AD enrollment when connected via AnyConnect client

bberry
Level 1

I am not even sure if the question description is accurate. I am trying to see if this is even possible with or through the AnyConnect client as I do not see how it can be.

I guess the root question is how does a user get authenticated to Active Directory when they connect via VPN? I know I am using Active Directory to validate things as part of connecting to the VPN but that is not the same as logging into Active Directory or the domain. Is that what is actually needed here?

Issue:

We use a network based firewall for our internet access for corporate users. Access is based upon what AD group a specific user belongs to as each group has different white and black lists of sites or categories of sites that group can access. With a user actually logged onto the network from their desk we can say yes you have access to dropbox because you are in group ABC.

The issue arises when that same user connects to the network via the AnyConnect client. Since they are not actually "logging onto" the network they are not associated with any specific Active Directory groups. Thus we cannot tell they are in group ABC and this means that the firewall automatically places them into the "default" group since it is unable to determine anything from their Active Directory information.

I have attached the comments from our provider with a display of what they see. Their recommendation is to get Group authentication working with the Cisco AnyConnect client and this issue will resolve itself. Is that possible with or through the client? If so can someone point me in the direction of a configuration guide or sample that will explain how?

Here is what our provider sees. The first connected to the LAN and the second connected to the VPN.

User is not able to access dropbox.com


Only users in the URL-Marketing Exceptions profile are allowed to access dropbox.com and the user is in the group but still can't access.


The reason is that when the user is coming in through the CISCO AnyConnect VPN his userid / group is not being identified. 

slogtime=2015-06-19T15:47:10+0000 host=nbfkord-fgat21 date=2015-06-19 time=15:47:10 devname=nbfkord-fgat21 device_id=FG-5KB3E13700049 log_id=0316013056
type=webfilter subtype=ftgd_blk pri=warning vd="NBFMUE01F" policyid=13
identidx=0 serial=69479418 user="N/A" group="N/A" src=192.168.7.93 sport=62248
src_port=62248 src_int="NBFMUE01F-South" dst=108.160.172.200 dport=443 dst_port=443 dst_int="NBFMUE01F-North" service="https" hostname="dropbox.com"
profiletype="Webfilter_Profile" profilegroup="N/A" profile="URL_Guest" status="blocked" req_type="direct" url="/" msg="URL belongs to a denied category in policy"
method=domain class=0 class_desc="N/A" cat=24 cat_desc="File Sharing and Storage"

slogtime=2015-06-19T15:47:14+0000 host=nbfkord-fgat21 date=2015-06-19 time=15:47:14 devname=nbfkord-fgat21 device_id=FG-5KB3E13700049 log_id=0021000002 type=traffic
subtype=allowed pri=notice status=accept vd="NBFMUE01F" dir_disp=org tran_disp=snat src=192.168.7.93 srcname=192.168.7.93 src_port=62225 dst=69.171.230.5
dstname=69.171.230.5 dst_port=443 tran_ip=206.197.1.192 tran_port=33693 service=443/tcp proto=6 app_type=N/A duration=10 rule=13 policyid=13 identidx=0
sent=503 rcvd=1245 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=7 rcvd_pkt=8
vpn="N/A" src_int="NBFMUE01F-South" dst_int="NBFMUE01F-North" SN=69475103 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"

If the user comes in via the LAN, he gets identified correctly and has access to dropbox.com

slogtime=2015-06-19T15:59:12+0000 host=nbfkord-fgat21 date=2015-06-19 time=15:59:12 devname=nbfkord-fgat21 device_id=FG-5KB3E13700049 log_id=0021000002
type=traffic subtype=allowed pri=notice status=accept vd="NBFMUE01F" dir_disp=org tran_disp=snat src=172.16.6.60 srcname=172.16.6.60 src_port=63137
dst=204.79.197.203 dstname=204.79.197.203 dst_port=443 tran_ip=206.197.1.192 tran_port=38445 service=443/tcp proto=6 app_type=N/A duration=81 rule=24
policyid=24 identidx=3 sent=3549 rcvd=8324 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A"
perip_name="N/A" sent_pkt=14 rcvd_pkt=12 vpn="N/A" src_int="NBFMUE01F-South" dst_int="NBFMUE01F-North" SN=69934991 app="N/A" app_cat="N/A"
user="TCROOK" group="SPD/SPD_MARKETING_EXCEPTIONS" carrier_ep="N/A"

The reason that dropbox.com is not being allowed for this user when they are connecting via the VPN is because the user and group authentication is not working:

user="N/A" group="N/A" carrier_ep="N/A" 

The user is using Directory services for user/group authentication 172.16.4.247 from the following AD servers 172.17.7.10 and 172.16.4.247.


But group authentication is not working for VPN users.
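As an added example (not part of the original post or of any firewall vendor's tooling): a short Python script that parses key=value records like the ones the provider pasted and flags VPN-sourced sessions the firewall could not tie to a user or AD group, the user="N/A" group="N/A" case that lands in the default profile. The VPN pool 192.168.7.0/24 and the two sample records are assumptions constructed from the post's logs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption: the AnyConnect address pool is 192.168.7.0/24 (the subnet the VPN
# client's source address in the post's log falls in). Adjust for your site.
VPN_POOLS = [ipaddress.ip_network("192.168.7.0/24")]

# Constructed sample records modelled on the key=value lines the provider sent:
# first the VPN session (no identity), then the LAN session (identified).
SAMPLE_LOGS = [
    'date=2015-06-19 time=15:47:10 type=webfilter subtype=ftgd_blk policyid=13 '
    'identidx=0 user="N/A" group="N/A" src=192.168.7.93 dst=108.160.172.200 '
    'dport=443 hostname="dropbox.com" status="blocked" '
    'cat_desc="File Sharing and Storage"',
    'date=2015-06-19 time=15:59:12 type=traffic subtype=allowed policyid=24 '
    'identidx=3 src=172.16.6.60 dst=204.79.197.203 dst_port=443 status=accept '
    'user="TCROOK" group="SPD/SPD_MARKETING_EXCEPTIONS"',
]

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record; quoted values may contain spaces or slashes."""
    out = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = quoted if quoted is not None else bare
    return out

def is_identified(rec: Dict[str, str]) -> bool:
    """True when the firewall resolved both a user and an AD group for the session."""
    return rec.get("user", "N/A") != "N/A" and rec.get("group", "N/A") != "N/A"

def from_vpn_pool(rec: Dict[str, str]) -> bool:
    """True when the source address falls inside an AnyConnect pool."""
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
    except ValueError:
        return False
    return any(src in pool for pool in VPN_POOLS)

def unidentified_vpn_sessions(lines: Iterable[str]) -> List[Dict[str, str]]:
    """VPN-sourced records with no user/group: the sessions that fell back to the default profile."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if from_vpn_pool(rec) and not is_identified(rec):
            hits.append({k: rec.get(k, "") for k in ("time", "src", "dst", "policyid", "status")})
    return hits
```

Run `unidentified_vpn_sessions` over a day of traffic/webfilter logs to count how many VPN sessions hit the default profile; once group identification works for VPN users the list should be empty.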
