We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use DUO for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.
We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with AnyConnect after some trial and error; pretty slick.
However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."
Has anyone else run into this situation? Any suggestions?
We switched the LDAP AAA attribute mapping to use LDAP authorization instead of authentication.
Works perfectly now, and no more confusing AnyConnect MFA interface.
We basically followed this document:
The key for us was to set the AAA server for the SAML profile to use authorization instead of authentication:
! LDAP server group, used for authorization only (SAML handles authentication)
aaa-server LDAP_SECURE protocol ldap
aaa-server LDAP_SECURE (inside) host x.x.x.x
 ldap-attribute-map Test-Group-Assignment
! attribute map: LDAP attribute "VPNGroup" -> ASA Group-Policy (last token must be an existing group-policy name)
ldap attribute-map Test-Group-Assignment
 map-name VPNGroup Group-Policy
 map-value VPNGroup TEST Test-Group-Assignment
! tunnel-group: reference the LDAP group as the authorization server, not the authentication server
tunnel-group SAML general-attributes
 authorization-server-group LDAP_SECURE
Sorry, accidentally posted before adding the link to the document:
Note that even though the documentation says 'clientless' it does indeed work with AnyConnect clients.
The other key thing I would point out is that if you change any part of the SAML Identity provider configuration you need to remove the SAML config from the Profile configuration and re-apply it. This is a bug.
You also need to be at ASA version 188.8.131.52 (or later)
Let me know if you have any other questions.
This document; please see my follow-up post as well:
I'm trying to set this up in my environment, but I am more familiar with ASDM than the CLI. I'm wondering if you might be able to provide some additional instructions to set this up in the ASDM?
I have the SAML authentication working (with Duo MFA), however when I try to add any of the LDAP attribute maps to map an AD group to an ASA group policy it doesn't appear to do anything, since I always get the group policy assigned to the AnyConnect profile I'm using.
Thanks for any help you can provide!
Were the LDAP attribute maps working previously? Eg. before you set up the SAML authentication? Or is this a new configuration?
And you have configured the LDAP attribute map in the profile as AAA authorization, yes?
It would be very helpful for you to login to the ASA command line and do AAA debugging; that will show you what values are being returned from the AD server; your issue could be there as well.
debug aaa authorization
After looking at other configuration tutorials I found that I might need to set up a "no access" group policy and configure it as the default policy for my tunnel group profile. However, I tried this and it still didn't work. I'm curious if you needed to configure a "no access" default policy for the SAML profile?
The following is my sanitized configuration and some debugs if it helps. I’m wondering if the issue might be that ADFS is sending my username back as email@example.com instead of just username?
Campus-ASA# sh run aaa-server UNW-AD
aaa-server UNW-AD protocol ldap
aaa-server UNW-AD (Inside) host 10.10.10.10
Campus-ASA# sh run ldap attribute-map UNWMFA-VPNAcess
 map-name memberOf Group-Policy
 map-value memberOf cn=VPNAccess,ou=groups,dc=emp,dc=company,dc=com NWCVPN
Campus-ASA# sh run group-policy NWCVPN
group-policy NWCVPN internal
group-policy NWCVPN attributes
 dns-server value 10.10.10.11 10.10.10.12
 vpn-filter value VPN-in
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
 split-tunnel-network-list value VPN-in
 default-domain value emp.company.com
 address-pools value VPN-DHCP
Campus-ASA# sh run tunnel-group UNWMFA
tunnel-group UNWMFA type remote-access
tunnel-group UNWMFA general-attributes
tunnel-group UNWMFA webvpn-attributes
 group-alias UNWMFA enable
 group-url https://vpn.company.com/saml enable
 saml identity-provider http://adfs.company.com/adfs/services/trust
Campus-ASA# show run group-policy NoAccess
group-policy NoAccess internal
group-policy NoAccess attributes
 dns-server value 10.10.10.11
Campus-ASA# debug dap trace 255
Campus-ASA# debug webvpn saml 255
Campus-ASA# debug aaa authorization
Campus-ASA# Nov 12 10:52:40
https://adfs.company.com/adfs/ls/?SAMLRequest=fVFda4M********************3D%3D
[SAML] saml_is_idp_internal: getting SAML config for tg UNWMFA
SAML AUTH: SAML hash table cleanup periodic task
Nov 12 10:53:09 [SAML] NotBefore:2019-11-12T16:53:09.277Z NotOnOrAfter:2019-11-12T17:53:09.277Z timeout: 300
Nov 12 10:53:09 [SAML] consume_assertion: <Session xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2"><Assertion RemoteProviderID="http://***********/adfs/services/trust"><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_************-9f17-082d486c6e08" IssueInstant="2019-11-12T16:53:09.277Z" Version="2.0"><Issuer>http:// adfs.company.com /adfs/services/trust</Issuer><ds:Signature xmlns:ds="***************:SAML:1.1:nameid-format:unspecified">firstname.lastname@example.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6B27A7A**********B4E" NotOnOrAfter="2019-11-12T16:58:09.277Z" Recipient="https://vpn.company.com/+CSCOE+/saml/sp/acs?tgname=UNWMFA"/></SubjectConfirmation></Subject><Conditions NotBefore="2019-11-12T16:53:09.277Z" NotOnOrAfter="2019-11-12T17:53:09.277Z"><AudienceRestriction><Audience>https://vpn.company.com/saml/sp/metadata/UNWMFA</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>email@example.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>firstname.lastname@example.org</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2019-11-12T16:53:00.877Z" SessionIndex="_**************-9f17-082d486c6e08"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Assertion><NidAndSessionIndex ProviderID="http://adfs.company.com/adfs/services/trust" AssertionID="_******************" SessionIndex="_*****************">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unNov 12 10:53:09
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
Start timer for verifying token 7********************
Username "email@example.com" added to list with token 7**************
saml_auth_is_valid_token: SAML ac token being looked 7*************
saml_ac_v2_process_auth_request: SAML ac token being looked 7************
SAML AUTH: authentication success
 Session Start
 New request Session, context 0x00007****0, reqType = Other
 Fiber started
 Creating LDAP context with uri=ldaps://10.10.10.10:****
 Connect to LDAP server: ldaps://10.10.10.10:****, status = Successful
 supportedLDAPVersion: value = 3
 supportedLDAPVersion: value = 2
 Binding as firstname.lastname@example.org
 Performing Simple authentication for email@example.com to 10.10.10.10
 LDAP Search:
Base DN = [dc=emp,dc=company,dc=com]
Filter = [sAMAccountNamefirstname.lastname@example.org]
Scope = [SUBTREE]
 Search result parsing returned failure status
 Fiber exit Tx=269 bytes Rx=680 bytes, status=-1
 Session End
SAML AUTH: SAML hash table cleanup periodic task
Any traction on this?
We'd like to implement SAML with DUO for Anyconnect clients but are running into the same issue with missing the authorization piece.
Did you run any debugs on the ASA? That will show you exactly what the authorization server is returning, and may point you in the right direction.
I found this command to be helpful:
debug webvpn saml
This is the correct debug command even if you are using AnyConnect.
I don't know if you were able to resolve your issue but I was seeing the same thing with the username being email@example.com instead of just username.
The way I fixed this issue was setting the Naming Attribute value on the LDAP server to userPrincipalName.
Hope this helps.
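Pulling the pieces of this thread together in one place (LDAP referenced as the authorization server rather than the authentication server, a naming attribute of userPrincipalName so the UPN-style NameID the IdP returns matches the LDAP search filter, and a catch-all default group-policy), here is an added configuration example. It is not any poster's running config: the IdP URL, host names, server-group, attribute-map and group-policy names are reused from the thread for readability, while the trustpoint names, bind account and sign-in/sign-out URLs are placeholders you would replace with your own.

```cisco
! --- LDAP server group used for AUTHORIZATION only; SAML performs authentication ---
aaa-server UNW-AD protocol ldap
aaa-server UNW-AD (Inside) host 10.10.10.10
 ldap-base-dn dc=emp,dc=company,dc=com
 ldap-scope subtree
 ! The ASA searches for the username it received from the IdP. The assertion in this
 ! thread carries a UPN (user@domain), so search on userPrincipalName, not sAMAccountName.
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=emp,DC=company,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map UNWMFA-VPNAccess
!
! --- attribute map: direct AD group membership -> ASA group-policy name ---
! Copy the memberOf value exactly as it appears in "debug ldap 255" output.
ldap attribute-map UNWMFA-VPNAccess
 map-name memberOf Group-Policy
 map-value memberOf CN=VPNAccess,OU=groups,DC=emp,DC=company,DC=com NWCVPN
!
! --- catch-all policy: a user who matches no map-value gets zero sessions ---
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! --- SAML identity provider (placeholder trustpoints and endpoint URLs) ---
webvpn
 saml idp http://adfs.company.com/adfs/services/trust
  url sign-in https://adfs.company.com/adfs/ls/
  url sign-out https://adfs.company.com/adfs/ls/?wa=wsignout1.0
  base-url https://vpn.company.com
  trustpoint idp ADFS-SIGNING-CERT
  trustpoint sp ASA-SAML-SP
  no signature
  force re-authentication
!
! --- tunnel-group: SAML authenticates, LDAP authorizes, NoAccess is the fallback ---
tunnel-group UNWMFA type remote-access
tunnel-group UNWMFA general-attributes
 authorization-server-group UNW-AD
 authorization-required
 default-group-policy NoAccess
tunnel-group UNWMFA webvpn-attributes
 authentication saml
 saml identity-provider http://adfs.company.com/adfs/services/trust
 group-alias UNWMFA enable
 group-url https://vpn.company.com/saml enable
```

Two checks worth running after applying something like this: `debug ldap 255` together with `debug aaa authorization` shows the exact search filter the ASA builds and every memberOf value the directory returns, so a mismatch between the NameID format and the naming attribute (the sAMAccountName=UPN filter in the debug above) or a DN that differs from the map-value is visible immediately. Only direct group membership appears in memberOf, so nested groups will not match a map-value. Also keep the ASA clock NTP-synchronised: the assertion's NotBefore/NotOnOrAfter window is enforced, and a skewed clock fails validation before authorization is ever attempted.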
Hi @lynne.meeks ,
May I ask if you did anything special to get the above to work? As I understand you are using SAML for authentication, and then have configured LDAP as authorization on the tunnel-group.
I am trying the same, and I see that all LDAP attributes are returned; however, it's like my LDAP attribute map is not kicking in, and the user is not assigned the correct group policy.
LDAP attribute maps look like this:
ldap attribute-map TEST-group-assign
map-name memberof Group-Policy
map-value memberof CN=VPN_SSL_Base,OU=VPN,OU=Groups,DC=fqdn,DC=local GPO-AAD-TEST2
Hence, the above should make sure that if a user is a member of the group "VPN_SSL_Base" he is mapped to group-policy "GPO-AAD-TEST2", but I cannot get it to work.