ASA anyconnect LDAP/BAse DN and client profiles

AyoubC
Level 1

Hello Sec GURUs, 

I have two different questions please: 

1- I'm using AnyConnect with an LDAP server (AD) to fetch the user AD creds; everything works fine as long as I point the LDAP server at DC=companyname,DC=domaine,DC=com. Once I adjust the Base DN to narrow down the OU group (CN=engineering,OU=remoteusers,DC=companyname,DC=domaine,DC=com), the AnyConnect users fail to connect. Am I missing another parameter? Please guide me on how I can do that.

 

2- Is there a way to use the ClientProfile to control the following: make the AnyConnect "Disconnect" button grayed out after a user connects, and also restrict the user machine from accessing the internet until the user connects his AnyConnect VPN.

 

THANKS!!!

Accepted Solution

@MHM Cisco World  the NOACCESS default-group-policy needs to be referenced under the tunnel-group, it's the attribute map which assigns a user to the group-policy "GroupPolicy_HTMI-VPN" this overrides the default group policy for users who are allowed access and denies the users who are not a member of this group.

@AyoubC the output confirms the user was mapped to the correct group policy (via the attribute map) - if the user is still getting denied it's probably because you've not explicitly defined the number of "vpn-simultaneous-logins" for the group policy "GroupPolicy_HTMI-VPN", therefore it would inherit this value from the default group policy.

Example:

group-policy GroupPolicy_HTMI-VPN attributes
 vpn-simultaneous-logins 3

 

 

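Putting the accepted answer together with the earlier replies, below is a complete ASA configuration for the scheme discussed in this thread: base DN at the root of the domain, an LDAP attribute map that turns AD group membership into a group-policy, a NOACCESS default group-policy on the tunnel-group, and an explicit vpn-simultaneous-logins value on the mapped policy so it does not inherit 0 from NOACCESS. This is an added example assembled by the editor, not configuration posted by anyone in the thread. The server-group name AD-LDAP, the attribute-map name LDAP-MAP, the tunnel-group name HTMI-VPN, the login DN of the s-Anyconnect account and its password are assumptions; the AD address is the one visible in the debug output above, and the group DN and policy names are the ones quoted in the thread.

```cisco
! --- LDAP attribute map: AD memberOf -> ASA Group-Policy ---
! Attribute names are case sensitive: it must be memberOf, not memberof.
! The DN is quoted because "Morocco Team" contains a space.
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_grp,OU=vpn-users,OU=Morocco Team,DC=htmioffice,DC=com" GroupPolicy_HTMI-VPN
!
! --- AAA server group (name AD-LDAP is an assumption) ---
! Base DN stays at the domain root so every user object is found;
! the attribute map, not the base DN, decides who gets access.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 172.16.201.115
 ldap-base-dn DC=htmioffice,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=s-Anyconnect,CN=Users,DC=htmioffice,DC=com
 ldap-login-password <bind-account-password-placeholder>
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! --- Default policy: members of no mapped group land here and are denied ---
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
!
! --- Policy assigned by the attribute map ---
! vpn-simultaneous-logins must be set explicitly here; if it is left
! unset the policy inherits 0 from NOACCESS and mapped users are denied too.
group-policy GroupPolicy_HTMI-VPN internal
group-policy GroupPolicy_HTMI-VPN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! --- Tunnel group (name HTMI-VPN is an assumption) ---
tunnel-group HTMI-VPN type remote-access
tunnel-group HTMI-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group HTMI-VPN webvpn-attributes
 group-alias HTMI-VPN enable
```

To check the mapping without an AnyConnect client, run test aaa-server authentication AD-LDAP host 172.16.201.115 username test03 password <pw> together with debug ldap 255: a user in VPN_grp should show memberOf being mapped to Group-Policy GroupPolicy_HTMI-VPN in the debug, while a user outside the group should fall through to NOACCESS and be rejected.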

19 Replies

@AyoubC check your ldap configuration, certain ldap attributes are case sensitive. Provide the output of the ldap configuration if you want it checked. Here is a guide to configure LDAP authentication on ASA.

You can use Always on VPN, it establishes a VPN session automatically after the user logs in and upon detection of an untrusted network. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the ASA group policy) expires. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#topic_BD02A53E0A714E23A56850698C830A6C

You could look at a management tunnel, which is established pre-user login. This ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the user. https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

 

AyoubC
Level 1

I'm going to test, and keep you posted!

AyoubC
Level 1

Hello @Rob Ingram 

Spent some time today; the always-on setup was pretty straightforward.

For the LDAP search in a specific group, I went crazy. Below is the output for one of my auth attempts:

[4647] Session Start
[4647] New request Session, context 0x00007f74740ee020, reqType = Authentication
[4647] Fiber started
[4647] Creating LDAP context with uri=ldap://<AD IP>:389
[4647] Connect to LDAP server: ldap://<AD IP>:389, status = Successful
[4647] defaultNamingContext: value =DC=<MyDomaine>,DC=com
[4647] supportedLDAPVersion: value = 3
[4647] supportedLDAPVersion: value = 2
[4647] supportedSASLMechanisms: value = GSSAPI
[4647] supportedSASLMechanisms: value = GSS-SPNEGO
[4647] supportedSASLMechanisms: value = EXTERNAL
[4647] supportedSASLMechanisms: value = DIGEST-MD5
[4647] Binding as s-Anyconnect
[4647] Performing Simple authentication for s-Anyconnect to 172.16.201.115
[4647] LDAP Search:
Base DN = [OU=VPNusers,DC=departement,DC=Mydomain,DC=com]
Filter = [sAMAccountName=test03]
Scope = [SUBTREE]
[4647] Search result parsing returned failure status
[4647] Talking to Active Directory server <AD IP>
[4647] Reading password policy for test03, dn:
[4647] Binding as s-Anyconnect
[4647] Performing Simple authentication for s-Anyconnect to <AD IP>
[4647] Fiber exit Tx=639 bytes Rx=776 bytes, status=-1
[4647] Session End

The AnyConnect app shows a simple "login failed", but I don't know what I missed here. Do I need an LDAP attribute map to search at a deeper level in the AD?

 

@AyoubC can you please provide your LDAP AAA specific configuration and I'll have a look.

AyoubC
Level 1

Hello @Rob Ingram 

Here you go! Below is the LDAP server config.

With the below configuration, everything works fine; once I try to narrow down the search in the AD (add more OU/CN to the Base DN) the concerned users can't connect (note that I copy-pasted the Base DN from AD itself, under the attribute editor).

[Attached image: AyoubC_0-1669116619967.png (LDAP server configuration)]

Thank you Rob!

@AyoubC can you enable debug ldap 255, log in as a user to test, and provide me the full output of the debug (it should provide more output than what was provided before).

You can of course use the base DN as the root of the domain and use the attribute map to allow specific AD groups to narrow down authentications.

Hello @Rob Ingram

Already done; attached is the output, this time from my lab environment. As you can see, narrowing down / the attribute map seems to not take effect: anyone can access as long as we point the ASA to the root base DN.

what do you think ? 

@AyoubC If you configured the ASA as per the first link I provided above, any user not a member of the LDAP group specified in the attribute map would be assigned the NOACCESS group-policy rather than the group-policy specified in the attribute map, this NOACCESS group-policy does not allow connections (vpn-simultaneous-logins 0).

Have you configured that?

More information on NOACCESS group-policy https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

AyoubC
Level 1

Going to test that right now.

"CN=VPN_grp,OU=vpn-users,OU=Morocco Team,DC=htmioffice,DC=com"

First, why is the LDAP memberOf enclosed with " "???
Second, the LDAP mapping must be written with an upper-case letter O:

memberOf

Note: the LDAP return must be written as it is sent from AD to ASA.
Double-check the config.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

@MHM Cisco World - thanks for pointing out some issues that I corrected, such as the memberOf - now I can see that the ASA is able to map a group policy value in the debug CLI.

For the " ", the CLI won't accept your long Base DN entry without " " - I don't think this is an issue.

@Rob Ingram good catch on the NOACCESS group policy; I created that as well and applied it as the default for my tunnel group, and this time all get denied. I feel like the ASA was able to determine/map the right group policy for the users but it can't enforce it.

See attached.

default-group-policy NOACCESS

Only remove this line from the tunnel-group and I think all will be OK.
