04-04-2023 08:18 AM
We recently discovered that AnyConnect is allowing unauthorized users to connect. We use LDAP strings to establish authorization. I tried setting up dynamic-access-policies to restrict authorization to the LDAP strings, but even with the permit policy and then a no-access policy, the connection is denied. I set the Permit LDAP DAC to use the LDAP string as the filter and set the priority to 0. The no-access DAC is set to 1. Can anyone assist?
ldap attribute-map ANYCONNECT
 map-name memberOf IETF-Radius-Class
 map-value memberOf cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX ANYCONNECT_GP
aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
 timeout 30
 server-port 389
 ldap-base-dn dc=XXX,dc=XXXXX
 ldap-group-base-dn cn=AC-VPN,cn=users,dc=XXX,dc=XXXXX
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password XXXXXXXXXXXX
 ldap-login-dn XXX\someuserid
 server-type microsoft
 ldap-attribute-map ANYCONNECT
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 dns-server value 10.104.32.11 10.104.32.16
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 25
 vpn-tunnel-protocol ssl-client
 group-lock value ANYCONNECT_TG
 default-domain value XXX.XXXXX
 gateway-fqdn value xxx.vpn.xxx.xx.xx
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_IP_POOL
 authentication-server-group ANYCONNECT_AAA
 authorization-server-group ANYCONNECT_AAA
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias STAFF enable
dynamic-access-policy-record NO_ACCESS
 user-message "You are not authorized to connect."
 action terminate
 priority 1
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PERMIT_LDAP
 user-message "hello"
04-06-2023 09:39 AM - edited 04-06-2023 10:11 AM
@Teresa.A.Strickland did you receive this debug output when you actually logged into AnyConnect, or did you just run an aaa authentication test?
I would expect the mapped Group-Policy value to = ANYCONNECT_GP but in your debugs it does not.
[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
Attribute names and values are case sensitive, so you should capitalise the correct characters. I can see you've defined a lower-case "u", for example; you'll have to determine the rest. Amend and try again.
map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
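Added example, not code from the thread or from Cisco: a small Python checker that compares the DN in each map-value line against the memberOf value returned in the debug ldap output exactly, the way the ASA does, and flags a value that differs only in case. It assumes the ASA falls back to the tunnel-group's default-group-policy when no map-value matches; the config and debug lines are constructed from the ones posted above.

```python
import re

# Constructed from the thread: the map-value DN has lower-case "users", while the
# memberOf value AD actually returned (seen in "debug ldap" output) has "Users".
ASA_CONFIG = """\
ldap attribute-map ANYCONNECT
 map-name memberOf Group-Policy
 map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
"""
DEBUG_LDAP = """\
[60899] memberOf: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
[60899] mapped to Group-Policy: value = CN=AC-VPN,CN=Users,DC=xxx,DC=xxxxx
"""

def parse_map_values(config):
    """Return {ldap_value: mapped_value} from every 'map-value <attr> <ldap> <mapped>' line."""
    mapping = {}
    for line in config.splitlines():
        m = re.match(r"\s*map-value\s+\S+\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping

def parse_debug_values(debug, attr="memberOf"):
    """Return the raw values the LDAP server returned for attr in 'debug ldap' output."""
    pat = re.compile(r"\[\d+\]\s+" + re.escape(attr) + r": value = (.+?)\s*$")
    return [m.group(1) for m in map(pat.match, debug.splitlines()) if m]

def check_mapping(config, debug):
    """Compare each returned value with the map-value entries exactly, as the ASA does.
    Returns a list of (returned_value, status, detail): 'match' with the mapped group-policy,
    'case-mismatch' with the configured DN that differs only in case, or 'no-map'."""
    mapping = parse_map_values(config)
    report = []
    for value in parse_debug_values(debug):
        if value in mapping:
            report.append((value, "match", mapping[value]))
            continue
        near = [k for k in mapping if k.lower() == value.lower()]
        report.append((value, "case-mismatch" if near else "no-map", near[0] if near else None))
    return report

def effective_group_policy(config, debug, default_gp):
    """Group policy the session ends up with: the mapped one on an exact match, otherwise
    the tunnel-group's default-group-policy (assumed ASA fallback when nothing maps)."""
    for _value, status, detail in check_mapping(config, debug):
        if status == "match":
            return detail
    return default_gp
```

Running the check on the thread's values reports a case-mismatch, and the session lands on whatever default-group-policy the tunnel-group names rather than on the mapped ANYCONNECT_GP.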
04-14-2023 12:47 PM
Sorry for the late reply Rob. I've had my hands full.
I also noticed it wasn't picking up the group-policy, and I was actually trying to log in. Here's the LDAP string from the configuration. I'll ask my customer for the exact LDAP string to make sure my configuration is the same as AD.
ldap attribute-map ANYCONNECT
 map-name memberOf Group-Policy
 map-value memberOf cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
I also have it in the aaa-server:
aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
 ldap-group-base-dn cn=AC-VPN,cn=users,dc=xxx,dc=xxxxx ANYCONNECT_GP
04-14-2023 12:59 PM
@Teresa.A.Strickland like I said, the "u" in "users" is lower case in your configuration, but from the debug output you can confirm it should be a capital "U" (cn=Users). Not sure about the other characters you masked with xxx.
You have the correct syntax from the debug you took, just check the case of the characters and amend your configuration accordingly.
04-14-2023 01:03 PM
Thanks Rob. Will do.
04-14-2023 02:19 PM
I corrected the U in Users. Still fails.
05-18-2023 10:06 AM
You can use the test function with aaa commands to get the correct LDAP string case. Thank you so much for the tip Rob. One would think that the case wouldn't matter especially when it previously worked. IT DOES MATTER THOUGH!