimestamp: value = 130299421909985288

[537] Fiber exit Tx=547 bytes Rx=4109 bytes, status=1

[537] Session End

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Wed, 27 Nov 2013 07:26:00 GMT

Hello Peter,

We are using Microsoft 2008,

Yes my problem is that user is mapped to the default policy.

I have 2 users created : test and test1

But they are not mapped to their own tunnel/connection profile, istead they are mapped to the defualt and obtains ip from the defualt pool

Kindly Tural

Anyconnect user automatic group-policy and tunnel-group assignme

pf — Wed, 27 Nov 2013 09:45:04 GMT

Hi Tural

You should only use one tunnel-group and do the mapping to the group-policy and not tunnel-groups:

ldap attribute-map sslvpn

map-name memberOf IETF-Radius-Class

map-value memberOf CN=G_SSLVPN,OU=Service,OU=Groups,OU=Oberbipp,DC=hueslernest,DC=local ssl_admin

dynamic-access-policy-record DfltAccessPolicy

aaa-server ldapquerysrv1 protocol ldap

aaa-server ldapquerysrv1 (inside) host 192.168.20.80

server-port 389

ldap-base-dn dc=hueslernest,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password M3lanieO3sch!

ldap-login-dn CN=svc_ciscoldap,OU=Service,OU=Users,OU=Oberbipp,DC=hueslernest,DC=local

server-type microsoft

ldap-attribute-map sslvpn

ldap attribute-map sslvpn
map-name memberOf Group-Policy
map-value memberOf CN=G_SSLVPN,OU=Service,OU=Groups,OU=xxx,DC=xxx,DC=local ssl_admin
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldapquerysrv1 protocol ldap
aaa-server ldapquerysrv1 (inside) host 192.168.20.80
server-port 389
ldap-base-dn dc=xxx,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password xxxxxx

ldap-login-dn CN=svc_ciscoldap,OU=Service,OU=Users,OU=XXX,DC=xxxx,DC=local
server-type microsoft
ldap-attribute-map sslvpn

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool ssl-clientpool

authentication-server-group (outside) ldapquerysrv1 LOCAL

default-group-policy ssl_noaccess tunnel-group DefaultWEBVPNGroup general-attributes
address-pool ssl-clientpool
authentication-server-group (outside) ldapquerysrv1 LOCAL
default-group-policy ssl_noaccess

group-policy ssl_admin internal

group-policy ssl_admin attributes

dns-server value x.x.x.x

vpn-simultaneous-logins 25

vpn-idle-timeout 60

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_ssl

default-domain value xxx

webvpn

anyconnect keep-installer installed

anyconnect ssl rekey time 30

anyconnect ssl rekey method ssl

anyconnect profiles value xxx type user group-policy ssl_admin internal

group-policy ssl_noaccess internal

group-policy ssl_noaccess attributes

vpn-simultaneous-logins 0

Regards
Peter

Anyconnect user automatic group-policy and tunnel-group assignme

TuralLachinov — Wed, 27 Nov 2013 10:24:43 GMT

Hello Peter,

But I want that different users from different ou could obtain ip from their own ip pool

Not the same pool.

IT and HR employees must have diferent pools assigned.

Will this work with only one tunnel and group-policy ?

Kindly Tural

Hi to All, It works also with

ifabrizio — Fri, 09 Oct 2015 10:26:41 GMT

Hi to All,

It works also with Linux Radius server ?