AnyConnect user automatic group-policy and tunnel-group assignment without selecting any group-alias from the tunnel-group-list.

john.ebrahim83
Level 1

The objective is that the AnyConnect user does not have to select a group-alias, so that when a user enters a username and password the session goes to that user's specific tunnel-group and group-policy. For this I removed the command under webvpn with "no tunnel-group-list enable". After doing this I cannot log in (the user does not authenticate).

1- My question is: why is this not happening?

Solution:

If I keep only one default tunnel-group and create multiple group-policies, assigning each user its own group-policy, then it works. That is, if in the user attributes I issue only the following commands it works, but if I add "group-lock value test-tunnel" then the user cannot log in.

Please explain why.

webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
username test password test
username test attributes
 vpn-tunnel-protocol svc
 group-lock value test-tunnel
 vpn-group-policy test-gp
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes
 group-url https://192.168.168.2/test enable
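The failing case in the post above, laid out as an added example (this is not the poster's configuration; the user, pool and policy names are assumed). The ASA picks the connection profile from what the client presents at connect time, a group-alias chosen from the drop-down, a group-url, or a certificate map, and not from the username it authenticates afterwards. With tunnel-group-list disabled and the bare address in the client, every session lands on DefaultWEBVPNGroup. "group-lock value test-tunnel" on the user then compares that profile name against test-tunnel and, on mismatch, refuses the login even though the password was correct, which is exactly the symptom of a user who "does not authenticate". Two shapes that do work:

```text
! Added example, not the original poster's config. Names (eng-pool, eng-gp, alice ...) are assumed.
! Keywords follow the poster's 8.x release ("svc"); 8.4 and later spell them "anyconnect".

! --- Shape A: no alias list, one connection profile, group-policy chosen per user ---
ip local pool eng-pool 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool hr-pool  10.10.20.1-10.10.20.100 mask 255.255.255.0

group-policy eng-gp internal
group-policy eng-gp attributes
 vpn-tunnel-protocol svc
 address-pools value eng-pool
group-policy hr-gp internal
group-policy hr-gp attributes
 vpn-tunnel-protocol svc
 address-pools value hr-pool

! Deny by default: a user with no vpn-group-policy of their own gets no session at all.
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0

! Every session arrives here because no alias and no group-url is in play.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy noaccess

username alice password <password>
username alice attributes
 vpn-group-policy eng-gp
 ! no group-lock here: a lock on any profile other than DefaultWEBVPNGroup rejects this login
username bob password <password>
username bob attributes
 vpn-group-policy hr-gp

webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
 no tunnel-group-list enable

! --- Shape B: keep group-lock, but make the client land on the locked profile ---
! The user must open https://192.0.2.1/eng so the session arrives on eng-tunnel;
! from the bare address it arrives on DefaultWEBVPNGroup and the lock refuses it.
tunnel-group eng-tunnel type remote-access
tunnel-group eng-tunnel general-attributes
 default-group-policy eng-gp
tunnel-group eng-tunnel webvpn-attributes
 group-url https://192.0.2.1/eng enable
username alice attributes
 group-lock value eng-tunnel
```

To confirm where a session actually landed, "show vpn-sessiondb anyconnect" prints both a "Group Policy" and a "Tunnel Group" field per session; in Shape A expect Tunnel Group DefaultWEBVPNGroup with the per-user group-policy, in Shape B expect eng-tunnel. Group-lock is a restriction, never a router: it can only refuse a session that arrived on the wrong profile, so it is only useful together with something (group-url, alias, certificate map) that steers the client onto the right one.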

21 Replies

Hello Paul

Here is my configuration; could you please check and let me know what my mistake is.

My user connects only to the default tunnel/connection profile.

You can also see the debug output.

C:\>dsquery group domainroot -name Tural*

"CN=Tural,OU=test,OU=Corporat,DC=xxxx,DC=com"

C:\>dsquery group domainroot -name Rasim*

"CN=Rasim,OU=test1,OU=Corporat,DC=xxxx,DC=com"

C:\>dsquery user -name test*

"CN=test,OU=test,OU=Corporat,DC=xxxx,DC=com"

======================================================================
dynamic-access-policy-record Tural
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record Rasim
ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf Rasim CN=Rasim,OU=test1,OU=Corporat,DC=xxxx,DC=com
  map-value memberOf Tural CN=Tural,OU=test,OU=Corporat,DC=xxxxx,DC=com
aaa-server LDAP_AUTHENT protocol ldap
aaa-server LDAP_AUTHENT (inside) host x.x.x.x
 ldap-base-dn dc=xxxx,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=admin,cn=Users,dc=xxxx,dc=com
 server-type microsoft
 ldap-attribute-map CISCOMAP
=========================================================
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP_AUTHENT
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AUTHENT
 authentication-server-group (inside) LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 authorization-server-group (inside) LDAP_AUTHENT
 authorization-required
tunnel-group test1 type remote-access
tunnel-group test1 general-attributes
 address-pool VIP-POOL1
 authentication-server-group LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 default-group-policy Rasim
 authorization-required
 authentication-attr-from-server secondary
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VIP-POOL
 authentication-server-group LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 default-group-policy Tural
 authorization-required
 authentication-attr-from-server secondary
==========================================================
group-policy DfltGrpPolicy attributes
 dns-server value xxxxxxx
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VIP-SPLIT
 default-domain value xxxx.com
 split-dns value xxxxxxxxx
group-policy Rasim internal
group-policy Rasim attributes
 wins-server none
 dns-server value xxxxxx
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value xxx
 split-dns value 10.241.17.63
 address-pools value VIP-POOL1
 default-domain value xxxx.com
group-policy Tural internal
group-policy Tural attributes
 wins-server none
 dns-server value xxxxx
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value xxxx.com
 split-dns value xxxxx
 address-pools value VIP-POOL
====================================================

[536] Session Start
[536] New request Session, context 0x00007ffd8fe92cb8, reqType = Authentication
[536] Fiber started
[536] Creating LDAP context with uri=ldap://10.241.17.64:389
[536] Connect to LDAP server: ldap://10.241.17.64:389, status = Successful
[536] supportedLDAPVersion: value = 3
[536] supportedLDAPVersion: value = 2
[536] Binding as admin
[536] Performing Simple authentication for admin to 10.241.17.64
[536] LDAP Search:
        Base DN = [DC=xxxxx,DC=com]
        Filter  = [sAMAccountName=test1]
        Scope   = [SUBTREE]
[536] User DN = [CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com]
[536] Talking to Active Directory server 10.241.17.64
[536] Reading password policy for test1, dn:CN=test1,OU=test1,OU=Corporat,DC=xxx,DC=xxx
[536] Read bad password count 0
[536] Binding as test1
[536] Performing Simple authentication for test1 to 10.241.17.64
[536] Processing LDAP response for user test1
[536] Message (test1):
[536] Authentication successful for test1 to 10.241.17.64
[536] Retrieved User Attributes:
[536]   objectClass: value = top
[536]   objectClass: value = person
[536]   objectClass: value = organizationalPerson
[536]   objectClass: value = user
[536]   cn: value = test1
[536]   givenName: value = test1
[536]   distinguishedName: value = CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[536]   instanceType: value = 4
[536]   whenCreated: value = 20131126115004.0Z
[536]   whenChanged: value = 20131126122310.0Z
[536]   displayName: value = test1
[536]   uSNCreated: value = 9235760040
[536]   memberOf: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[536]           mapped to IETF-Radius-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[536]           mapped to LDAP-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[536]   uSNChanged: value = 9236081181
[536]   name: value = test1
[536]   objectGUID: value = 5....\.B....d..a
[536]   userAccountControl: value = 512
[536]   badPwdCount: value = 0
[536]   codePage: value = 0
[536]   countryCode: value = 0
[536]   badPasswordTime: value = 0
[536]   lastLogoff: value = 0
[536]   lastLogon: value = 0
[536]   pwdLastSet: value = 130299402043656468
[536]   primaryGroupID: value = 513
[536]   objectSid: value = ............V..W.../....."..
[536]   accountExpires: value = 9223372036854775807
[536]   logonCount: value = 0
[536]   sAMAccountName: value = test1
[536]   sAMAccountType: value = 805306368
[536]   userPrincipalName: value = test1@megafontj.tj
[536]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxxx,DC=com
[536]   dSCorePropagationData: value = 16010101000000.0Z
[536]   lastLogonTimestamp: value = 130299421909985288
[536] Fiber exit Tx=549 bytes Rx=2505 bytes, status=1
[536] Session End

[537] Session Start
[537] New request Session, context 0x00007ffd8fe92cb8, reqType = Other
[537] Fiber started
[537] Creating LDAP context with uri=ldap://10.241.17.64:389
[537] Connect to LDAP server: ldap://10.241.17.64:389, status = Successful
[537] supportedLDAPVersion: value = 3
[537] supportedLDAPVersion: value = 2
[537] Binding as admin
[537] Performing Simple authentication for admin to 10.241.17.64
[537] LDAP Search:
        Base DN = [DC=xxxxx,DC=com]
        Filter  = [sAMAccountName=test1]
        Scope   = [SUBTREE]
[537] User DN = [CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com]
[537] Talking to Active Directory server 10.241.17.64
[537] Reading password policy for test1, dn:CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[537] Read bad password count 0
[537] LDAP Search:
        Base DN = [DC=xxxxx,DC=com]
        Filter  = [sAMAccountName=test1]
        Scope   = [SUBTREE]
[537] Retrieved User Attributes:
[537]   objectClass: value = top
[537]   objectClass: value = person
[537]   objectClass: value = organizationalPerson
[537]   objectClass: value = user
[537]   cn: value = test1
[537]   givenName: value = test1
[537]   distinguishedName: value = CN=test1,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[537]   instanceType: value = 4
[537]   whenCreated: value = 20131126115004.0Z
[537]   whenChanged: value = 20131126122310.0Z
[537]   displayName: value = test1
[537]   uSNCreated: value = 9235760040
[537]   memberOf: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[537]           mapped to IETF-Radius-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[537]           mapped to LDAP-Class: value = CN=Rasim,OU=test1,OU=Corporat,DC=xxxxx,DC=com
[537]   uSNChanged: value = 9236081181
[537]   name: value = test1
[537]   objectGUID: value = 5....\.B....d..a
[537]   userAccountControl: value = 512
[537]   badPwdCount: value = 0
[537]   codePage: value = 0
[537]   countryCode: value = 0
[537]   badPasswordTime: value = 0
[537]   lastLogoff: value = 0
[537]   lastLogon: value = 0
[537]   pwdLastSet: value = 130299402043656468
[537]   primaryGroupID: value = 513
[537]   objectSid: value = ............V..W.../....."..
[537]   accountExpires: value = 9223372036854775807
[537]   logonCount: value = 0
[537]   sAMAccountName: value = test1
[537]   sAMAccountType: value = 805306368
[537]   userPrincipalName: value = test1@megafontj.tj
[537]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxxx,DC=com
[537]   dSCorePropagationData: value = 16010101000000.0Z
[537]   lastLogonTimestamp: value = 130299421909985288
[537] Fiber exit Tx=547 bytes Rx=4109 bytes, status=1
[537] Session End

Kindly Tural

Hello Peter,

We are using Microsoft 2008.

Yes, my problem is that the user is mapped to the default policy.

I have 2 users created: test and test1.

But they are not mapped to their own tunnel/connection profile; instead they are mapped to the default one and obtain an IP from the default pool.

Kindly Tural

Hi Tural

You should use only one tunnel-group and do the mapping to the group-policy, not to tunnel-groups:

ldap attribute-map sslvpn
  map-name  memberOf Group-Policy
  map-value memberOf CN=G_SSLVPN,OU=Service,OU=Groups,OU=xxx,DC=xxx,DC=local ssl_admin
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldapquerysrv1 protocol ldap
aaa-server ldapquerysrv1 (inside) host 192.168.20.80
 server-port 389
 ldap-base-dn dc=xxx,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password xxxxxx
 ldap-login-dn CN=svc_ciscoldap,OU=Service,OU=Users,OU=XXX,DC=xxxx,DC=local
 server-type microsoft
 ldap-attribute-map sslvpn

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ssl-clientpool
 authentication-server-group (outside) ldapquerysrv1 LOCAL
 default-group-policy ssl_noaccess

group-policy ssl_admin internal
group-policy ssl_admin attributes
 dns-server value x.x.x.x
 vpn-simultaneous-logins 25
 vpn-idle-timeout 60
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_ssl
 default-domain value xxx
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect profiles value xxx type user
group-policy ssl_noaccess internal
group-policy ssl_noaccess attributes
 vpn-simultaneous-logins 0

Regards
Peter

Hello Peter,

But I want different users from different OUs to be able to obtain an IP from their own IP pool,

not the same pool.

IT and HR employees must have different pools assigned.

Will this work with only one tunnel-group and group-policy?

Kindly Tural
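Added example for the per-department pool question above and for the LDAP map in Tural's earlier post; it is not Tural's or Peter's configuration, and the AD group DNs, pool ranges, server address and service account are assumed. One connection profile is kept; AD group membership selects the group-policy, and the address pool lives in the group-policy, so IT and HR users get different pools without ever choosing a profile. Note the map-value argument order: the value as it arrives from AD (the group DN) comes first and the ASA-side name second. In the CISCOMAP posted earlier the two are swapped (map-value memberOf Rasim CN=Rasim,...), so nothing matches the real memberOf value and the DN passes through unchanged, which is what the debug lines "mapped to IETF-Radius-Class: value = CN=Rasim,OU=test1,..." show; no group-policy has that DN as its name, so the session falls back to the profile's default.

```text
! Added example; not from the thread. Group DNs, pools, server and service account are assumed.
ip local pool it-pool 10.20.1.1-10.20.1.200 mask 255.255.255.0
ip local pool hr-pool 10.20.2.1-10.20.2.200 mask 255.255.255.0

! One group-policy per department; the pool is attached here, not to the connection profile.
group-policy it-gp internal
group-policy it-gp attributes
 vpn-tunnel-protocol ssl-client
 address-pools value it-pool
group-policy hr-gp internal
group-policy hr-gp attributes
 vpn-tunnel-protocol ssl-client
 address-pools value hr-pool
! Fallback for anyone whose memberOf matched nothing: authenticates, but no session is allowed.
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0

! AD value first (the group DN; quote it if it contains spaces), ASA-side value second.
ldap attribute-map AD-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-IT,OU=Groups,DC=example,DC=com" it-gp
 map-value memberOf "CN=VPN-HR,OU=Groups,DC=example,DC=com" hr-gp

aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc_asa_ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-TO-GP

! Single connection profile: no alias, no group-url, no group-lock, no separate authorization step.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD
 default-group-policy noaccess
webvpn
 enable outside
 anyconnect enable
 no tunnel-group-list enable
```

With "debug ldap 255" running, a successful mapping shows up as a line of the form "mapped to Group-Policy: value = it-gp" under the memberOf attribute, and "show vpn-sessiondb anyconnect" should then list it-gp or hr-gp as the Group Policy with an address from the matching pool. Keep the two AD groups disjoint: a user in both returns two memberOf values and which mapping wins is not something to rely on. Also remember that dynamic access policies run after this step; if DfltAccessPolicy is set to "action terminate", every session must match a named DAP record whose criteria are stored in dap.xml rather than in the CLI, or it is torn down regardless of the group-policy just selected.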

You have no idea how much your post helped me. Thank you!

Now different users can access the same VPN through the VPN Client and AnyConnect. That connection profile lock was the problem in my case.

ifabrizio
Level 3

Hi to All,

Does it also work with a Linux RADIUS server?

Hi,

Can you tell me how to do it with FreeRADIUS?
