Anyconnect - any domain user authenticates - not using ldap string

I have over 130 devices where Anyconnect is permitting any domain user to log in. We have an LDAP string configured, but logins aren't being restricted to the AD security group in the LDAP string. My devices include FP2110 (ASA, not FTD), ASA 5508 and 5516, 5545, 5555, 5585 etc. So it's all different firmwares, mostly 9.16(3), 9.14(4), 9.12(4)52, but all the same version of the Anyconnect client. 

The configuration I am going to post is a 5545 with 9.14(4) firmware and 4.10.0175 anyconnect client. The client version doesn't seem to matter either since I can authenticate an unauthorized user with the test command. See debug at bottom. Obviously, I have tried to sanitize my configuration and debugs for any real identifying information. 

Can anyone lend any insight? Have I missed part of the configuration? Thanks in advance. 

ip local pool ANYCONNECT_IP_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

ldap attribute-map ANYCONNECT
 map-name memberOf IETF-Radius-Class
 map-value memberOf cn=AC-VPN,cn=users,dc=abc,dc=local ANYCONNECT_GP

aaa-server ANYCONNECT_AAA protocol ldap
aaa-server ANYCONNECT_AAA (INSIDE) host 10.104.32.11
 timeout 30
 server-port 389
 ldap-base-dn dc=abc,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password XXXXXXXXXX
 ldap-login-dn abc\abcdomainuser
 server-type microsoft
 ldap-attribute-map ANYCONNECT

webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-macos-4.10.01075-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.10.01075-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.10.01075-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 dns-server value 10.104.32.11 10.104.32.16
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 25
 vpn-tunnel-protocol ssl-client
 group-lock value ANYCONNECT_TG
 gateway-fqdn value abc.vpn.XX.XX.XX


dynamic-access-policy-record DfltAccessPolicy

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_IP_POOL
 authentication-server-group (outside) ANYCONNECT_AAA
 authorization-server-group ANYCONNECT_AAA
 default-group-policy ANYCONNECT_GP
 authorization-required
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias ABC_Staff enable

HOSTNAME# test aaa-server authorization ANYCONNECT_AAA username$
Server IP Address or name: 10.104.32.11
INFO: Attempting Authorization test to IP address (10.104.32.11) (timeout: 32 seconds)

[-2147483630] Session Start
[-2147483630] New request Session, context 0x00007f1bee03cc70, reqType = Other
[-2147483630] Fiber started
[-2147483630] Creating LDAP context with uri=ldap://10.104.32.11:389
[-2147483630] Connect to LDAP server: ldap://10.104.32.11:389, status = Successful
[-2147483630] supportedLDAPVersion: value = 3
[-2147483630] supportedLDAPVersion: value = 2
[-2147483630] Binding as abc\abcdomainuser
[-2147483630] Performing Simple authentication for abc\abcdomainuser to 10.104.32.11
[-2147483630] LDAP Search:
Base DN = [dc=abc,dc=local]
Filter = [sAMAccountName=test.vpnuser]
Scope = [SUBTREE]
[-2147483630] User DN = [CN=Test VPNUSER,OU=District,OU=Faculty,DC=abc,DC=local]
[-2147483630] Talking to Active Directory server 10.104.32.11
[-2147483630] Reading password policy for test.vpnuser, dn:CN=Test VPNUSER,OU=District,OU=Faculty,DC=abc,DC=local
[-2147483630] Read bad password count 0
[-2147483630] LDAP Search:
Base DN = [dc=abc,dc=local]
Filter = [sAMAccountName=test.vpnuser]
Scope = [SUBTREE]
[-2147483630] Retrieved User Attributes:
[-2147483630] objectClass: value = top
[-2147483630] objectClass: value = person
[-2147483630] objectClass: value = organizationalPerson
[-2147483630] objectClass: value = user
[-2147483630] cn: value = Test VPNUSER
[-2147483630] sn: value = VPNUSER
[-2147483630] givenName: value = Test
[-2147483630] distinguishedName: value = CN=Test VPNUSER,OU=District,OU=Faculty,DC=abc,DC=local
[-2147483630] instanceType: value = 4
[-2147483630] whenCreated: value = 20230317164826.0Z
[-2147483630] whenChanged: value = 20230317164826.0Z
[-2147483630] displayName: value = Test VPNUSER
[-2147483630] uSNCreated: value = 107840416
[-2147483630] uSNChanged: value = 107840422
[-2147483630] name: value = Test VPNUSER
[-2147483630] objectGUID: value = ...U..HG..*'..p.
[-2147483630] userAccountControl: value = 66048
[-2147483630] badPwdCount: value = 0
[-2147483630] codePage: value = 0
[-2147483630] countryCode: value = 0
[-2147483630] homeDirectory: value = \\fileserver\faculty-homes$\test.vpnuser
[-2147483630] homeDrive: value = H:
[-2147483630] badPasswordTime: value = 0
[-2147483630] lastLogoff: value = 0
[-2147483630] lastLogon: value = 0
[-2147483630] pwdLastSet: value = 133235453063036364
[-2147483630] primaryGroupID: value = 513
[-2147483630] objectSid: value = ............N..Q........^K..
[-2147483630] accountExpires: value = 9223372036854775807
[-2147483630] logonCount: value = 0
[-2147483630] sAMAccountName: value = test.vpnuser
[-2147483630] sAMAccountType: value = 805306368
[-2147483630] userPrincipalName: value = test.vpnuser@abc.org
[-2147483630] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[-2147483630] dSCorePropagationData: value = 20230317164826.0Z
[-2147483630] dSCorePropagationData: value = 16010101000000.0Z
[-2147483630] Fiber exit Tx=540 bytes Rx=4339 bytes, status=1
[-2147483630] Session End
INFO: Authorization Successful
HOSTNAME#


6 Replies

@Teresa.A.Strickland as you are using LDAP for authentication, you need to define a NOACCESS group-policy, set its vpn-simultaneous-logins to 0 and set this group-policy as the default on the tunnel-group. Authenticated users will be assigned the group-policy ANYCONNECT_GP as per your LDAP attribute map and allowed access. All other users will match the NOACCESS group-policy and be denied access.

Examples:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#toc-hId--2133036507

https://integratingit.wordpress.com/2020/04/03/asa-remote-access-vpn-using-ldap/
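Added example, not part of this thread or of any Cisco tooling: a small offline Python model of the assignment logic described in the reply above. It parses the "attribute: value = ..." lines from a `debug ldap 255` / `test aaa-server` capture, applies an `ldap attribute-map` of the form `map-value memberOf <dn> <group-policy>`, falls back to the tunnel-group's `default-group-policy` when no memberOf value matches (as happens for a user who is in no mapped group, like the test user in the original post whose attributes contain no memberOf at all), and reports whether the effective policy permits a login (`vpn-simultaneous-logins` greater than 0). It also audits the tunnel-group for the two failure modes discussed here: a default policy that permits logins (every authenticated domain user gets in) and a mapped target policy set to 0 logins (the intended group is locked out too). The debug excerpts, user names and the Faculty group DN are constructed for the example; DN comparison is done case-insensitively and the first matching memberOf value wins, both of which are simplifying assumptions of this checker rather than documented ASA behaviour.

```python
"""Offline model of ASA LDAP attribute-map -> group-policy assignment.

Added example for the thread above; the debug text, user names and the
Faculty group DN are constructed, and the matching rules are assumptions
(case-insensitive DN compare, first matching memberOf value wins).
"""
import re
from dataclasses import dataclass

# Per-attribute lines of 'debug ldap 255', e.g.
# [-2147483630] memberOf: value = CN=AC-VPN,CN=Users,DC=abc,DC=local
ATTR_LINE = re.compile(r"^\[-?\d+\]\s+([A-Za-z0-9-]+): value = (.*)$")


def parse_debug_attributes(debug_text: str) -> dict:
    """Collect the 'Retrieved User Attributes' into {attribute: [values]}."""
    attrs: dict = {}
    for line in debug_text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def norm_dn(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN form (assumption: the map is
    typed in lower case in the config while AD returns mixed case)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    simultaneous_logins: int  # vpn-simultaneous-logins; 0 denies every login


@dataclass(frozen=True)
class TunnelGroup:
    default_group_policy: str
    member_of_map: dict  # normalized memberOf DN -> group-policy name


def resolve(attrs: dict, tg: TunnelGroup, policies: dict) -> dict:
    """Effective group-policy for a user whose LDAP bind already succeeded:
    first memberOf value with a map-value wins, else default-group-policy."""
    mapped = None
    for dn in attrs.get("memberOf", []):
        mapped = tg.member_of_map.get(norm_dn(dn))
        if mapped:
            break
    effective = mapped or tg.default_group_policy
    return {
        "group_policy": effective,
        "via_attribute_map": mapped is not None,
        "login_permitted": policies[effective].simultaneous_logins > 0,
    }


def audit(tg: TunnelGroup, policies: dict) -> list:
    """Static checks for the two ways this setup goes wrong."""
    findings = []
    if policies[tg.default_group_policy].simultaneous_logins > 0:
        findings.append(
            f"default-group-policy {tg.default_group_policy} permits logins: "
            "any authenticated domain user without a memberOf match gets in")
    for gp in sorted(set(tg.member_of_map.values())):
        if policies[gp].simultaneous_logins == 0:
            findings.append(
                f"mapped group-policy {gp} has vpn-simultaneous-logins 0: "
                "the intended group is locked out too")
    return findings


# Constructed debug excerpts in the same line format as the thread.
MEMBER_DEBUG = """\
[-2147483630] Retrieved User Attributes:
[-2147483630] sAMAccountName: value = alice.example
[-2147483630] memberOf: value = CN=Faculty,OU=Groups,DC=abc,DC=local
[-2147483630] memberOf: value = CN=AC-VPN,CN=Users,DC=abc,DC=local
"""
NONMEMBER_DEBUG = """\
[-2147483630] Retrieved User Attributes:
[-2147483630] sAMAccountName: value = bob.example
[-2147483630] memberOf: value = CN=Faculty,OU=Groups,DC=abc,DC=local
"""

AC_VPN_DN = norm_dn("cn=AC-VPN,cn=users,dc=abc,dc=local")
POLICIES = {
    "ANYCONNECT_GP": GroupPolicy("ANYCONNECT_GP", 1),
    "NO_ACCESS": GroupPolicy("NO_ACCESS", 0),
}
# Tunnel-group as originally posted: default-group-policy ANYCONNECT_GP.
ORIGINAL_TG = TunnelGroup("ANYCONNECT_GP", {AC_VPN_DN: "ANYCONNECT_GP"})
# Tunnel-group as suggested in the reply: default-group-policy NO_ACCESS.
CORRECTED_TG = TunnelGroup("NO_ACCESS", {AC_VPN_DN: "ANYCONNECT_GP"})

if __name__ == "__main__":
    for label, tg in (("original", ORIGINAL_TG), ("corrected", CORRECTED_TG)):
        print(label, "audit:", audit(tg, POLICIES))
        for who, dbg in (("member", MEMBER_DEBUG), ("non-member", NONMEMBER_DEBUG)):
            print("  ", who, resolve(parse_debug_attributes(dbg), tg, POLICIES))
```

Running it shows the non-member landing in ANYCONNECT_GP under the original tunnel-group (login permitted, not via the map) and in NO_ACCESS under the corrected one; the audit of the original tunnel-group reports the permissive default. Paste a real `debug ldap 255` capture into `parse_debug_attributes` and look for a memberOf value that normalizes to the mapped DN: if there is none, the user is going to get whatever `default-group-policy` says.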


Thanks for the reply, Rob. It's still authenticating. I think I followed your instructions. 

HOSTNAME(config-group-policy)# sh run group-po
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
 group-lock value ANYCONNECT_TG
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 dns-server value 10.104.32.11 10.104.32.16
 vpn-simultaneous-logins 0
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 25
 vpn-tunnel-protocol ssl-client
 group-lock value ANYCONNECT_TG
 gateway-fqdn value abc.vpn.XX.XX.XX
APSCN-CHTN-125WMAIN-ASA(config-group-policy)# sh run tunn
APSCN-CHTN-125WMAIN-ASA(config-group-policy)# sh run tunnel-group
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_IP_POOL
 authentication-server-group (outside) ANYCONNECT_AAA
 authorization-server-group ANYCONNECT_AAA
 default-group-policy NO_ACCESS
 authorization-required
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias Staff enable
HOSTNAME(config-group-policy)#

HOSTNAME(config-group-policy)# sh run dynamic-access-policy-rec$
dynamic-access-policy-record NO_ACCESS_pol
 user-message "You are not authorized. Contact your Admin."
 action terminate
dynamic-access-policy-record DfltAccessPolicy
HOSTNAME(config-group-policy)#


Enable debugs (debug ldap 255), run the test again and provide the output for review.

HOSTNAME(config-group-policy)# test aaa-server authorizat$
Server IP Address or name: 10.104.32.16
INFO: Attempting Authorization test to IP address (10.104.32.16) (timeout: 32 seconds)

[-2147483626] Session Start
[-2147483626] New request Session, context 0x00007f1bee03cc70, reqType = Other
[-2147483626] Fiber started
[-2147483626] Creating LDAP context with uri=ldap://10.104.32.16:389
[-2147483626] Connect to LDAP server: ldap://10.104.32.16:389, status = Successful
[-2147483626] supportedLDAPVersion: value = 3
[-2147483626] supportedLDAPVersion: value = 2
[-2147483626] Binding as abc\abcdomainuser
[-2147483626] Performing Simple authentication for abc\abcdomainuser to 10.104.32.16
[-2147483626] LDAP Search:
Base DN = [dc=abc,dc=local]
Filter = [sAMAccountName=test.vpnuser]
Scope = [SUBTREE]
[-2147483626] User DN = [CN=Test VPNUSER,OU=District,OU=Faculty,DC=abc,DC=local]
[-2147483626] Talking to Active Directory server 10.104.32.16
[-2147483626] Reading password policy for test.vpnuser, dn:CN=Test VPNUSER,OU=District,OU=Faculty,DC=abc,DC=local
[-2147483626] LDAP Search:
Base DN = [dc=csd,dc=local]
Filter = [sAMAccountName=test.vpnuser]
Scope = [SUBTREE]
[-2147483626] Retrieved User Attributes:
[-2147483626] objectClass: value = top
[-2147483626] objectClass: value = person
[-2147483626] objectClass: value = organizationalPerson
[-2147483626] objectClass: value = user
[-2147483626] cn: value = Test VPNUSER
[-2147483626] sn: value = VPNUSER
[-2147483626] givenName: value = Test
[-2147483626] distinguishedName: value = CN=Test VPNUSER,OU=District,OU=Faculty,DC=csd,DC=local
[-2147483626] instanceType: value = 4
[-2147483626] whenCreated: value = 20230317164826.0Z
[-2147483626] whenChanged: value = 20230317164827.0Z
[-2147483626] displayName: value = Test VPNUSER
[-2147483626] uSNCreated: value = 39484056
[-2147483626] uSNChanged: value = 39484056
[-2147483626] name: value = Test VPNUSER
[-2147483626] objectGUID: value = ...U..HG..*'..p.
[-2147483626] userAccountControl: value = 66048
[-2147483626] codePage: value = 0
[-2147483626] countryCode: value = 0
[-2147483626] homeDirectory: value = \\fileserver\faculty-homes$\test.vpnuser
[-2147483626] homeDrive: value = H:
[-2147483626] pwdLastSet: value = 133235453063036364
[-2147483626] primaryGroupID: value = 513
[-2147483626] objectSid: value = ............N..Q........^K..
[-2147483626] accountExpires: value = 9223372036854775807
[-2147483626] sAMAccountName: value = test.vpnuser
[-2147483626] sAMAccountType: value = 805306368
[-2147483626] userPrincipalName: value = test.vpnuser@tigersmail.org
[-2147483626] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=csd,DC=local
[-2147483626] dSCorePropagationData: value = 16010101000000.0Z
[-2147483626] Fiber exit Tx=540 bytes Rx=3989 bytes, status=1
[-2147483626] Session End
INFO: Authorization Successful
HOSTNAME(config-group-policy)#

@Teresa.A.Strickland I don't think running that aaa-server test is representative of logging in to the RAVPN; that just proves authentication works against LDAP.

Log in to the VPN using AnyConnect; if it still does not work as intended, provide the debug output.

If the user can still login please provide the output of "show vpn-sessiondb detail anyconnect filter name <USERNAME>"

Thanks, Rob. I'll definitely do that and I appreciate your help. I need one of my co-workers to debug while I attempt access. It will be next week, since everyone is gone for the week now.