08-30-2006 07:27 AM - edited 02-21-2020 01:08 AM
I am doing a demo of an ASA to implement as an SSL VPN solution, and am having a problem with the configuration.
I have my users being authenticated with RSA and authorized with AD/LDAP. I am trying to set it up so that when they are authorized via AD/LDAP, users get applied to one or another ASA tunnel group based on AD group membership.
For example, we would want the IT group to get the full tunnel while other users, say in HR, would only get to browse certain bookmark links via the portal page.
09-05-2006 06:51 AM
Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies. Refer to the following URL for more info.
09-05-2006 10:22 AM
I understand about applying a group policy to a user or a group of users. But when user 'Joe' belongs to the 'accounting' group in AD, and user 'Bob' belongs to the 'HR' group in AD, the ASA can't see that 'Bob' is logging in to the ASA and so know that 'Bob' gets applied to the 'HR' tunnel group. Bob has to make this selection himself when he logs in by selecting which tunnel group he logs into. We want to take that process out of the users' hands.
10-11-2006 06:43 AM
Hi
This is exactly my problem as well, but I would like to match an OU defined in an RA personal certificate to a group name in LDAP (authorization) with specific access rights applied on group level.
Any URL or help is appreciated.
/Brgds Stefan
10-11-2006 06:24 PM
I have communicated this issue with my Cisco Security Engineer assigned to my account and he confirmed that this feature is not yet available. Currently the ASA cannot make a decision based on LDAP attributes as to what access rights to give the user.
10-12-2006 06:59 AM
I have it working. The key is to use an attribute-map to map the returned LDAP attribute (memberOf, in my case) to the cVPN3000-IETF-Radius-Class attribute.
The value of the cVPN3000-IETF-Radius-Class attribute determines the name of the group policy applied. In my case I use an internal group policy with the exact name of the Active Directory group.
It only worked after updating to the newest interim release, 7.2.1.19. It was just released on October 2. It seems to work very nicely so far.
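The configuration the post above describes, written out as an added example (this is not the poster's config and not Cisco documentation): an LDAP attribute map that turns the user's memberOf value into cVPN3000-IETF-Radius-Class, which the ASA then reads as the group-policy name, so IT members get the full SSL VPN client and HR members only see a bookmark list. The server name AD-LDAP, the RSA server name RSA-SDI, the tunnel-group name SSLVPN, the address 192.0.2.10, the bind DN, the url-list name HR-Bookmarks, and the example.com distinguished names are all assumptions; substitute your own. The syntax follows the 7.2 release the thread refers to; on later releases the Cisco attribute is spelled without the cVPN3000- prefix.

```text
! --- Added example, not from the original thread ---
! Step 1: map the AD memberOf attribute to the Cisco attribute that selects a group policy.
! The map-value lines translate a full group DN into the name of an internal group policy.
! A user whose memberOf matches none of these lines gets no class value and falls back
! to the tunnel group's default-group-policy (kept deliberately restrictive below).
ldap attribute-map AD-GROUP-TO-POLICY
 map-name  memberOf cVPN3000-IETF-Radius-Class
 map-value memberOf "CN=IT,OU=Groups,DC=example,DC=com" IT
 map-value memberOf "CN=HR,OU=Groups,DC=example,DC=com" HR

! Step 2: the AD/LDAP server used only for authorization, with the map attached.
! ldap-naming-attribute sAMAccountName lets the ASA find the user by the login name
! that was just validated against RSA.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY

! RSA SecurID handles authentication (sdprotocol node secret configured separately).
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.20

! Step 3: group policies named exactly as the map-value targets.
! IT: full tunnel via the SSL VPN client.
group-policy IT internal
group-policy IT attributes
 vpn-tunnel-protocol webvpn svc
 webvpn
  svc enable

! HR: clientless portal only, restricted to a bookmark list.
group-policy HR internal
group-policy HR attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value HR-Bookmarks

! Fallback for users in neither group: zero simultaneous logins = connection refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Step 4: one tunnel group for everyone; the user never chooses a group.
! authorization-required makes a failed LDAP lookup reject the session instead of
! silently granting the default policy.
tunnel-group SSLVPN type webvpn
tunnel-group SSLVPN general-attributes
 authentication-server-group RSA-SDI
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy NOACCESS

webvpn
 enable outside
```

To verify which policy a user actually landed in, `debug ldap 255` during a test login shows the memberOf values returned and the mapped class value, and `show vpn-sessiondb webvpn` (or `svc`) lists the Group Policy applied to the live session. The NOACCESS fallback is the check worth keeping: without it, a user in no mapped group, or a typo in a map-value DN, quietly results in the default policy rather than a rejected login.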
10-30-2006 09:08 AM
It works for me, too.
I nearly went crazy debugging the LDAP and reading the documentation, where I did not find any hint about whether the Cisco attributes have to be in the LDAP.
I succeeded now with the 7.2.1.19 release without changing anything in my config. Thanks for the hint.
10-11-2006 10:31 AM
I am having the exact same issue. When I try to authorize against the AD/LDAP server, I get an error:
%ASA-6-113005: AAA user authorization Rejected : reason = Attribute not found
The really odd thing is that if I test authenticating against this same AAA server configuration, it works just fine. I map the memberOf attribute to the class attribute which, in turn, determines the group policy. I just cannot get it to work on authorization.
10-11-2006 04:14 PM
I was able to resolve this issue by upgrading from 7.2.1 to 7.2.1.19.
10-27-2006 08:29 AM
Do you mind posting your config? I can't seem to be able to test my LDAP settings.
Thanks