Anyconnect Allowing Unauthorized Users to Connect

We recently discovered that Anyconnect is allowing unauthorized users to connect. We use ldap strings to establish authorization. I tried setting up dynamic-access-policies to restrict authorization to the ldap strings but even with the permit and then a no access, connection is denied. I set the Permit Ldap DAC to use the ldap string as the filter and set the priority to 0. The no access DAC is set to 1. Can anyone assist?

ldap attribute-map ANYCONNECT
map-name memberOf IETF-Radius-Class
map-value memberOf cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX ANYCONNECT_GP

aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
timeout 30
server-port 389
ldap-base-dn dc=XXX,dc=XXXXX
ldap-group-base-dn cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password XXXXXXXXXXXX
ldap-login-dn XXX\someuserid
server-type microsoft
ldap-attribute-map ANYCONNECT


group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
dns-server value 10.104.32.11 10.104.32.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 25
vpn-tunnel-protocol ssl-client
group-lock value ANYCONNECT_TG
default-domain value XXX.XXXXX
gateway-fqdn value xxx.vpn.xxx.xx.xx

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool ANYCONNECT_IP_POOL
authentication-server-group ANYCONNECT_AAA
authorization-server-group ANYCONNECT_AAA
default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
group-alias STAFF enable


dynamic-access-policy-record NO_ACCESS
user-message "You are not authorized to connect."
action terminate
priority 1
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PERMIT_LDAP
user-message "hello"


Accepted Solution

@Teresa.A.Strickland like I said, the u in users is lower case in your configuration, but in the debug output you can confirm it should be a capital U (cn=Users). Not sure about the other characters you masked with xxx.

You have the correct syntax from the debug you took, just check the case of the characters and amend your configuration accordingly.


20 Replies

I wanted to add clarification that as long as a user is a member of the domain but not a member of the security group in the ldap string, they are still able to login. 


@Teresa.A.Strickland your default group policy is ANYCONNECT_GP, which is allowing connections for successful authentications. Your default group policy needs to be a NOACCESS group policy (as per the example in the link below); this group policy would be configured with "vpn-simultaneous-logins 0". Authenticated/authorised users that are members of the correct group are assigned the group policy ANYCONNECT_GP using the map-value command.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#toc-hId--2133036507


Thanks for the reply Rob. I'm getting "Login denied, unauthorized connection mechanism". I tried with and without the dynamic-access-policy. 

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-clientless
group-policy NO_ACCESS internal
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
dns-server value 10.104.32.11 10.104.32.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 25
vpn-tunnel-protocol ssl-client
group-lock value ANYCONNECT_TG
default-domain value XXX.XXXXX
gateway-fqdn value XXX.XXX.XXX.XX.XX

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool ANYCONNECT_IP_POOL
authentication-server-group ANYCONNECT_AAA
authentication-server-group (INSIDE) ANYCONNECT_AAA
authorization-server-group ANYCONNECT_AAA
default-group-policy NO_ACCESS
tunnel-group ANYCONNECT_TG webvpn-attributes
group-alias STAFF enable

@Teresa.A.Strickland turn on debugs - debug ldap 255 - test with an account that should work and another that should not be allowed, provide the output.

Provide a screenshot of the anyconnect client error you receive


Sorry for the delay. I had my hands full the last few days. 


[59853] Session Start
[59853] New request Session, context 0x00007fcdc6a41eb8, reqType = Other
[59853] Fiber started
[59853] Creating LDAP context with uri=ldap://10.104.32.11:389
[59853] Connect to LDAP server: ldap://10.104.32.11:389, status = Successful
[59853] supportedLDAPVersion: value = 3
[59853] supportedLDAPVersion: value = 2
[59853] Binding as xxx\xxxxxxxxx
[59853] Performing Simple authentication for xxx\xxxxxxxxx to 10.104.32.11
[59853] LDAP Search:
Base DN = [dc=xxx,dc=xxxxx]
Filter = [sAMAccountName=teresa.S]
Scope = [SUBTREE]
[59853] User DN = [CN=Teresas,OU=S Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx]
[59853] Talking to Active Directory server 10.104.32.11
[59853] Reading password policy for teresa.S, dn:CN=Teresas,OU=S Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[59853] Read bad password count 0
[59853] LDAP Search:
Base DN = [dc=xxx,dc=xxxxx]
Filter = [sAMAccountName=teresa.S]
Scope = [SUBTREE]
[59853] Retrieved User Attributes:
[59853] objectClass: value = top
[59853] objectClass: value = person
[59853] objectClass: value = organizationalPerson
[59853] objectClass: value = user
[59853] cn: value = Teresas
[59853] sn: value = S
[59853] givenName: value = Teresa
[59853] distinguishedName: value = CN=Teresas,OU=S Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[59853] instanceType: value = 4
[59853] whenCreated: value = 20230315201929.0Z
[59853] whenChanged: value = 20230403194543.0Z
[59853] displayName: value = Teresas
[59853] uSNCreated: value = 107638022
[59853] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[59853] mapped to IETF-Radius-Class: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[59853] mapped to LDAP-Class: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[59853] uSNChanged: value = 109800523
[59853] name: value = Teresas
[59853] objectGUID: value = U..-...L.X.iH,..
[59853] userAccountControl: value = 66048
[59853] badPwdCount: value = 0
[59853] codePage: value = 0
[59853] countryCode: value = 0
[59853] homeDirectory: value = \\fileserver\staff-homes$\teresa.S
[59853] homeDrive: value = H:
[59853] badPasswordTime: value = 0
[59853] lastLogoff: value = 0
[59853] lastLogon: value = 0
[59853] logonHours: value = .....................
[59853] pwdLastSet: value = 133233851694914996
[59853] primaryGroupID: value = 513
[59853] objectSid: value = ............N..Q........]K..
[59853] accountExpires: value = 0
[59853] logonCount: value = 0
[59853] sAMAccountName: value = teresa.S
[59853] sAMAccountType: value = 805306368
[59853] userPrincipalName: value = teresa.S@xxx.xxxxx
[59853] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[59853] msNPAllowDialin: value = TRUE
[59853] dSCorePropagationData: value = 20230403194543.0Z
[59853] dSCorePropagationData: value = 20230327141922.0Z
[59853] dSCorePropagationData: value = 20230327135317.0Z
[59853] dSCorePropagationData: value = 20230327135312.0Z
[59853] dSCorePropagationData: value = 16010102122432.0Z
[59853] lastLogonTimestamp: value = 133246944603505838
[59853] Fiber exit Tx=576 bytes Rx=5261 bytes, status=1
[59853] Session End

@Teresa.A.Strickland change...

ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy

and then try again, provide the debugs again if required.

I already have it on the memberof ldap line if that's what you meant. Doesn't seem like it is picking it up. I also tried it in the aaa-server configuration and it's still no dice. 

ldap attribute-map ANYCONNECT
map-name memberOf IETF-Radius-Class
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP

aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
timeout 30
server-port 389
ldap-base-dn dc=xxx,dc=xxxxx
ldap-group-base-dn cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn xxx\xxxxxxx
server-type microsoft
ldap-attribute-map ANYCONNECT

I would ask if it's a bug, but we are seeing it across 130 different Cisco devices, all on different firmware and hardware.

@Teresa.A.Strickland no, you have this:-

ldap attribute-map ANYCONNECT
map-name memberOf IETF-Radius-Class
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP

I suggested trying this:-

ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP


Also, I forgot to post the user who shouldn't have access. It still gets the same error now but can also login when I revert to the old configuration. 


[60565] Session Start
[60565] New request Session, context 0x00007fcdc6a41eb8, reqType = Authentication
[60565] Fiber started
[60565] Creating LDAP context with uri=ldap://10.104.32.11:389
[60565] Connect to LDAP server: ldap://10.104.32.11:389, status = Successful
[60565] supportedLDAPVersion: value = 3
[60565] supportedLDAPVersion: value = 2
[60565] Binding as xxx\xxxxxxx
[60565] Performing Simple authentication for xxx\xxxxxxx to 10.104.32.11
[60565] LDAP Search:
Base DN = [dc=xxx,dc=xxxxx]
Filter = [sAMAccountName=noaccess]
Scope = [SUBTREE]
[60565] User DN = [CN=T S,OU=S Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxxx]
[60565] Talking to Active Directory server 10.104.32.11
[60565] Reading password policy for noaccess, dn:CN=T S,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxxx
[60565] Read bad password count 0
[60565] Binding as noaccess
[60565] Performing Simple authentication for noaccess to 10.104.32.11
[60565] Processing LDAP response for user noaccess
[60565] Message (noaccess):
[60565] Authentication successful for noaccess to 10.104.32.11
[60565] Retrieved User Attributes:
[60565] objectClass: value = top
[60565] objectClass: value = person
[60565] objectClass: value = organizationalPerson
[60565] objectClass: value = user
[60565] cn: value = T S
[60565] sn: value = S
[60565] givenName: value = T
[60565] distinguishedName: value = CN=T S,OU=S Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60565] instanceType: value = 4
[60565] whenCreated: value = 20230330184111.0Z
[60565] whenChanged: value = 20230403194536.0Z
[60565] displayName: value = T S
[60565] uSNCreated: value = 109353278
[60565] memberOf: value = CN=Sync,DC=xxx,DC=xxxxx
[60565] mapped to IETF-Radius-Class: value = CN=Sync,DC=xxx,DC=xxxxx
[60565] mapped to LDAP-Class: value = CN=Sync,DC=xxx,DC=xxxxx
[60565] memberOf: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
[60565] mapped to IETF-Radius-Class: value = CN=STAFF,CN=Users,DC=xxx,DC=xxxxx
[60565] mapped to LDAP-Class: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
[60565] uSNChanged: value = 109800520
[60565] name: value = T S
[60565] objectGUID: value = .F.Zw..E..e.....
[60565] userAccountControl: value = 66048
[60565] badPwdCount: value = 0
[60565] codePage: value = 0
[60565] countryCode: value = 0
[60565] homeDirectory: value = \\fileserver\staff-homes$\noaccess
[60565] homeDrive: value = H:
[60565] badPasswordTime: value = 0
[60565] lastLogoff: value = 0
[60565] lastLogon: value = 0
[60565] logonHours: value = .....................
[60565] pwdLastSet: value = 133246752714803720
[60565] primaryGroupID: value = 513
[60565] objectSid: value = ............N..Q........eK..
[60565] accountExpires: value = 0
[60565] logonCount: value = 0
[60565] sAMAccountName: value = noaccess
[60565] sAMAccountType: value = 805306368
[60565] userPrincipalName: value = noaccess@xxx.xxxxx
[60565] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[60565] msNPAllowDialin: value = TRUE
[60565] dSCorePropagationData: value = 20230403194536.0Z
[60565] dSCorePropagationData: value = 20230330184111.0Z
[60565] dSCorePropagationData: value = 16010101000000.0Z
[60565] lastLogonTimestamp: value = 133246952123883463
[60565] Fiber exit Tx=584 bytes Rx=2939 bytes, status=1
[60565] Session End

Thanks Rob. Same error. I checked back over my tunnel-group and group-policy for any misconfigurations. I had another group-policy called NO_ACCESS applied. I have corrected it now. I am just getting login failed now. Debugs look the same however. 

ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-clientless

group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
dns-server value 10.104.32.11 10.104.32.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 25
vpn-tunnel-protocol ssl-client
group-lock value ANYCONNECT_TG
default-domain value xxx.xxxxx
gateway-fqdn value xxx.xxx.xxx.xx.xx

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool ANYCONNECT_IP_POOL
authentication-server-group ANYCONNECT_AAA
authentication-server-group (INSIDE) ANYCONNECT_AAA
authorization-server-group ANYCONNECT_AAA
default-group-policy NOACCESS
tunnel-group ANYCONNECT_TG webvpn-attributes
group-alias Staff enable

@Teresa.A.Strickland you now appear to be missing part of the configuration, highlighted below in bold.

ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP


Login failed.

[60899] Session Start
[60899] New request Session, context 0x00007fcdc6a41eb8, reqType = Authentication
[60899] Fiber started
[60899] Creating LDAP context with uri=ldap://10.104.32.11:389
[60899] Connect to LDAP server: ldap://10.104.32.11:389, status = Successful
[60899] supportedLDAPVersion: value = 3
[60899] supportedLDAPVersion: value = 2
[60899] Binding as xxx\xxxxxxxx
[60899] Performing Simple authentication for xxx\xxxxxxxx to 10.104.32.11
[60899] LDAP Search:
Base DN = [dc=xxx,dc=xxxxx]
Filter = [sAMAccountName=teresa.s]
Scope = [SUBTREE]
[60899] User DN = [CN=Teresa s,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx]
[60899] Talking to Active Directory server 10.104.32.11
[60899] Reading password policy for teresa.s, dn:CN=Teresa s,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60899] Read bad password count 0
[60899] Binding as teresa.s
[60899] Performing Simple authentication for teresa.s to 10.104.32.11
[60899] Processing LDAP response for user teresa.s
[60899] Message (teresa.s):
[60899] Authentication successful for teresa.s to 10.104.32.11
[60899] Retrieved User Attributes:
[60899] objectClass: value = top
[60899] objectClass: value = person
[60899] objectClass: value = organizationalPerson
[60899] objectClass: value = user
[60899] cn: value = Teresa s
[60899] sn: value = s
[60899] givenName: value = Teresa
[60899] distinguishedName: value = CN=Teresa s,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60899] instanceType: value = 4
[60899] whenCreated: value = 20230315201929.0Z
[60899] whenChanged: value = 20230403194543.0Z
[60899] displayName: value = Teresa s
[60899] uSNCreated: value = 107638022
[60899] memberOf: value = CN=sVPNTEST,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=sVPNTEST,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60899] mapped to LDAP-Class: value = CN=sVPNTEST,OU=s Testing,OU=IT,OU=Domain Users,DC=xxx,DC=xxxxx
[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to LDAP-Class: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] memberOf: value = CN=Sync,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=Sync,DC=xxx,DC=xxxxx
[60899] mapped to LDAP-Class: value = CN=Sync,DC=xxx,DC=xxxxx
[60899] memberOf: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to LDAP-Class: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
[60899] uSNChanged: value = 109800523
[60899] name: value = Teresa s
[60899] objectGUID: value = U..-...L.X.iH,..
[60899] userAccountControl: value = 66048
[60899] badPwdCount: value = 0
[60899] codePage: value = 0
[60899] countryCode: value = 0
[60899] homeDirectory: value = \\fileserver\staff-homes$\teresa.s
[60899] homeDrive: value = H:
[60899] badPasswordTime: value = 0
[60899] lastLogoff: value = 0
[60899] lastLogon: value = 0
[60899] logonHours: value = .....................
[60899] pwdLastSet: value = 133233851694914996
[60899] primaryGroupID: value = 513
[60899] objectSid: value = ............N..Q........]K..
[60899] accountExpires: value = 0
[60899] logonCount: value = 0
[60899] sAMAccountName: value = teresa.s
[60899] sAMAccountType: value = 805306368
[60899] userPrincipalName: value = teresa.s@xxx.xxxxx
[60899] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[60899] msNPAllowDialin: value = TRUE
[60899] dSCorePropagationData: value = 20230403194543.0Z
[60899] dSCorePropagationData: value = 20230327141922.0Z
[60899] dSCorePropagationData: value = 20230327135317.0Z
[60899] dSCorePropagationData: value = 20230327135312.0Z
[60899] dSCorePropagationData: value = 16010102122432.0Z
[60899] lastLogonTimestamp: value = 133246944603505838
[60899] Fiber exit Tx=603 bytes Rx=3157 bytes, status=1
[60899] Session End

Reposting the ldap string. It is as you asked now. 
ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
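The thread comes down to two things: the tunnel-group's default-group-policy decides what any authenticated domain user gets when no map-value matches, and the map-value DN has to match the memberOf value byte for byte (the accepted answer's lower-case "users" vs "CN=Users"). The following script is an added example written for this page; it is not the thread's configuration, a Cisco tool, or anything the ASA itself provides. It parses the relevant ASA lines and the memberOf lines from a `debug ldap 255` capture, then reports which group-policy a user would land in and whether that policy admits them. The config snippets and debug excerpts are constructed from the values in the thread; the assumptions are that the map-value comparison is exact (case-sensitive), that the first matching map-value wins, and that a group-policy with no vpn-simultaneous-logins line gets the ASA default of 3.

```python
import re
from dataclasses import dataclass, field

# Constructed samples (not the thread's full configs): only the lines that decide
# which group-policy a user lands in, in three states the thread passes through.
# State 1: the original post, default-group-policy ANYCONNECT_GP.
CONFIG_WEAK = """\
ldap attribute-map ANYCONNECT
 map-name memberOf Group-Policy
 map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
group-policy ANYCONNECT_GP attributes
 vpn-simultaneous-logins 3
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy ANYCONNECT_GP
"""
# State 2: default changed to NOACCESS, map-value DN still in the wrong case.
CONFIG_CASE_MISMATCH = CONFIG_WEAK.replace(
    "default-group-policy ANYCONNECT_GP", "default-group-policy NOACCESS") + """\
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
"""
# State 3: default NOACCESS and the DN written exactly as the debug prints it.
CONFIG_FIXED = CONFIG_CASE_MISMATCH.replace(
    "cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx", "CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx")

# Constructed `debug ldap 255` excerpts: the memberOf lines of the two test users.
DEBUG_AUTHORISED = """\
[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] memberOf: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
"""
DEBUG_UNAUTHORISED = """\
[60565] memberOf: value = CN=Sync,DC=xxx,DC=xxxxx
[60565] memberOf: value = CN=staff,CN=Users,DC=xxx,DC=xxxxx
"""


@dataclass
class AsaVpnConfig:
    map_values: dict = field(default_factory=dict)           # exact DN -> group-policy
    simultaneous_logins: dict = field(default_factory=dict)  # group-policy -> limit
    default_group_policy: str = ""


@dataclass
class Verdict:
    group_policy: str        # policy the user would be assigned
    allowed: bool            # False when that policy has vpn-simultaneous-logins 0
    case_mismatches: list    # memberOf values differing from a map-value only by case


def parse_asa_config(text: str) -> AsaVpnConfig:
    """Pull the map-value, vpn-simultaneous-logins and default-group-policy lines."""
    cfg = AsaVpnConfig()
    current_gp = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"map-value memberOf (\S+) (\S+)$", line):
            cfg.map_values[m.group(1)] = m.group(2)
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current_gp = m.group(1)
        elif (m := re.match(r"vpn-simultaneous-logins (\d+)$", line)) and current_gp:
            cfg.simultaneous_logins[current_gp] = int(m.group(1))
        elif m := re.match(r"default-group-policy (\S+)$", line):
            cfg.default_group_policy = m.group(1)
    return cfg


def member_of_from_debug(debug_text: str) -> list:
    """Collect the raw memberOf values the ASA retrieved for the user."""
    return [m.group(1).strip() for line in debug_text.splitlines()
            if (m := re.search(r"memberOf: value = (.+)$", line))]


def evaluate(cfg: AsaVpnConfig, member_of: list) -> Verdict:
    """Model the assignment: first exact map-value match wins, otherwise the
    tunnel-group default applies. The exact (case-sensitive) comparison and the
    ASA default of 3 logins when a policy sets none are assumptions."""
    policy = cfg.default_group_policy
    for dn in member_of:
        if dn in cfg.map_values:
            policy = cfg.map_values[dn]
            break
    lowered = {k.lower() for k in cfg.map_values}
    mismatches = [dn for dn in member_of
                  if dn not in cfg.map_values and dn.lower() in lowered]
    return Verdict(policy, cfg.simultaneous_logins.get(policy, 3) > 0, mismatches)


if __name__ == "__main__":
    for name, cfg_text in (("weak", CONFIG_WEAK), ("case-mismatch", CONFIG_CASE_MISMATCH),
                           ("fixed", CONFIG_FIXED)):
        cfg = parse_asa_config(cfg_text)
        for user, dbg in (("teresa.s", DEBUG_AUTHORISED), ("noaccess", DEBUG_UNAUTHORISED)):
            v = evaluate(cfg, member_of_from_debug(dbg))
            print(f"{name:14} {user:10} -> {v.group_policy:14} allowed={v.allowed} "
                  f"case_mismatches={v.case_mismatches}")
```

Running it reproduces the three stages of the thread: under the weak config the noaccess user is admitted through the default ANYCONNECT_GP; after switching the default to NOACCESS the authorised user is also denied, with the AC-VPN DN reported as a case-only mismatch; once the map-value DN is written as the debug prints it, only the AC-VPN member gets ANYCONNECT_GP. The case_mismatches list is the check to run whenever a user who should match falls through to the default.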