04-03-2017 04:15 AM
Hello,
Currently we use the local user database on the Cisco ASA for our AnyConnect users. We have two group policies: one allows users assigned to it to get to all internal networks apart from the DEV networks. The other allows users assigned to it to get to all the normal networks and the DEV networks.
While this works fine for local user authentication, I am wondering how to achieve the same if we enforce users to authenticate their AnyConnect sessions using their Active Directory credentials. Can we tie certain Active Directory users to certain group policies?
Thanks
Nick
04-03-2017 04:36 AM
You can use the Active Directory group membership (memberOf) attribute to assign group-policies to users. This can be achieved by using the LDAP attribute map configuration as seen below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14
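To make the approach concrete, here is an added example of the ASA configuration the linked document describes; it is not taken from the thread or from the Cisco document, and every name in it is an assumption: the domain controller 10.10.2.10 and domain secure.local are taken from the debug output later in the thread, while the group-policy names FC_ANYCONNECT_DEV and FC_ANYCONNECT_NORMAL, the AD groups DEV and VPN-Users, the ACL names, the tunnel-group ANYCONNECT-TG and the bind account asa-ldap are made up for illustration. The memberOf attribute is mapped onto IETF-Radius-Class, which the ASA treats as the group-policy name, so the mapped values must match existing group-policy names exactly (they are case-sensitive). A NOACCESS policy with zero simultaneous logins is set as the tunnel-group default so that a valid AD account that is in neither mapped group is refused rather than landing in a permissive policy. The thread's debug shows plain LDAP on port 389, which sends the bind password in clear text; the example uses LDAPS on 636 instead.

```cisco
! Added example, not from the original thread or the linked Cisco document.
! All names are assumptions; 10.10.2.10 and secure.local come from the debug output.

! 1. Group-policies that the AD groups are mapped onto. The names here must
!    match the map-value targets below exactly.
group-policy FC_ANYCONNECT_NORMAL internal
group-policy FC_ANYCONNECT_NORMAL attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL_VPN_NORMAL
group-policy FC_ANYCONNECT_DEV internal
group-policy FC_ANYCONNECT_DEV attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL_VPN_DEV

! 2. Catch-all for authenticated users in neither mapped group: zero
!    simultaneous logins means the session is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 0

! 3. LDAP attribute map: AD memberOf -> ASA group-policy (IETF-Radius-Class).
!    Each user should be in only one mapped group, so the result is unambiguous.
ldap attribute-map AD-TO-GP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=DEV,CN=Users,DC=secure,DC=local" FC_ANYCONNECT_DEV
 map-value memberOf "CN=VPN-Users,CN=Users,DC=secure,DC=local" FC_ANYCONNECT_NORMAL

! 4. AAA server group for the domain controller, using the map and LDAPS.
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.2.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=secure,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,CN=Users,DC=secure,DC=local
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-TO-GP

! 5. Tunnel-group: authenticate against AD; NOACCESS applies unless the
!    attribute map overrides it for a group member.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
```

To verify the mapping, run `test aaa-server authentication AD host 10.10.2.10 username <user> password <pass>` with `debug ldap 255` enabled and look for the line `mapped to IETF-Radius-Class: value = <group-policy>` in the retrieved attributes; if that line names a group-policy that does not exist on the ASA, create it or correct the map-value before testing from the client.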
04-03-2017 04:51 AM
Thanks Rahul,
I will have a read through the document.
04-04-2017 06:15 AM
Hi,
I have created the mapping as per another document which seemed fairly straight forward.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
I can see in the debugging that the Group Policy is being referenced when I authenticate with the AnyConnect client against AD, and authentication seems successful, but the AnyConnect client just keeps asking me for the password again and this just keeps happening. So I guess I am missing a final piece of the puzzle.
Debug below:
debug ldap enabled at level 255
HQ-FW01#
[78] Session Start
[78] New request Session, context 0x00007fac6da0c498, reqType = Authentication
[78] Fiber started
[78] Creating LDAP context with uri=ldap://10.10.2.10:389
[78] Connect to LDAP server: ldap://10.10.2.10:389, status = Successful
[78] supportedLDAPVersion: value = 3
[78] supportedLDAPVersion: value = 2
[78] Binding as administrator
[78] Performing Simple authentication for administrator to 10.10.2.10
[78] LDAP Search:
Base DN = [DC=secure,DC=local]
Filter = [sAMAccountName=dev2]
Scope = [SUBTREE]
[78] User DN = [CN=dev2,CN=Users,DC=secure,DC=local]
[78] Talking to Active Directory server 10.10.2.10
[78] Reading password policy for dev2, dn:CN=dev2,CN=Users,DC=secure,DC=local
[78] Read bad password count 0
[78] Binding as dev2
[78] Performing Simple authentication for dev2 to 10.10.2.10
[78] Processing LDAP response for user dev2
[78] Message (dev2):
[78] Authentication successful for dev2 to 10.10.2.10
[78] Retrieved User Attributes:
[78] objectClass: value = top
[78] objectClass: value = person
[78] objectClass: value = organizationalPerson
[78] objectClass: value = user
[78] cn: value = dev2
[78] givenName: value = dev2
[78] distinguishedName: value = CN=dev2,CN=Users,DC=secure,DC=local
[78] instanceType: value = 4
[78] whenCreated: value = 20170404130613.0Z
[78] whenChanged: value = 20170404130613.0Z
[78] displayName: value = dev2
[78] uSNCreated: value = 20524
[78] memberOf: value = CN=DEV,CN=Users,DC=secure,DC=local
[78] mapped to IETF-Radius-Class: value = FC_ANYCONNECT_DEV
[78] mapped to LDAP-Class: value = FC_ANYCONNECT_DEV
[78] uSNChanged: value = 20530
[78] name: value = dev2
[78] objectGUID: value = ..9...,L........
[78] userAccountControl: value = 66048
[78] badPwdCount: value = 0
[78] codePage: value = 0
[78] countryCode: value = 0
[78] badPasswordTime: value = 0
[78] lastLogoff: value = 0
[78] lastLogon: value = 0
[78] pwdLastSet: value = 131357847737535060
[78] primaryGroupID: value = 513
[78] objectSid: value = ............r..`...j.H..Y...
[78] accountExpires: value = 9223372036854775807
[78] logonCount: value = 0
[78] sAMAccountName: value = dev2
[78] sAMAccountType: value = 805306368
[78] userPrincipalName: value = dev2@secure.local
[78] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=secure,DC=local
[78] dSCorePropagationData: value = 20170404130613.0Z
[78] dSCorePropagationData: value = 16010101000000.0Z
[78] Fiber exit Tx=530 bytes Rx=2407 bytes, status=1
[78] Session End
Any help would be great.
thanks
04-04-2017 07:06 AM
Maybe it is failing at some other point. Can you check the syslogs on the ASA to see if something else shows up? Also, run the following debugs when testing a connection:
debug aaa authentication
debug aggregate-auth xml 255
04-04-2017 07:18 AM