Cisco ASA Anyconnect group-lock

mateusz.marciniak@exanet.pl · ‎07-22-2019

Dear Cisco Community,

I have a question about group-lock function with Webvpn on Cisco ASA.

I try to configure group lock but I have a situation if have one user with two VPN group on MS server connect to ASA via LDAP and have two independent ldap mapping to vpn group on ASA, have crate tunnel-group with group alias and group-url

I have trouble because when I have configure group-lock on both groups and user login only to first group and when I try connect to second group I have that log:

Group <WEBVPN_1> User <exapmle> IP <x.x.x.x> Terminating the VPN connection attempt from <WEBVPN_2>. Reason: This connection is group locked to <WEBVPN_1>

But when I delete group-lock user have only login to the first group without difference witch group URL is in used

Rahul Govindan · ‎07-23-2019

My guess is that when the user logs in to the second Tunnel-group (Connection profile), he is still getting assigned to the first group-policy. This is expected if you are using LDAP attribute mapping. Since both AD groups are returned by the LDAP server when the user authenticates, the mapping chooses based on alphabetical order. This is explained here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc9

I think you will always run into this limitation if you use LDAP as the AAA server. If you have a RADIUS server, you can use Tunnel-group RADIUS attributes that the ASA sends to make a decision on what group-policy to assign to the user.

Another option is to use DAP to assign attributes to users such as VPN filter. But there are differences from ldap attribute mappings as DAP cannot assign a group-policy and it takes effect for all remote access users.