08-15-2012 06:22 AM - edited 03-11-2019 04:42 PM
We have an ASA 5520 configured with Premium SSL VPN licenses. We've configured clientless and client-based SSL VPN access. The VPN users are authenticated against a 2008 AD domain via a 2008 MS RADIUS server. My question is "can the users belong to a client-based and clientless AD group"? If we put them in both AD groups only one works.
The ASA is running 8.3(2), but we will be upgrading to 8.4(4-1) soon.
We also have users in Admin AD groups who can do both clientless and client-based VPN connections without even being in the client-based or clientless AD groups. We haven't made any mapping of any admin groups from the ASA to RADIUS and then to AD. Is this normal?
08-15-2012 09:54 AM
Hi,
Can you please share the configs of your ASA, because I do feel you could have given full privileged access for the admin in your AD server.
Please do rate if the given info helps.
By
Karthik
08-15-2012 11:50 AM
aaa-server RADIUS protocol radius
aaa-server RADIUS (LAN) host 10.20.1.4
 key *****
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
webvpn
 enable CMS
 svc image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2 regex "Intel Mac OS X"
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec 
group-policy VPN_Email_Only internal
group-policy VPN_Email_Only attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 group-lock value CL_Email_Only_CxProf
 webvpn
  url-list value Email_Only
  customization value Email_Only_Customization
group-policy VPN_Client_Based internal
group-policy VPN_Client_Based attributes
 wins-server none
 dns-server value 10.20.1.2 10.20.1.3
 dhcp-network-scope 10.20.95.0
 vpn-idle-timeout none
 vpn-tunnel-protocol svc 
 group-lock value CB_Full_VPN_CxProf
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 default-domain value ***Deleted***.com
 webvpn
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc compression none
  svc modules none
  customization value Client_Based_Customization
  url-entry disable
  svc df-bit-ignore disable
  always-on-vpn profile-setting
group-policy VPNUsers internal
group-policy VPNUsers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 group-lock value CL_Full_VPN_CxProf
 webvpn
  url-list value Full_VPN
  customization value Clientless_Customization
username inghrjt password ***Deleted*** encrypted privilege 0
tunnel-group CL_Full_VPN_CxProf type remote-access
tunnel-group CL_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPNUsers
 dhcp-server 10.20.1.4
 password-management
tunnel-group CL_Full_VPN_CxProf webvpn-attributes
 customization Clientless_Customization
 group-alias Clientless enable
 group-url https://***Deleted***/CL enable
 group-url https://***Deleted***/cl enable
 group-url https://***Deleted***/CL enable
 group-url https://***Deleted***/cl enable
tunnel-group CL_Email_Only_CxProf type remote-access
tunnel-group CL_Email_Only_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Email_Only
 dhcp-server 10.20.1.4
 password-management
tunnel-group CL_Email_Only_CxProf webvpn-attributes
 customization Email_Only_Customization
 group-alias Email enable
 group-url https://***Deleted***/EMAIL enable
 group-url https://***Deleted***/email enable
 group-url https://***Deleted***/EMAIL enable
 group-url https://***Deleted***/email enable
tunnel-group CB_Full_VPN_CxProf type remote-access
tunnel-group CB_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Client_Based
 dhcp-server 10.20.1.4
 password-management
tunnel-group CB_Full_VPN_CxProf webvpn-attributes
 group-alias Client enable
 group-url https://***Deleted***/CB enable
 group-url https://***Deleted***/cb enable
 group-url https://***Deleted***/CB enable
 group-url https://***Deleted***/cb enable
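Added example (editor's code, not from the original post, from Cisco, or from any reply in the thread): a small audit script that parses the config excerpt posted above and reports, for each remote-access tunnel-group, where the "which AD group may use this tunnel-group" decision is actually made. The embedded config is a trimmed copy of the posted one (keys and hostnames were already redacted there); the audit rules and their names are the editor's own. The one ASA mechanism the script refers to that is not in the post is the standard way of assigning a group-policy from RADIUS, an IETF Class attribute (25) of the form `OU=<group-policy-name>;`. What the check surfaces in this config: every tunnel-group has `authentication-server-group RADIUS` and no `authorization-server-group`, so the ASA only learns whether the password was accepted, and each `group-lock` names the tunnel-group that already hands out that policy.

```python
# Added audit example for this thread (editor's code, not from the post or Cisco).
# Parses an ASA running-config excerpt and reports per remote-access tunnel-group
# where AD-group enforcement happens. Audit rules are the editor's own.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: trimmed from the config posted in the thread.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy VPN_Email_Only internal
group-policy VPN_Email_Only attributes
 vpn-tunnel-protocol webvpn
 group-lock value CL_Email_Only_CxProf
group-policy VPN_Client_Based internal
group-policy VPN_Client_Based attributes
 vpn-tunnel-protocol svc
 group-lock value CB_Full_VPN_CxProf
group-policy VPNUsers internal
group-policy VPNUsers attributes
 vpn-tunnel-protocol webvpn
 group-lock value CL_Full_VPN_CxProf
tunnel-group CL_Full_VPN_CxProf type remote-access
tunnel-group CL_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPNUsers
tunnel-group CL_Email_Only_CxProf type remote-access
tunnel-group CL_Email_Only_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Email_Only
tunnel-group CB_Full_VPN_CxProf type remote-access
tunnel-group CB_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Client_Based
"""

@dataclass
class GroupPolicy:
    name: str
    protocols: Set[str] = field(default_factory=set)
    group_lock: Optional[str] = None

@dataclass
class TunnelGroup:
    name: str
    auth_server: Optional[str] = None      # authentication-server-group
    authz_server: Optional[str] = None     # authorization-server-group (absent in the post)
    default_policy: str = "DfltGrpPolicy"  # the ASA falls back to this when none is set

def parse_config(text: str) -> Tuple[Dict[str, GroupPolicy], Dict[str, TunnelGroup]]:
    """Walk the config line by line; indented lines belong to the last header seen."""
    policies: Dict[str, GroupPolicy] = {}
    groups: Dict[str, TunnelGroup] = {}
    current = None
    for raw in text.splitlines():
        raw = raw.rstrip()
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # a new top-level header
            current = None
            m = re.match(r"group-policy (\S+) attributes$", raw)
            if m:
                current = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
                continue
            m = re.match(r"tunnel-group (\S+) type remote-access$", raw)
            if m:
                groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", raw)
            if m:
                current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if current is None:                     # indented line under a header we ignore
            continue
        words = raw.split()
        if isinstance(current, GroupPolicy):
            if words[0] == "vpn-tunnel-protocol":
                current.protocols.update(words[1:])
            elif words[:2] == ["group-lock", "value"]:
                current.group_lock = words[2]
        else:
            if words[0] == "authentication-server-group":
                current.auth_server = words[-1]
            elif words[0] == "authorization-server-group":
                current.authz_server = words[-1]
            elif words[0] == "default-group-policy":
                current.default_policy = words[-1]
    return policies, groups

Finding = Tuple[str, str, str]  # (tunnel-group, rule id, explanation)

def audit(policies: Dict[str, GroupPolicy], groups: Dict[str, TunnelGroup]) -> List[Finding]:
    findings: List[Finding] = []
    for tg in groups.values():
        gp = policies.get(tg.default_policy, GroupPolicy(tg.default_policy))
        # Rule 1: authentication with no authorization step. The ASA only learns
        # "password accepted / rejected"; AD group membership is enforced only if the
        # RADIUS (NPS) policy conditions do it or RADIUS returns Class "OU=<policy>;".
        if tg.auth_server and tg.authz_server is None:
            findings.append((tg.name, "no-asa-authorization",
                f"authentication-server-group {tg.auth_server} only; the ASA does not check "
                f"AD groups itself. Have RADIUS return Class \"OU={gp.name};\" for users "
                f"allowed here and reject everyone else"))
        # Rule 2: a group-lock naming the tunnel-group that already assigned the policy
        # restricts nothing; the user is in that tunnel-group by the time it is checked.
        if gp.group_lock == tg.name:
            findings.append((tg.name, "tautological-group-lock",
                f"{gp.name} is locked to {tg.name}, which already assigns it as "
                f"default-group-policy; the lock only bites once RADIUS assigns {gp.name} "
                f"to a user who tries a different tunnel-group"))
        # Rule 3: what a successful login on this tunnel-group is actually granted.
        findings.append((tg.name, "protocols", " ".join(sorted(gp.protocols)) or "(none)"))
    return findings

if __name__ == "__main__":
    pols, tgs = parse_config(SAMPLE_CONFIG)
    for tg_name, rule, why in audit(pols, tgs):
        print(f"{tg_name:22} {rule:24} {why}")
```

Run it against a full `show running-config` dump to get the same table for every tunnel-group; the `authorization-server-group` field stays empty for all three tunnel-groups in the posted excerpt, which is the line to look at first when asking why an account outside the VPN AD groups can still log in on either tunnel-group.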
08-21-2012 07:26 AM
Any thoughts on why the admin AD users can connect to client and clientless without being in the client and/or clientless AD groups with specific VPN permission?