3266 Views | 0 Helpful | 3 Replies

AD Authentication with Security Groups for Cisco ASA Firewalls

burugudunski
Level 1

Hi All,

I'm currently testing SSL VPN using the AnyConnect client.

The requirements are

1. AD Authentication - Done and working

2. A specific group of users, selected via AD security groups, will be allowed to connect to the SSL VPN. Authentication is working; however, I'm not able to restrict users who are not part of the security group.

3. Different AD groups will have different VPN group policies (dependent on item 2 working).

I'm following this document from Cisco, but I'm not able to make it work, specifically the NO_ACCESS part.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

If you know of any other how-to guides, could you share the links with me? I can also share my test scripts from my lab.

Thank you,

3 Replies

Joel
Level 1

Hi,

Example:

ldap attribute-map anyconnect_map
  map-name  memberOf IETF-Radius-Class
  ! a user whose memberOf contains exactly this DN gets group-policy policy_anyconnect
  map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect

aaa-server LDAP_anyconnect protocol ldap
aaa-server LDAP_anyconnect (Inside) host 172.23.128.3
 ldap-base-dn DC=test,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password blah
 ldap-login-dn CN=test,OU=Service Accounts,DC=TEST,DC=COM
 server-type microsoft
 ldap-attribute-map anyconnect_map

! fallback policy: 0 simultaneous logins means the session is refused
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc ipsec webvpn

group-policy policy_anyconnect internal
group-policy policy_anyconnect attributes
 vpn-simultaneous-logins 250
 vpn-tunnel-protocol svc

! DEFINE OTHER GP SETTINGS

tunnel-group tg_anyconnect type remote-access
tunnel-group tg_anyconnect general-attributes
 address-pool anyconnect_VPN_pool
 authentication-server-group blah LOCAL
 authentication-server-group (Inside) blah LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect
 ! applied whenever the attribute map returns no group-policy
 default-group-policy NO_ACCESS
 authorization-required

Hope this helps. I've highlighted the settings, which hopefully makes it easier to follow.

Joel

Hi Joel! 

Thank you so much. I will try this out, but I hope you don't mind some questions.

I understand this section:

"map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect"

It will call group policy "policy_anyconnect" if the user is part of "GRP-anyconnect", but it is unclear to me how or when the NO_ACCESS group policy will be applied.

Thanks again!

The ASA config I posted was for version 8.2, and the LDAP attribute has changed slightly:

ldap attribute-map anyconnect_map
  map-name  memberOf Group-Policy

The default policy 'NO_ACCESS' is there to deny access if there's no successful authentication or authorisation. The config below actually used a different authentication method (not LDAP), in fact Kerberos, and you only had to be a domain user to authenticate. Without the authorization-server-group statement you were permitted. To ensure only relevant users log in, the authorisation uses the LDAP_anyconnect AAA group. The LDAP_anyconnect AAA group contains the LDAP map, and if you're not in the AD group specified in the map you get NO_ACCESS, AKA denied. If there's no group-policy statement the default group policy applies, and if that's not set to 0 VPN connections you will be permitted, so you are in fact doing an explicit deny (probably the best way I can put it). If you are in the AD group, group policy policy_anyconnect is applied and you connect.

 authentication-server-group kerberos LOCAL
 authentication-server-group (Inside) kerberos LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect

Does that answer your question?

Joel
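The decision Joel describes in both replies (map a memberOf DN to a group-policy, fall back to the tunnel-group's default-group-policy, and let NO_ACCESS with 0 simultaneous logins do the deny) can be modelled offline. The following is an added example, not code from this thread or from Cisco. It parses a constructed ASA config fragment modelled on the one above (using the Group-Policy attribute name from the second reply, plus a second GRP-admins / policy_admins mapping that is invented here to show a user in two mapped groups), then runs constructed users through it. It assumes memberOf values are compared to the map-value DN as exact strings, that the first map-value in config order wins when several match (a modelling choice), and that a group-policy without a vpn-simultaneous-logins line uses the ASA default of 3.

```python
"""Model of how an ASA picks an AnyConnect group-policy from an LDAP attribute-map,
and why a default-group-policy of NO_ACCESS (0 logins) denies everyone the map
does not match.  Added example, not from the thread or from Cisco.

Assumptions (not stated in the thread):
  - memberOf values are compared to the map-value DN as exact strings, so the
    DN must match what AD returns character for character, case included.
  - if a user is in several mapped groups, the first map-value in config order
    wins (modelling choice; confirm on a real box with 'debug ldap 255').
  - a group-policy with no vpn-simultaneous-logins line uses the ASA default of 3.
"""
import re
from dataclasses import dataclass

# Constructed ASA config modelled on the thread, trimmed to the lines this script
# reads.  The GRP-admins / policy_admins mapping is invented for this example.
ASA_CONFIG = """
ldap attribute-map anyconnect_map
  map-name  memberOf Group-Policy
  map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect
  map-value memberOf "CN=GRP-admins,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_admins

group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0

group-policy policy_anyconnect internal
group-policy policy_anyconnect attributes
 vpn-simultaneous-logins 250

group-policy policy_admins internal
group-policy policy_admins attributes
 vpn-simultaneous-logins 5

tunnel-group tg_anyconnect type remote-access
tunnel-group tg_anyconnect general-attributes
 authorization-server-group LDAP_anyconnect
 default-group-policy NO_ACCESS
 authorization-required
"""

MAP_VALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+"([^"]+)"\s+(\S+)\s*$')
GP_ATTR_RE = re.compile(r'^group-policy\s+(\S+)\s+attributes\s*$')
SIM_LOGINS_RE = re.compile(r'^\s+vpn-simultaneous-logins\s+(\d+)\s*$')
DEFAULT_GP_RE = re.compile(r'^\s+default-group-policy\s+(\S+)\s*$')
ASA_DEFAULT_SIMULTANEOUS_LOGINS = 3  # assumption: ASA default when the line is absent


@dataclass
class PolicyConfig:
    map_values: list           # (ldap attribute, DN, group-policy) in config order
    simultaneous_logins: dict  # group-policy name -> vpn-simultaneous-logins
    default_group_policy: str


def parse_asa_config(text):
    """Extract the attribute-map, per-group-policy login limits and the
    tunnel-group default policy from a running-config fragment."""
    map_values, logins, default_gp, current_gp = [], {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # top-level command: remember which group-policy block we are inside
            m = GP_ATTR_RE.match(line)
            current_gp = m.group(1) if m else None
            continue
        if m := MAP_VALUE_RE.match(line):
            map_values.append((m.group(1), m.group(2), m.group(3)))
        elif (m := SIM_LOGINS_RE.match(line)) and current_gp:
            logins[current_gp] = int(m.group(1))
        elif m := DEFAULT_GP_RE.match(line):
            default_gp = m.group(1)
    return PolicyConfig(map_values, logins, default_gp)


def authorize(cfg, member_of):
    """Pick the group-policy for a user whose memberOf holds the DNs in member_of.
    Returns (group_policy, allowed, reason)."""
    chosen = cfg.default_group_policy
    reason = "no map-value matched, default-group-policy applied"
    for attribute, dn, group_policy in cfg.map_values:
        if attribute == "memberOf" and dn in member_of:  # exact-match assumption
            chosen, reason = group_policy, f"memberOf matched {dn}"
            break
    limit = cfg.simultaneous_logins.get(chosen, ASA_DEFAULT_SIMULTANEOUS_LOGINS)
    return chosen, limit > 0, reason


# Constructed users and groups; memberOf values as AD would return them.
GRP_ANYCONNECT = "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com"
GRP_ADMINS = "CN=GRP-admins,OU=Security Groups,OU=Groups,DC=test,DC=com"
GRP_STAFF = "CN=GRP-staff,OU=Security Groups,OU=Groups,DC=test,DC=com"  # unmapped
USERS = {
    "alice": [GRP_STAFF, GRP_ANYCONNECT],              # in the VPN group
    "bob": [GRP_STAFF],                                # valid domain user, no VPN group
    "carol": [GRP_STAFF, GRP_ADMINS, GRP_ANYCONNECT],  # in both mapped groups
    "dave": [GRP_STAFF, GRP_ANYCONNECT.lower()],       # DN case differs from map-value
}


def evaluate_users(config_text=ASA_CONFIG, users=USERS):
    cfg = parse_asa_config(config_text)
    return {name: authorize(cfg, groups) for name, groups in users.items()}


if __name__ == "__main__":
    for name, (policy, allowed, reason) in evaluate_users().items():
        print(f"{name:6} -> {policy:18} {'ALLOW' if allowed else 'DENY':5} ({reason})")
```

The interesting rows are bob and dave: bob authenticates fine as a domain user but, with nothing matching in the map, lands in NO_ACCESS and is refused, which is exactly the explicit deny Joel describes; dave shows why the DN in map-value has to be copied verbatim from what AD returns (under the exact-match assumption a case difference is enough to fall through to NO_ACCESS). On a real ASA, `debug ldap 255` shows the memberOf values received and which map-value, if any, was applied.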