Remote Access VPN on ASA - Authentication using LDAP Server

Michael McGrath
Level 1

Hello, I have configured remote access vpn on asa with ldap authentication. But I can't limit vpn access with specific ldap group.

Here is my config:

ldap attribute-map VPN_GP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Alternate VPN HR Users,OU=Groups,DC=internal,DC=company,DC=com" HRVPN
 map-value memberOf "CN=Alternate VPN Users,OU=Groups,DC=internal,DC=company,DC=com" VPNUsers

aaa-server VPN_LDAP protocol ldap
aaa-server VPN_LDAP (INSIDE) host 192.168.1.1
 ldap-base-dn dc=internal,dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap_vpn@internal.company.com
 server-type microsoft
 ldap-attribute-map VPN_GP_MAP

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools none

group-policy VPNUsers internal
group-policy VPNUsers attributes
 wins-server none
 dns-server value 192.168.1.1
 vpn-idle-timeout 30
 vpn-session-timeout 480
 vpn-tunnel-protocol ikev2 ssl-client
 group-lock value LDAP_VPN_GROUP
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value company.com
 split-dns value internal.company.com
 split-tunnel-all-dns enable
 client-bypass-protocol enable
 address-pools value VPNPool
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value VPNprofile type user

group-policy HRVPN internal
group-policy HRVPN attributes
 wins-server none
 dns-server value 192.168.1.1
 vpn-idle-timeout 30
 vpn-session-timeout 480
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelall
 default-domain value internal.company.com
 split-tunnel-network-list value Split_Tunnel_List
 split-dns value internal.company.com
 split-tunnel-all-dns enable
 client-bypass-protocol enable
 address-pools value HRVPNPool
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value VPNprofile type user

tunnel-group LDAP_VPN_GROUP type remote-access
tunnel-group LDAP_VPN_GROUP general-attributes
 address-pool VPNPool
 address-pool HRVPNPool
 authentication-server-group VPN_LDAP
 default-group-policy NOACCESS
tunnel-group LDAP_VPN_GROUP webvpn-attributes
 group-alias "(3) - Alternate" enable

The problem is, no domain users can connect to the VPN. If I change the default group policy for the tunnel-group to one of the group policies configured in the attribute-map, then all users have access to the VPN. The ASA does not filter group assignment: non-"Alternate VPN Users" (and non-"Alternate VPN HR Users") group users can connect, but they should not be able to connect. I'm starting to think my ldap attribute-map needs to be changed. I've seen other examples where they use other map-names and map-values. I've had this working in the past, but now it does not work as intended. I'm definitely missing something.

ASA version 9.9.2

Accepted Solution

Rahul Govindan
VIP Alumni

You are missing:

group-policy VPNUsers attributes
 vpn-simultaneous-logins 3

group-policy HRVPN attributes
 vpn-simultaneous-logins 3

Since you don't have this setting in the specific group-policy, it inherits this from the NOACCESS group-policy.

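To make the inheritance Rahul describes concrete, here is an added Python check (my own code, not from the thread or from Cisco) that parses a cut-down copy of the posted group-policy config, resolves each attribute through the user's mapped group-policy, then the tunnel-group's default-group-policy, then DfltGrpPolicy, and flags any policy that silently inherits vpn-simultaneous-logins 0. It assumes DfltGrpPolicy's platform default of 3 simultaneous logins and uses a deliberately simplified line parser that only understands the sections shown.

```python
import re
# Constructed fragment cut down from the thread's posted config (not a live device).
CONFIG = """
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 address-pools none
group-policy VPNUsers attributes
 address-pools value VPNPool
group-policy HRVPN attributes
 address-pools value HRVPNPool
tunnel-group LDAP_VPN_GROUP general-attributes
 default-group-policy NOACCESS
"""
def parse(config):
    """Return ({policy: {attr: value}}, {tunnel_group: default-group-policy})."""
    # DfltGrpPolicy ships with vpn-simultaneous-logins 3 (platform default, assumed here).
    policies = {"DfltGrpPolicy": {"vpn-simultaneous-logins": "3"}}
    defaults, section = {}, None
    for line in filter(str.strip, config.splitlines()):
        stripped = line.strip()
        if line.startswith(" ") and section:  # sub-mode command of the open section
            key, _, value = stripped.partition(" ")
            if section[0] == "gp":
                policies[section[1]][key] = value
            elif key == "default-group-policy":
                defaults[section[1]] = value
            continue
        gp = re.match(r"group-policy (\S+) attributes$", stripped)
        tg = re.match(r"tunnel-group (\S+) general-attributes$", stripped)
        section = ("gp", gp.group(1)) if gp else ("tg", tg.group(1)) if tg else None
        if gp:
            policies.setdefault(gp.group(1), {})
    return policies, defaults

def effective(policies, defaults, tunnel_group, policy, attr):
    """Resolve attr: mapped group-policy, then the tunnel-group default, then DfltGrpPolicy."""
    for name in (policy, defaults.get(tunnel_group), "DfltGrpPolicy"):
        if name and attr in policies.get(name, {}):
            return policies[name][attr], name
    return None, None

def audit_logins(policies, defaults, tunnel_group):
    """Flag group-policies whose effective vpn-simultaneous-logins is 0 (users mapped there are rejected)."""
    findings = {}
    for name in policies:
        if name == defaults.get(tunnel_group):
            continue  # the deny-all default policy is meant to be 0
        value, source = effective(policies, defaults, tunnel_group, name, "vpn-simultaneous-logins")
        if value == "0":
            findings[name] = source
    return findings
```

Running `audit_logins` over the fragment reports both VPNUsers and HRVPN as inheriting 0 from NOACCESS; adding `vpn-simultaneous-logins 3` to each, as the answer says, empties the report.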

2 Replies


You are absolutely right, it was inheriting the 0 logins from the default policy. Can't believe I was missing that, but I'm glad it's now working.

Thank you, sir
