Anyconnect dynamic address pool

Is it possible, using DAP, to assign a different address pool to AnyConnect users?

Currently I'm checking whether the PC has certain elements, like a process, a registry key and applications enabled.

If Yes -> Uses ACL "Allow normal access"

If Not -> Uses ACL "Restricted access"

This works, but both computers use the client address pool set under the tunnel configuration:

      tunnel-group remoteaccess general-attributes
        address-pool  remoteaccess-pool1

Is it possible to also set the address pool dynamically?

If Yes -> Uses ACL "Allow normal access" & "remoteaccess-pool1"

If Not -> Uses ACL "Restricted access" & "remoteaccess-pool2"

Thank you!

Rolando A. Valenzuela.


Rohan Padwal

Hello,

Yes, this should be possible.

1. Follow the doc below to configure basic LDAP and an attribute map:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

2. Under the group-policy, call the respective VPN pool.

Eg:

      group-policy test-gp internal
      group-policy test-gp attributes
       vpn-tunnel-protocol svc webvpn
       address-pools value test-pool

#Rohan

Thanks for that suggestion. What I'm trying to discriminate are computers, not users: whether the computer is part of the domain or not. Right now I'm doing it with DAP + RegCheck, but from DAP I cannot set a different address pool.

I will check if I can scan the computer using the LDAP attributes.

If you have any other suggestions, you are welcome to share them :)

Thanks again.

Rolando A. Valenzuela.

Hello Rolando,

Correct me if I am wrong: based on the computer (the domain it belongs to), you would like to map it to a certain group policy, which will have certain attributes such as an address pool, and that way you may differentiate one domain from another, let's say:
(Admins/Domain gets address pool of 10.10.10.0/24)
(Vendors/Domain gets address pool of 10.20.20.0/24)

Based on this I will give you my recommendations. If you want to do it based on the computer and not the user, I would recommend getting all the computers into the same users group in Active Directory, so if you have a group of users (Admin/Domain group) you may add the computers there, and with the LDAP attribute mapping you will be able to map based on membership to a certain group policy; that way all of the computers that the Admin users use will be assigned to a group policy with several attributes such as the IP local pool. If the users don't belong to any of the announced groups, they won't be able to connect whatsoever, because you will need to create a NO-ACCESS group policy which will be used for the users that should not connect. You may find further information here:

- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Another way will be filtering the PCs based on the MAC address OUI. This function uses a regular expression in order to match the organizationally unique identifier (OUI); it will allow the PCs to connect if they match the OUI defined in the regular expression. With a LUA regular expression this is possible; you may find this regular expression, for example:

      assert(function ()
          -- OUI prefix to match. In a Lua pattern a literal dot is written "%."
          -- (the MAC table keys use the dotted form, e.g. "d067.e5xx.xxxx");
          -- "\." is not a valid Lua escape and a trailing "*" would match too much.
          local pattern = "^d067%.e5"
          local true_on_match = true

          local match = false
          -- endpoint.device.MAC is a table keyed by the endpoint's MAC addresses
          for k, v in pairs(endpoint.device.MAC) do
              print(k) -- debug: shows each MAC examined in the DAP debug output
              match = string.find(k, pattern)
              if match then
                  if true_on_match then
                      return true
                  else
                      return false
                  end
              end
          end
          -- no MAC matched the OUI
          return false
      end)()

So if the PCs are HP or Dell, you may use the OUI part of the MAC address and define it over there, and allow the user to connect; the user can then be mapped with the LDAP attribute mapping to a group policy and they will be able to connect with a different IP address. (DAP cannot assign an IP address.) It is a Dynamic Access Policy which works along with the HostScan Posture Module in order to do pre-assessment, and as it says, Posture Module,

NOTE: The DAP itself gives you the option to filter by individual MAC address, so you don't need to do it by OUI. This is common for big companies that have a big amount of users, so they prefer doing it by OUI, which is easier, but you may define the individual MAC addresses.

Another way will be to use another regular expression so the DAP can examine the first 3 letters (case insensitive) of the PC and then allow it to connect if it matches the regular expression; if it does not, the connection will be terminated. You may find the regular expression here:

      assert(function ()
          local match_pattern = "^[Mm][Ss][Vv]"        -- those are the 3 first letters
          local match_value = endpoint.device.hostname -- specifying hostname
          if type(match_value) == "string" then
              if string.find(match_value, match_pattern) ~= nil then
                  return true
              end
          elseif type(match_value) == "table" then
              -- hostname reported as a table of values: check each one
              for k, v in pairs(match_value) do
                  if string.find(v, match_pattern) ~= nil then
                      return true
                  end
              end
          end
          return false
      end)()

Further LUA regular expressions:

- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html

For this to work you need the AnyConnect Premium License (so yes, you can use the two default ones that come with the ASA).

Also, you need to have the CSD or HostScan image in the ASA and enabled, so you can get that kind of information from the computers that connect with AnyConnect.

You can use the AnyConnect image as the HostScan image (remember to enable Endpoint Attributes through ASDM in the CSD section, otherwise this is not going to work).

The previously mentioned are good options for you to explore, but they're not going to be very scalable (depending on how many users), so I recommend that a registry key check with "Domain Name" or a file check would work best, but it's your CU's call whether he still wants a MAC check or not.

Please don't forget to rate and mark this post as correct if it helped; keep me posted!

Regards,

David Castro,
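A worked ASA configuration that ties together Rohan's suggestion (address pool set on the group-policy) and David's (LDAP memberOf mapping to group policies, with a NO-ACCESS default), as an added example and not configuration from the original thread. The AD server address, DNs, group names, policy and pool names are assumed placeholders; only the tunnel-group "remoteaccess" and "remoteaccess-pool1" come from the question.

```cisco
! Two pools, one per AD group (placeholder ranges, matching David's example subnets)
ip local pool POOL-ADMINS  10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool POOL-VENDORS 10.20.20.1-10.20.20.254 mask 255.255.255.0

! Group policies: the pool set here overrides the address-pool on the tunnel-group
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ADMINS
group-policy GP-VENDORS internal
group-policy GP-VENDORS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-VENDORS

! Default for anyone not in a mapped group: zero simultaneous logins = no access
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Map the memberOf attribute to the ASA Group-Policy attribute
! (group DNs below are assumed placeholders; use the exact DN from your AD)
ldap attribute-map AD-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com"  GP-ADMINS
 map-value memberOf "CN=VPN-Vendors,OU=Groups,DC=example,DC=com" GP-VENDORS

! LDAP server definition (192.0.2.10 and the bind DN are assumed placeholders)
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! Connection profile from the question: authenticate against AD and fall back to NOACCESS
tunnel-group remoteaccess general-attributes
 address-pool remoteaccess-pool1
 authentication-server-group AD
 default-group-policy NOACCESS
```

A user (or, per David's recommendation, a computer account placed in the AD group) that matches a map-value lands in that group policy and receives its pool; anyone else gets NOACCESS and is refused at login.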

Amazing! It won't be easy, but I will give it a try.

Thanks!

Certainly, but it will get you the results you are looking for. If you have questions down the road, let me know!

Regards,

David Castro,