I am configuring an ASA 5520 for VPN access. Authorization & Authentication use an LDAP server. I have the tunneling configured successfully, and I can access internal resources. What I want to do now is to restrict access to a specific AD Group membership. In the absence of that group membership, a user should not be allowed access to the VPN.
My test VPN client software is Cisco Systems VPN Client Version 5.0.05.0290. The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
The Software Version on the ASA is 8.3(1).
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. I found the thread below to be significantly helpful, but there is obviously something that doesn't quite mesh with my circumstance.
https://supportforums.cisco.com/message/3232649#3232649
Thanking all in advance for any offered thoughts and guidance.
The configuration (AAA LDAP, group policy, and tunnel group) is below.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.y.12
server-port 636
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=svcacct,ou=svcac,ou=Users,ou=svcad,dc=domain,dc=com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.10
server-port 636
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=svcacct,ou=svcac,ou=Users,ou=svcad,dc=domain,dc=com
ldap-over-ssl enable
ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.11
server-port 636
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=svcacct,ou=svcac,ou=Users,ou=svcad,dc=domain,dc=com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.10
server-port 636
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=svcacct,ou=svcac,ou=Users,ou=svcad,dc=domain,dc=com
ldap-over-ssl enable
ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.11
server-port 636
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=svcacct,ou=svcac,ou=Users,ou=svcad,dc=domain,dc=com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_MAP
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn
address-pools none
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec webvpn
ipsec-udp enable
group-policy vpn-pro internal
group-policy vpn-pro attributes
wins-server value x.x.y.17 x.x.y.27
dns-server value x.x.y.19 x.x.y.29
vpn-simultaneous-logins 50
vpn-tunnel-protocol IPSec svc
group-lock value vpn-pro
default-domain value domain.com
address-pools value vpn-pro-ip
webvpn
svc dpd-interval client none
svc dpd-interval gateway 1800
!
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy vpn-pro
authorization-required
tunnel-group vpn-pro type remote-access
tunnel-group vpn-pro general-attributes
authentication-server-group LDAP
authentication-server-group (outside) LDAP
authorization-server-group LDAP
default-group-policy vpn-pro
strip-realm
password-management
strip-group
authorization-required
tunnel-group NOACCESSGROUP type remote-access
tunnel-group NOACCESSGROUP general-attributes
authentication-server-group LDAP
default-group-policy NOACCESS
