AnyConnect Allowing Unauthorized Users to Connect

We recently discovered that AnyConnect is allowing unauthorized users to connect. We use LDAP strings to establish authorization. I tried setting up dynamic-access-policies to restrict authorization to the LDAP strings, but even with the permit DAP first and then a no-access DAP, the connection is denied. I set the Permit LDAP DAP to use the LDAP string as the filter and set the priority to 0. The no-access DAP is set to 1. Can anyone assist?

ldap attribute-map ANYCONNECT
map-name memberOf IETF-Radius-Class
map-value memberOf cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX ANYCONNECT_GP

aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
timeout 30
server-port 389
ldap-base-dn dc=XXX,dc=XXXXX
ldap-group-base-dn cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password XXXXXXXXXXXX
ldap-login-dn XXX\someuserid
server-type microsoft
ldap-attribute-map ANYCONNECT


group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
dns-server value 10.104.32.11 10.104.32.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 25
vpn-tunnel-protocol ssl-client
group-lock value ANYCONNECT_TG
default-domain value XXX.XXXXX
gateway-fqdn value xxx.vpn.xxx.xx.xx

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool ANYCONNECT_IP_POOL
authentication-server-group ANYCONNECT_AAA
authorization-server-group ANYCONNECT_AAA
default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
group-alias STAFF enable


dynamic-access-policy-record NO_ACCESS
user-message "You are not authorized to connect."
action terminate
priority 1
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PERMIT_LDAP
user-message "hello"


20 Replies

@Teresa.A.Strickland did you receive this debug output when you actually logged into AnyConnect, or did you just run an aaa authentication test?

I would expect the mapped Group-Policy value to = ANYCONNECT_GP but in your debugs it does not.

[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx

Attribute names and values are case sensitive, so you should capitalise the correct characters. I can see you've defined a lower-case "u", for example; you'll have to determine the rest. Amend and try again.

map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
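
As an added check (my own example, not code from the thread or from Cisco): a small Python script that applies the same literal, case-sensitive comparison the ASA uses between the memberOf values shown in the debug output and the map-value entries of an ldap attribute-map, and flags entries that would match only if case were ignored. The attribute-map text and debug lines inside the script are constructed to mirror the ones posted in this thread (with a second, unmapped group added); parse_map_values, check_attribute_map and the other function names are mine.

```python
import re

# Constructed sample, modelled on the attribute map posted in the thread
# (note the lower-case "cn=users" that turned out not to match AD).
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map ANYCONNECT
  map-name  memberOf Group-Policy
  map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
"""

# Constructed sample, modelled on the debug lines quoted above: the DN as the
# directory actually returns it, plus a second group that has no map-value.
DEBUG_OUTPUT = """\
[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] memberOf: value = CN=Domain Users,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
"""

MAP_VALUE_RE = re.compile(r"\s*map-value\s+(\S+)\s+(.+?)\s+(\S+)\s*$")
DEBUG_VALUE_RE = re.compile(r"\[\d+\]\s+(\w+):\s+value\s+=\s+(.+?)\s*$")


def parse_map_values(config):
    """Return {ldap_attribute: {ldap_value: asa_value}} from map-value lines."""
    mapping = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line)
        if m:
            attr, ldap_value, asa_value = m.groups()
            mapping.setdefault(attr, {})[ldap_value] = asa_value
    return mapping


def parse_debug_values(debug):
    """Return {ldap_attribute: [value, ...]} from '<attr>: value = ...' lines.
    The 'mapped to ...' lines do not fit the pattern and are skipped."""
    values = {}
    for line in debug.splitlines():
        m = DEBUG_VALUE_RE.match(line)
        if m:
            attr, value = m.groups()
            values.setdefault(attr, []).append(value)
    return values


def normalize_dn(dn):
    """Case-fold a DN for the 'would this match if case were ignored' check.
    The ASA does NOT do this; it compares map-values as literal strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_attribute_map(config, debug):
    """Compare every debug value with the map-values the way the ASA does
    (exact, case-sensitive) and report match / case-mismatch / no-map-value."""
    mapping = parse_map_values(config)
    report = []
    for attr, seen in parse_debug_values(debug).items():
        candidates = mapping.get(attr, {})
        for value in seen:
            if value in candidates:
                report.append({"attr": attr, "value": value,
                               "status": "match", "maps_to": candidates[value]})
                continue
            near = [c for c in candidates if normalize_dn(c) == normalize_dn(value)]
            if near:
                report.append({"attr": attr, "value": value,
                               "status": "case-mismatch", "configured": near[0],
                               "maps_to": candidates[near[0]]})
            else:
                report.append({"attr": attr, "value": value,
                               "status": "no-map-value"})
    return report


def corrected_map_value_lines(config, debug):
    """map-value lines rewritten with the exact case the directory returned."""
    return ["  map-value {attr} {value} {maps_to}".format(**r)
            for r in check_attribute_map(config, debug)
            if r["status"] == "case-mismatch"]


if __name__ == "__main__":
    for entry in check_attribute_map(ATTRIBUTE_MAP_CONFIG, DEBUG_OUTPUT):
        print(entry)
    print("\n".join(corrected_map_value_lines(ATTRIBUTE_MAP_CONFIG, DEBUG_OUTPUT)))
```

Run against the posted values it reports one case-only mismatch and prints the map-value line with the case AD actually returned, which is the fix this thread arrives at. One further point worth checking in the posted tunnel-group: its default-group-policy is ANYCONNECT_GP, so a user whose memberOf never matches any map-value is not rejected but simply lands in the same full-access group policy. The usual hardening is to make the default a no-access group policy (for example one with vpn-simultaneous-logins 0) and let only the attribute map assign ANYCONNECT_GP.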


Sorry for the late reply Rob. I've had my hands full.

I also noticed it wasn't picking up the group-policy, and I was actually trying to log in. Here's the LDAP string from the configuration. I'll ask my customer for the exact LDAP string to make sure my configuration is the same as AD.

ldap attribute-map ANYCONNECT
  map-name  memberOf Group-Policy
  map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP

I also have it in the aaa-server

aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
 ldap-group-base-dn cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP


@Teresa.A.Strickland like I said, the "u" in "users" is lower case in your configuration, but from the debug output you can confirm it should be a capital U (cn=Users). Not sure about the other characters you masked with xxx.

You have the correct syntax from the debug you took, just check the case of the characters and amend your configuration accordingly.


Thanks Rob. Will do. 


I corrected the U in Users. Still fails. 

You can use the test function with aaa commands to get the correct LDAP string case. Thank you so much for the tip, Rob. One would think that the case wouldn't matter, especially when it previously worked. IT DOES MATTER THOUGH!