Let me check and get back to you.

Both answers are correct. Further, as Jennifer mentioned, authenticating against an AD v/s the local auth, as listed, would provide you the answer you are looking for.

Hello Ameet,

I have also same issue now,

But I have different tunnel-groups, and different group-policy.

User obtains ip dedicated for it under the group-policy.

On the login page user choose the LDAP OU group ( group-alias) and connects.

But I do not know how to restrict the user from one group to connect to another group

Do you have any solution for this?

Kindly Tural

Hello Tural,

I work with Ameet and wanted to chime in.  If I understand you correctly you have multiple tunnel-groups/connection profiles each with its own group-policy.  You have IP pools assigned on the group-policys 

A good solution  is the option Jennifer pointed out above which is to use only a single tunnel-group/connection profile and utilize a ldap attribute map to dynamically assign the group-policy.

If you use the same authentication method for each tunnel-group/connection profile there is nothing stopping a user from selecting the the tunnel group and authenticating then obviously being assigned the group-policy and eventually the IP which I am thinking is what you want to avoid because you may be using a different pool per group-policy and then restricting access based on that ip range ?

Hope this helps.

Best regards,

Paul

Hello, pcarco,

Thank you very much for reply,

Exactly, you understood correcctly.

Actually it does not matter for me how many tunnel groups and group policies I have to configure

The only thing is that I have my users from different AD/LDAP OU could connect (without selecting the group on the anyconnect vpn drop-down) and obtains their own ip, and accordingly I could put acls agains those pools (if i will need) on the ASA.

I know that it is very easy If I use ACS as a Radius Servers, But I do not have it. Just AD/LDAP and ASA.

As I understood from your coments, I have to create different authentication methods for each OU in order they would connect their own tunnel and group-policy ?

Kindly Tural

Hello Tural,

In my opinion since you are using AD/LDAP  for authentication for all users  that you do the following

1.) Configure the  default tunnel-group/connection profile to authenticate to your AD server.

(disable the other tunnel-groups for testing)

2.) Configure the default tunnel-group/connection profile to use the default group policy

3.) Configure multiple group policies on the ASA for the users you want to segregate

4.) Create an LDAP attribute map  (see my CLI  example)

(ASDM) Configuration > Remote Access VPN > AAA/Local Users > LDAP Attribute Map

ASA-tme# sho run ldap attribute-map

ldap attribute-map Test_Map  <<<< map that is associated with aaa-server>>>

  map-name  memberOf Group-Policy <<>>

  map-value memberOf CN=engineering,CN=Users,DC=Cisco,DC=tme,DC=com engineering-GP

  map-value memberOf CN=marketing,CN=Users,DC=Cisco,DC=tme,DC=com Marketing-GP

( users that are a member of the AD group 'engineering' will be mapped to ASA group policy 'engineering-GP' etc....)

5.) Configure your AAA-Server entry for your AD server to use your newly created LDAP Attribute Map

ASA-tme# sho run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (Inside) host 172.16.1.20
ldap-base-dn DC=cisco,DC=tme,DC=com
ldap-scope subtree
ldap-naming-attribute SAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=users,DC=cisco,DC=tme,DC=com
server-type microsoft
ldap-attribute-map Test_Map   <<<<< map associated to aaa-server>>>

The expected user experience would be that all users connect to the FQDN of your ASA and are no longer required to use the pull down or a group-url to choose a tunnel-group/connection profile.   The users login to Active Directory and the ldap attribute map will put the users in the correct group-policy where you have configured the appropriate policy for the users.

From the CLI if you use   'debug ldap 255' during a users establishing a session you will be able to view the mapping taking place.

Hope this helps .

Best regards,

Paul

Hello Paul

Thank you very much for detailed explanation.

I have already configured the way that you advised, but it did not work for me. Only works when I enable group-tunnel-list(drop down) and group-alias. As I mentioned we do not want that user see the groups.

When I disable it, user connects only to defult tunne-groups/connections and group-policy.

I think my mistake is on the AD/LDAP side.

My question is:

In you commets, the CN=engineering and CN=marketing are the OUs created on the AD, or Security Groups?

Thank you in advance for your help Paul

Kindly Tural

Hello,

You are welcome.   In my lab set up on my AD server  the group is defined under users and the group scope is global and group type is Security Group.   Then my user account is a memberOF one of the groups.

Good luck.

Best regards,

Paul

If you want to see the groups that the ASA can glean from your ASA - add a dap policy and do the following.  You do not need this as part of your configuration just a tip to see the groups.

DAP screenshot below

OK, Paul, I will check it tomorrow, and I have more hopes now that it will work,

It becomes more clear to me now, I have to check the AD again, I hope it will work with this configuration.

Thank you ones again for willing to help.

It is kind of you.

I will come back with the result tomorrow, Paul.

Kindly Tural

Hello Paul,

Today I spent half of my day to it, the bad news is that it didnot work for me.)

While configuring the DAP it says that I have to enable CSD, did you also enable it in your lab?

Kindly Tural

Hello,

I do have it enabled but you only need enabled if you are trying to create DAP policy using an attibute tied to the host scan criteria.

Did you debug ldap 255 during a session establishment to view what was going on ?

post the the output of  a  'sho run aaa-server'  and ' sho run ldap attribute-map''

Good luck.

Paul

Hi

What type of ldap-server do you use? With Microsoft Windows 2012 i got a problem, that only the administrator user will mapped to the correct group.

With other users, there are no groups shown in the "debug ldap 255" and so also no mapping to the correct group.

Regards

Peter