03-25-2013 02:02 AM - edited 03-11-2019 06:19 PM
The objective is that AnyConnect users don't have to select a group-alias, so that when a user enters their username and password they go straight to their specific tunnel-group and group-policy. I have therefore removed the drop-down list under webvpn ("no tunnel-group-list enable"). Having done this I cannot log in (the user does not authenticate).
1. My question is: why is this not happening?
Solution:
If I keep only one tunnel-group (the default) and create multiple group-policies, assigning each user its specific group-policy, then it works. That is, if in the username attributes I issue only the following commands it works, but if I add "group-lock value test-tunnel" the user cannot log in.
Please explain why.
webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
!
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
!
username test password test
username test attributes
 vpn-tunnel-protocol svc
 group-lock value test-tunnel
 vpn-group-policy test-gp
!
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes
 group-url https://192.168.168.2/test enable
03-26-2013 01:57 AM
Yes, you have the right solution. You only need to create one tunnel-group and multiple group-policies. Under the user attributes, you would then configure the VPN group-policy that you would like the user assigned to.
You can also authenticate users against AD and configure an LDAP attribute map to automatically map a user to a specific group-policy.
Here is a sample config if you happen to have AD and will authenticate against AD:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Hope that helps.
03-26-2013 04:59 AM
"but if i put "group-lock value test-tunnel" then it does not login."
If test-tunnel isn't your default tunnel-group, then this happens because the group-lock feature only binds the user to the group, but doesn't assign that group to the user. I.e. with group-lock the user will only be able to connect through that connection profile, but if he or she at the same time falls into the default group, which is not the one the user is locked to, the login will fail.
03-26-2013 05:26 PM
Let me check and get back to you.
03-27-2013 04:01 PM
Both answers are correct. Further, as Jennifer mentioned, authenticating against AD vs. the local authentication, as listed, would give you the answer you are looking for.
11-22-2013 03:24 AM
Hello Ameet,
I now have the same issue,
but I have different tunnel-groups and different group-policies.
The user obtains an IP address dedicated to it under the group-policy.
On the login page the user chooses the LDAP OU group (group-alias) and connects.
But I do not know how to restrict a user from one group from connecting to another group.
Do you have a solution for this?
Kindly Tural
11-24-2013 06:51 PM
Hello Tural,
I work with Ameet and wanted to chime in. If I understand you correctly, you have multiple tunnel-groups/connection profiles, each with its own group-policy, and you have IP pools assigned on the group-policies.
A good solution is the option Jennifer pointed out above, which is to use only a single tunnel-group/connection profile and utilize an LDAP attribute map to dynamically assign the group-policy.
If you use the same authentication method for each tunnel-group/connection profile, there is nothing stopping a user from selecting another tunnel-group and authenticating, then obviously being assigned that group-policy and eventually the IP. I am thinking this is what you want to avoid, because you may be using a different pool per group-policy and then restricting access based on that IP range?
Hope this helps.
Best regards,
Paul
11-24-2013 10:42 PM
Hello pcarco,
Thank you very much for the reply.
Exactly, you understood correctly.
Actually it does not matter to me how many tunnel-groups and group-policies I have to configure.
The only thing is that my users from different AD/LDAP OUs should be able to connect (without selecting the group in the AnyConnect drop-down) and obtain their own IP, so that I can put ACLs against those pools (if I need to) on the ASA.
I know that it is very easy if I use ACS as a RADIUS server, but I do not have it. Just AD/LDAP and the ASA.
As I understood from your comments, I have to create different authentication methods for each OU in order for them to connect to their own tunnel-group and group-policy?
Kindly Tural
11-25-2013 07:02 AM
Hello Tural,
In my opinion, since you are using AD/LDAP for authentication for all users, you should do the following:
1.) Configure the default tunnel-group/connection profile to authenticate to your AD server.
(disable the other tunnel-groups for testing)
2.) Configure the default tunnel-group/connection profile to use the default group-policy.
3.) Configure multiple group-policies on the ASA for the users you want to segregate.
4.) Create an LDAP attribute map (see my CLI example).
(ASDM) Configuration > Remote Access VPN > AAA/Local Users > LDAP Attribute Map
ASA-tme# sho run ldap attribute-map
ldap attribute-map Test_Map                      <-- map that is associated with the aaa-server
  map-name  memberOf Group-Policy                <-- LDAP attribute memberOf is mapped to the ASA attribute Group-Policy
  map-value memberOf CN=engineering,CN=Users,DC=Cisco,DC=tme,DC=com engineering-GP
  map-value memberOf CN=marketing,CN=Users,DC=Cisco,DC=tme,DC=com Marketing-GP
(users that are a member of the AD group 'engineering' will be mapped to the ASA group-policy 'engineering-GP', etc.)
5.) Configure your AAA-server entry for your AD server to use your newly created LDAP attribute map.
ASA-tme# sho run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (Inside) host 172.16.1.20
 ldap-base-dn DC=cisco,DC=tme,DC=com
 ldap-scope subtree
 ldap-naming-attribute SAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=users,DC=cisco,DC=tme,DC=com
 server-type microsoft
 ldap-attribute-map Test_Map                     <-- map associated to the aaa-server
The expected user experience would be that all users connect to the FQDN of your ASA and are no longer required to use the pull-down or a group-url to choose a tunnel-group/connection profile. The users log in to Active Directory and the LDAP attribute map puts them in the correct group-policy, where you have configured the appropriate policy for those users.
From the CLI, if you use 'debug ldap 255' while a user establishes a session, you will be able to view the mapping taking place.
Hope this helps .
Best regards,
Paul
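The two mechanisms discussed in this thread, group-lock on a local username (Alexey's explanation of why the login fails) and the LDAP attribute map on a single default tunnel-group (Paul's procedure above), can be modelled in a few lines. The following Python is an added illustration written for this page, not Cisco code and not anything posted in the thread: it simulates how an ASA selects the tunnel-group (group-url, then group-alias only while tunnel-group-list is enabled, otherwise the default), how group-lock only restricts and never steers, and how the attribute map chooses the group-policy, including the fall-through to the tunnel-group's default group-policy when the directory returns no mapped memberOf value (the symptom Peter reports later in the thread). The tunnel-group name DefaultWEBVPNGroup is the ASA's built-in SSL VPN default; the users, passwords, the "test2" account and the directory contents are constructed for the example.

```python
"""Constructed model of how an ASA resolves an AnyConnect user's tunnel-group
(connection profile) and group-policy, as discussed in this thread.
Illustrative Python written for this page, not Cisco code; all data is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TunnelGroup:
    name: str
    default_group_policy: str              # general-attributes: default-group-policy <gp>
    group_url_path: Optional[str] = None   # webvpn-attributes: group-url https://<asa>/<path> enable
    group_alias: Optional[str] = None      # webvpn-attributes: group-alias <name> enable


@dataclass
class LocalUser:
    password: str
    group_lock: Optional[str] = None        # username attributes: group-lock value <tunnel-group>
    vpn_group_policy: Optional[str] = None  # username attributes: vpn-group-policy <group-policy>


@dataclass
class Result:
    ok: bool
    reason: str
    tunnel_group: str
    group_policy: Optional[str]


@dataclass
class Asa:
    tunnel_groups: Dict[str, TunnelGroup]
    default_tunnel_group: str = "DefaultWEBVPNGroup"   # ASA's built-in SSL VPN default
    tunnel_group_list_enabled: bool = False            # webvpn: tunnel-group-list enable
    local_users: Dict[str, LocalUser] = field(default_factory=dict)
    ldap_map: Dict[str, str] = field(default_factory=dict)         # map-value memberOf <DN> <gp>
    directory: Dict[str, List[str]] = field(default_factory=dict)  # constructed AD: user -> memberOf DNs

    def select_tunnel_group(self, url_path: Optional[str], alias: Optional[str]) -> TunnelGroup:
        """A matching group-url wins; a group-alias only counts while the drop-down
        (tunnel-group-list) is enabled; otherwise the client lands in the default."""
        for tg in self.tunnel_groups.values():
            if url_path is not None and tg.group_url_path == url_path:
                return tg
        if self.tunnel_group_list_enabled and alias is not None:
            for tg in self.tunnel_groups.values():
                if tg.group_alias == alias:
                    return tg
        return self.tunnel_groups[self.default_tunnel_group]

    def login_local(self, user: str, password: str,
                    url_path: Optional[str] = None, alias: Optional[str] = None) -> Result:
        tg = self.select_tunnel_group(url_path, alias)
        u = self.local_users.get(user)
        if u is None or u.password != password:
            return Result(False, "bad credentials", tg.name, None)
        # group-lock only RESTRICTS the user to one tunnel-group; it never steers
        # the user into it. Landing in any other tunnel-group is a failed login.
        if u.group_lock is not None and u.group_lock != tg.name:
            return Result(False, f"group-lock {u.group_lock} != {tg.name}", tg.name, None)
        # vpn-group-policy on the username overrides the tunnel-group's default policy.
        return Result(True, "ok", tg.name, u.vpn_group_policy or tg.default_group_policy)

    def login_ldap(self, user: str,
                   url_path: Optional[str] = None, alias: Optional[str] = None) -> Result:
        tg = self.select_tunnel_group(url_path, alias)
        groups = self.directory.get(user)
        if groups is None:
            return Result(False, "bind failed", tg.name, None)
        # First memberOf value with a map-value entry wins. Exact string match here,
        # so the DN in the map must equal the DN the server returns ('debug ldap 255').
        for dn in groups:
            if dn in self.ldap_map:
                return Result(True, "ldap attribute-map", tg.name, self.ldap_map[dn])
        # No mapped group returned (e.g. memberOf missing): the user silently gets the
        # tunnel-group's default group-policy, so keep that policy the most restrictive.
        return Result(True, "tunnel-group default", tg.name, tg.default_group_policy)


def build_asa() -> Asa:
    """Constructed configuration mirroring the thread: the default tunnel-group, the
    'test-tunnel' profile with its group-url, and Paul's LDAP attribute map."""
    dom = "CN=Users,DC=Cisco,DC=tme,DC=com"
    asa = Asa(tunnel_groups={
        "DefaultWEBVPNGroup": TunnelGroup("DefaultWEBVPNGroup", "DfltGrpPolicy"),
        "test-tunnel": TunnelGroup("test-tunnel", "test-gp", group_url_path="/test"),
    })
    asa.local_users["test"] = LocalUser("test", group_lock="test-tunnel", vpn_group_policy="test-gp")
    asa.local_users["test2"] = LocalUser("test", vpn_group_policy="test-gp")   # constructed: no group-lock
    asa.ldap_map = {f"CN=engineering,{dom}": "engineering-GP", f"CN=marketing,{dom}": "Marketing-GP"}
    asa.directory = {"alice": [f"CN=engineering,{dom}"],   # constructed users
                     "bob": [f"CN=marketing,{dom}"],
                     "carol": []}                          # server returned no memberOf values
    return asa
```

Running `build_asa().login_local("test", "test")` reproduces the original poster's failure: with no group-url and the drop-down disabled the client lands in DefaultWEBVPNGroup, the group-lock to test-tunnel does not match, and the login is rejected even though the credentials are valid; the same user via the `/test` group-url succeeds with test-gp. On the LDAP side, "carol" shows the quiet failure mode of the attribute-map approach: a user whose memberOf values are not returned is accepted into the default tunnel-group's default group-policy, which is why that policy should be the one that grants the least.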
11-25-2013 11:00 AM
Hello Paul
Thank you very much for the detailed explanation.
I have already configured it the way you advised, but it did not work for me. It only works when I enable tunnel-group-list (the drop-down) and group-alias. As I mentioned, we do not want the user to see the groups.
When I disable it, the user connects only to the default tunnel-group/connection profile and group-policy.
I think my mistake is on the AD/LDAP side.
My question is:
In your comments, are CN=engineering and CN=marketing OUs created in AD, or Security Groups?
Thank you in advance for your help, Paul.
Kindly Tural
11-25-2013 11:29 AM
Hello,
You are welcome. In my lab setup on my AD server the group is defined under Users, the group scope is Global and the group type is Security Group. Then my user account is a memberOf one of the groups.
Good luck.
Best regards,
Paul
If you want to see the groups that the ASA can glean from your ASA, add a DAP policy and do the following. You do not need this as part of your configuration; it is just a tip to see the groups.
(DAP screenshot from the original post not reproduced)
11-25-2013 11:53 AM
OK, Paul, I will check it tomorrow, and I have more hope now that it will work.
It is becoming clearer to me now; I have to check the AD again. I hope it will work with this configuration.
Thank you once again for being willing to help.
It is kind of you.
I will come back with the result tomorrow, Paul.
Kindly Tural
11-26-2013 11:08 AM
Hello Paul,
Today I spent half of my day on it; the bad news is that it did not work for me. :)
While configuring the DAP it says that I have to enable CSD. Did you also enable it in your lab?
Kindly Tural
11-26-2013 12:28 PM
Hello,
I do have it enabled, but you only need it enabled if you are trying to create a DAP policy using an attribute tied to the HostScan criteria.
Did you run 'debug ldap 255' during a session establishment to view what was going on?
Post the output of 'sho run aaa-server' and 'sho run ldap attribute-map'.
Good luck.
Paul
11-26-2013 03:55 PM
Hi
What type of LDAP server do you use? With Microsoft Windows 2012 I have a problem where only the Administrator user is mapped to the correct group.
For other users, no groups are shown in the 'debug ldap 255' output, and so there is also no mapping to the correct group.
Regards
Peter