AnyConnect VPN with LDAP integration

TuralLachinov
Level 1

Hello All,

I am trying to configure AnyConnect VPN and to integrate it with Microsoft AD LDAP.

Actually, everything is working fine.

But I want to assign different IP addresses to the clients based on the group-policy and OU. Unfortunately, I could not configure it yet.

Every time the client connects, it obtains an address from the same pool.

This means that the group-policy and tunnel-group for the different client users are not working.

Would you please share your experiences on how to integrate that and assign addresses from different pools for the clients?

Here is the config

===============

! LDAP connection
! (note: the attribute map "test" is defined here but never applied to the
!  aaa-server host, which would need "ldap-attribute-map test" under it)
ldap attribute-map test
  map-name memberOf IETF-Radius-Class
! (typo "memmberOf" corrected to memberOf above)
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_AUTHENT protocol ldap
aaa-server LDAP_AUTHENT (inside) host x.x.x.x
  ldap-base-dn dc=megafontj,dc=tj
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn cn=admin,cn=Users,dc=megafontj,dc=tj
  server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client

------------------------------------------------------------------------------------------

! default group policy and default tunnel group (pool SSL-POOL)
group-policy DfltGrpPolicy attributes
  dns-server value x.x.x.x
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VIP-SPLIT
  default-domain value cisco
  split-dns value x.x.x.x
tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool (inside) SSL-POOL
  address-pool SSL-POOL
  authentication-server-group LDAP_AUTHENT
  authentication-server-group (inside) LDAP_AUTHENT
  authorization-server-group LDAP_AUTHENT
  authorization-server-group (inside) LDAP_AUTHENT
  authorization-required

-------------------------------------------------------------------------------------------------------

! second tunnel group (pool VIP-POOL) and group policy "test"
! (note: nothing ties group-policy "test" to this tunnel group or to an LDAP
!  group: there is no "default-group-policy test" here and no map-value entry
!  in the attribute map, so users still land in the default policy and pool)
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
  address-pool VIP-POOL
  authentication-server-group LDAP_AUTHENT
  authentication-server-group (inside) LDAP_AUTHENT
  authorization-server-group LDAP_AUTHENT
  authorization-server-group (inside) LDAP_AUTHENT
  authorization-required
group-policy test attributes
  dns-server value x.x.x.x
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT
  default-domain value cisco
  split-dns value x.x.x.x

======================================================================

Why are the clients with different user names and passwords not obtaining addresses from different pools?

Every time they obtain one from the default tunnel group...((

Please help

Kindly Tural

8 Replies

Maks12481
Level 1

Hello Tural!

In my infrastructure I assign IP addresses personally to each user in the user's properties on the Dial-In tab. You should check "static IP address" and enter the address you want to assign to the user.

And also you should add the following line to your ldap attribute map:

  map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

After that the Cisco gets the IP address from the user's properties itself and assigns it to the connecting client.

Good luck!

Max

Hello Max,

Thank you for your response.

In my infrastructure my clients are connecting from the outside, and after successful authorization they are assigned an IP address based on the group policy and LDAP OU.

But I don't know why it is not working; maybe my config is not correct. Every time the address is assigned only from DefaultWEBVPNGroup, which is SSL-POOL, but my user is in another OU.

One more issue is that when I delete the tunnel group DefaultWEBVPNGroup, the user cannot connect; it says VPN is not enabled...

Kindly Tural

Hello Tural,

Also in my configuration I used the following entry in my ldap attribute-map to determine which group policy the connecting user goes to:

  map-value memberOf "CN=Vpn Users,DC=your,DC=domain" GroupPolicy_ciscoAnyconnect

As I know, it is possible to assign different pools to different group policies, but as I understand (not sure) all users connecting via AnyConnect go to DefaultWEBVPNGroup.

So try to use this entry in your configuration and let me know if this helps.

Good luck!

Max!
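A complete version of the approach Max describes, as an added example that is not Max's or Tural's own configuration: the attribute map sends each AD group to its own group policy, each group policy carries its own address pool, and the default tunnel group falls through to a policy that denies logins, so no group alias or user-selected group is needed. All names, DNs and addresses below are placeholders.

```cisco
! map the AD memberOf attribute onto the ASA Group-Policy attribute and
! translate each group DN into a group-policy name; a user in more than one
! mapped group gets whichever mapped value is processed first, so keep the
! mapped groups disjoint
ldap attribute-map LDAP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-USERS
!
! the map only takes effect once it is applied to the LDAP host entry
aaa-server LDAP_AUTHENT protocol ldap
aaa-server LDAP_AUTHENT (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=svc-asa-ldap,cn=Users,dc=example,dc=com
 server-type microsoft
 ldap-attribute-map LDAP_MAP
!
! one pool per group policy; the pool selected by the group policy wins
! over the pool on the tunnel group
ip local pool POOL-ADMINS 10.10.1.1-10.10.1.50 mask 255.255.255.0
ip local pool POOL-USERS 10.10.2.1-10.10.2.200 mask 255.255.255.0
!
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ADMINS
!
group-policy GP-USERS internal
group-policy GP-USERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-USERS
!
! anyone who authenticates but matches no mapped group lands here and is
! refused, instead of silently getting the default pool
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AUTHENT
 default-group-policy GP-NOACCESS
```

With the map applied, "debug ldap 255" during a test login shows the memberOf values returned by AD and the group policy the ASA selects, which is the quickest way to confirm the DN strings in the map-value lines match exactly.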

Hello Max,

I already achieved it: my users from different groups and from different LDAP OUs obtain their IP from the dedicated group-policy. On the login page you choose which group you want to connect to, then the username and password.

I did it by enabling group-alias under the tunnel-group's webvpn attributes.

Now I am thinking about how to restrict users from connecting to different groups..

Kindly Tural

Hello Tural,

That's why I disabled choosing the group and let the ASA decide which policy the user is connecting to.

Good luck!

Max.

Hello Max,

I would like to thank you for always responding to me, but I have been asked to disable choosing the group too!

But as I mentioned above, I don't know how to force the ASA to assign from different pools to different groups.

Can you please send me the configuration of your ASA?

Thank you for helping

Kindly Tural

chetanrana
Level 1

Hey Tural,

I am also trying to integrate the ASA with LDAP. Though I am able to fetch all the distribution lists present in AD, I am not able to form the correct attribute map to resolve the problem. Please guide me in solving the problem. I have gone through most of the online help material.

Hello Chetan Rana,

If you do not have the task of assigning from different pools to different groups, then it is easy,

but if you also have the same issue as me, then follow up.

Kindly Tural
