01-11-2016 12:52 PM
Hi All,
I'm currently testing on ssl vpn using anyconnect client.
The requirements are
1. AD Authentication - Done and working
2. Only a specific group of users (AD security groups) will be allowed to connect to SSL VPN - Authentication is working, however I'm not able to restrict users who are not part of the security group.
3. Different AD Groups will have different VPN Group policies - dependent on Item 2 working
I'm following this document from Cisco but I'm not able to make it work, specifically the NO_ACCESS part.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
If you guys know any other how-to guides, could you share the links with me? I can also share my test scripts from my lab.
Thank you,
01-11-2016 01:31 PM
Hi,
Example:
ldap attribute-map anyconnect_map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect
!
aaa-server LDAP_anyconnect ldap
aaa-server LDAP_anyconnect (Inside) host 172.23.128.3
 ldap-base-dn DC=test,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password blah
 ldap-login-dn CN=test,OU=Service Accounts,DC=TEST,DC=COM
 server-type microsoft
 ldap-attribute-map anyconnect_map
!
! Users who match no map-value land here; 0 simultaneous logins = denied
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc ipsec webvpn
!
group-policy policy_anyconnect internal
group-policy policy_anyconnect attributes
 vpn-simultaneous-logins 250
 vpn-tunnel-protocol svc
 ! DEFINE OTHER GP SETTINGS
!
tunnel-group tg_anyconnect type remote-access
tunnel-group tg_anyconnect general-attributes
 address-pool anyconnect_VPN_pool
 authentication-server-group blah LOCAL
 authentication-server-group (Inside) blah LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect
 default-group-policy NO_ACCESS
 authorization-required
Hope this helps - I've highlighted settings hopefully making it easier to follow.
Joel
01-12-2016 08:41 AM
Hi Joel!
Thank you so much. I will try this out, but I hope you don't mind some questions.
I understand this section:
"map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect"
It will call group policy "policy_anyconnect" if the user is part of "GRP-anyconnect", but it is unclear to me how or when the NO_ACCESS group policy will be applied.
Thanks again!
01-12-2016 12:38 PM
The ASA config I posted was version 8.2, and the ldap attribute map has slightly changed since then:
ldap attribute-map anyconnect_map
 map-name memberOf Group-Policy
The default policy 'NO_ACCESS' is there to deny access if there's no successful authentication or authorisation. The config below actually used a different authentication method (not LDAP), in fact Kerberos, and you only had to be a domain user to authenticate. Without the authorisation-server-group statement you were permitted.
To ensure only relevant users log in, the authorisation uses the LDAP_anyconnect AAA group. The LDAP_anyconnect AAA group contains the LDAP map, and if you're not in the AD group specified in the map you get NO_ACCESS, AKA denied. If there's no group-policy statement the default group policy applies, and if that's not set to 0 VPN connections you will be permitted; you are in fact doing an explicit deny (probably the best way I can put it). If you are in the AD group, group policy policy_anyconnect is applied and you connect.
 authentication-server-group kerberos LOCAL
 authentication-server-group (Inside) kerberos LOCAL
 authorization-server-group LDAP
 authorization-server-group (Inside) LDAP_anyconnect
Does that answer your question?
Joel
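As an added example (not Joel's config or any Cisco code), here is a small Python model of the decision described above: it parses the posted attribute map and group policies, then shows which policy a given user lands in and whether NO_ACCESS actually blocks them, including the trap where the tunnel-group default is left at a permissive policy. The config string is constructed from the thread; first-match ordering across a user's memberOf values and the ASA default of 3 simultaneous logins when the attribute is unset are assumptions.

```python
import re

# Constructed ASA snippet mirroring the thread's 8.2 config
# (memberOf -> IETF-Radius-Class; 8.4+ maps memberOf -> Group-Policy instead).
ASA_CONFIG = """
ldap attribute-map anyconnect_map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=GRP-anyconnect,OU=Security Groups,OU=Groups,DC=test,DC=com" policy_anyconnect
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
group-policy policy_anyconnect attributes
 vpn-simultaneous-logins 250
tunnel-group tg_anyconnect general-attributes
 default-group-policy NO_ACCESS
"""

def parse_asa(config):
    """Return (map_values, simultaneous_logins, default_policy) from the snippet."""
    map_values, logins, default_policy, current_gp = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'map-value memberOf "([^"]+)" (\S+)', line)
        if m:
            map_values[m.group(1).lower()] = m.group(2)  # DN comparison is case-insensitive
            continue
        m = re.match(r'group-policy (\S+) attributes', line)
        if m:
            current_gp = m.group(1)
            continue
        m = re.match(r'vpn-simultaneous-logins (\d+)', line)
        if m and current_gp:
            logins[current_gp] = int(m.group(1))
            continue
        m = re.match(r'default-group-policy (\S+)', line)
        if m:
            default_policy = m.group(1)
    return map_values, logins, default_policy

def authorize(member_of, config=ASA_CONFIG):
    """Pick the group-policy for a user's memberOf DNs and say whether the login is allowed."""
    map_values, logins, default_policy = parse_asa(config)
    # First memberOf value that matches a map-value wins; otherwise the tunnel-group default.
    policy = next((map_values[dn.lower()] for dn in member_of if dn.lower() in map_values),
                  default_policy)
    # The ASA refuses the session when the applied policy allows 0 simultaneous logins.
    # Assumption: a policy with no explicit setting inherits the ASA default of 3.
    return policy, logins.get(policy, 3) > 0
```

Swapping the default to DfltGrpPolicy in the config string shows why an unmapped domain user still gets in when NO_ACCESS is not the tunnel-group default.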