cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

2210
Views
0
Helpful
3
Replies
Beginner

AD Authentication with Security Groups for Cisco ASA Firewalls

Hi All,

I'm currently testing on ssl vpn using anyconnect client. 

The requirements are

1. AD Authentication - Done and working

2. Specific group of users using AD security groups will be allowed to connect to ssl vpn - Authentication is working however, I'm not able to restrict the user that is not part of the security group. 

3. Different AD Groups will have different VPN Group policies - dependent on Item 2 working 

I'm following this document from Cisco but I'm not able to make it work, specifically the NO_ACCESS part. 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

If you guys know any other how to guides could you share me the links? I can share also my test scripts from my lab. 

Thank you,

3 REPLIES 3
Highlighted
Beginner

Hi,

Hi,

Example:

ldap attribute-map anyconnect_map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect

aaa-server LDAP_anyconnect ldap
aaa-server LDAP_anyconnect (Inside) host 172.23.128.3
 ldap-base-dn DC=test,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password blah
 ldap-login-dn CN=test,OU=Service Accounts,DC=TEST,DC=COM
 server-type microsoft
 ldap-attribute-map anyconnect_map

group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc ipsec webvpn

group-policy policy_anyconnect internal
group-policy policy_anyconnect attributes
 vpn-simultaneous-logins 250
 vpn-tunnel-protocol svc

DEFINE OTHER GP SETTINGS

tunnel-group tg_anyconnect type remote-access
tunnel-group tg_anyconnect general-attributes
 address-pool anyconnect_VPN_pool
 authentication-server-group blah LOCAL
 authentication-server-group (Inside) blah LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect
 default-group-policy NO_ACCESS
 authorization-required

Hope this helps - I've highlighted settings hopefully making it easier to follow.

Joel

Beginner

Hi Joel! 

Hi Joel! 

Thank you so much..I will try this out but hope you don't mind some questions

I understand this section

"map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com"policy_anyconnect"

it will call group policy "policy_anyconnect" if the user is part of the "GRP-anyconnect". but it is unclear to me how or when the NO_ACCESS group policy will be applied.

Thanks again!

Beginner

The ASA config I posted was

The ASA config I posted was version 8.2 and the ldap attribute has slightly changed

ldap attribute-map anyconnect_map

map-name  memberOf Group-Policy

The default policy 'NO_ACCESS' is to deny access if there's no successful authentication or authorisation. The config below actually used a different authentication method (not ldap) in fact kerberos and you only had to be a domain user to authenticate. Without the authorisation-server-group statement you were permitted. To ensure only relevent users login, the authorisation uses the LDAP_anyconnect AAA group. The LDAP_anyconnect AAA group contains the ldap map, and If you're not in the AD group  specified in the map you get the NO_ACCESS AKA denied - if there's no group-policy statement the default group policy applies and if that's not set to 0 VPN connections you will be permitted - you are in fact doing an explicit deny (probably the best way I can put it). If you are in the AD group apply group policy policy_anyconnect and connect.

 authentication-server-group kerberos LOCAL
 authentication-server-group (Inside) kerberos LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect

Does that answer your question?

Joel

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here