Beginner

ASA VPN LDAP group access

Hello, I have configured remote access VPN on an ASA with LDAP authentication, but I can't limit VPN access to a specific LDAP group.

Here is my config:

aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
ldap-base-dn dc=company, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Netuser, ou=Services users, ou=ASM HQ, dc=company, dc=com
server-type microsoft
ldap-attribute-map AZPBTDC01

ldap attribute-map AZPBTDC01
map-name memberOf Group-Policy
map-value memberOf "CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP


group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client
address-pools none

group-policy RA_ADMIN_GP internal
group-policy RA_ADMIN_GP attributes
dns-server value 192.168.10.251
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSEC_RA_ACL_ADMIN

tunnel-group DefaultRAGroup general-attributes
default-group-policy NOACCESS

tunnel-group IPSEC_RA_ADMIN type remote-access
tunnel-group IPSEC_RA_ADMIN general-attributes
authentication-server-group AZPBTDC01 LOCAL
authorization-server-group AZPBTDC01
default-group-policy RA_ADMIN_GP

The problem is that all domain users can connect to the VPN. The ASA does not filter on group assignment: non-VPN_Admin group users can connect, but they should not be able to connect.


3 REPLIES
VIP Advisor

While it is possible to make that approach work, I wouldn't do it that way.  Instead use DAP (Dynamic Access Policy).

The instructions for it are here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

Search for "Active Directory group" to jump directly to the relevant section.  Note you may need two DAP policies.  One to match users in VPN_Admin, and another default policy to deny access to everyone else.

Note for the default "deny" policy I often make it pop up a message to the end user saying they don't have VPN access and to contact xxx if they want to arrange it.


Beginner

Hello Philip,

I will try your solution also. For now Diego's answer is right. Thank you all.

Beginner

Hello,

If the users are connecting to the tunnel-group IPSEC_RA_ADMIN they will still have access because the default group policy on that connection profile is RA_ADMIN_GP.

You need to set the NOACCESS group policy on IPSEC_RA_ADMIN; the mapping will be effective for the members of VPN_Admin, and the rest of the users will get the NOACCESS group policy.

Configure this and test it out:

tunnel-group IPSEC_RA_ADMIN general-attributes

default-group-policy NOACCESS

Regards, please rate.

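To see why the connection profile's default-group-policy decides the outcome, here is an added Python model of the selection the thread describes (this is illustration code, not Cisco's code and not posted by anyone in the thread): a user whose memberOf value matches a map-value in the ldap attribute-map gets the mapped group-policy, anyone else gets the connection profile's default-group-policy, and a group-policy with vpn-simultaneous-logins 0 cannot be used to log in. The sample users, their memberOf values and the lower-casing of DNs before comparison are assumptions of the model; it applies the first matching memberOf value and says nothing about how a real ASA orders multiple matches.

```python
"""Model of ASA group-policy selection via an LDAP attribute map.

Added illustration, not Cisco code. It reproduces only the decision the
thread is about: mapped memberOf value -> mapped group-policy, otherwise
the tunnel-group's default-group-policy; vpn-simultaneous-logins 0 denies.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class GroupPolicy:
    """Subset of 'group-policy <name> attributes' that decides whether a login proceeds."""
    name: str
    simultaneous_logins: int  # vpn-simultaneous-logins; 0 means nobody can log in with it


@dataclass(frozen=True)
class TunnelGroup:
    """Subset of 'tunnel-group <name> general-attributes'."""
    name: str
    default_group_policy: str


class AttributeMap:
    """Models 'ldap attribute-map' with 'map-name memberOf Group-Policy' plus map-value lines."""

    def __init__(self, name: str, map_values: Dict[str, str]):
        self.name = name
        # Lower-case DNs so the comparison does not depend on how AD returned them
        # (an assumption of this model, not a statement about ASA internals).
        self._values = {dn.lower(): gp for dn, gp in map_values.items()}

    def lookup(self, member_of: List[str]) -> Optional[str]:
        """Group-policy for the first memberOf value that matches a map-value, else None."""
        for dn in member_of:
            mapped = self._values.get(dn.lower())
            if mapped is not None:
                return mapped
        return None


def select_group_policy(member_of: List[str], attr_map: AttributeMap,
                        tunnel_group: TunnelGroup) -> str:
    """Mapped policy wins; otherwise the connection profile's default applies."""
    mapped = attr_map.lookup(member_of)
    return mapped if mapped is not None else tunnel_group.default_group_policy


def login_allowed(member_of: List[str], attr_map: AttributeMap,
                  tunnel_group: TunnelGroup, policies: Dict[str, GroupPolicy]) -> bool:
    """A user can only connect if the selected policy permits at least one login."""
    policy = policies[select_group_policy(member_of, attr_map, tunnel_group)]
    return policy.simultaneous_logins > 0


# Constructed sample data mirroring the thread's configuration.
POLICIES = {
    "RA_ADMIN_GP": GroupPolicy("RA_ADMIN_GP", 3),
    "NOACCESS": GroupPolicy("NOACCESS", 0),
}
ATTR_MAP = AttributeMap("AZPBTDC01", {
    "CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com": "RA_ADMIN_GP",
})
# Constructed memberOf values, as an AD server might return them (assumed).
ADMIN_USER = ["CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com",
              "CN=Domain Users,CN=Users,DC=company,DC=com"]
PLAIN_USER = ["CN=Domain Users,CN=Users,DC=company,DC=com"]

ORIGINAL = TunnelGroup("IPSEC_RA_ADMIN", "RA_ADMIN_GP")  # as posted in the question
FIXED = TunnelGroup("IPSEC_RA_ADMIN", "NOACCESS")        # the change proposed above


def evaluate(tunnel_group: TunnelGroup) -> Dict[str, bool]:
    """Who can log in under a given connection profile."""
    return {
        "admin": login_allowed(ADMIN_USER, ATTR_MAP, tunnel_group, POLICIES),
        "plain": login_allowed(PLAIN_USER, ATTR_MAP, tunnel_group, POLICIES),
    }


if __name__ == "__main__":
    for label, tg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, evaluate(tg))
```

With the posted configuration both users are allowed in, because a user with no matching memberOf value simply inherits RA_ADMIN_GP from the connection profile; with NOACCESS as the default, only the VPN_Admin member is mapped to a policy that permits a login.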
