cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
34155
Views
20
Helpful
29
Replies

AnyConnect, SAML and attribute mapping; is this possible?

lynne.meeks
Level 1
Level 1

We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA.   We also use DUO for MFA in AnyConnect connections.  This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.

 

We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with Anyconnect after some trial and error; pretty slick.

 

However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA.    The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."

 

Has anyone else run into this situation? Any suggestions?

 

thanks.

29 Replies 29

lynne.meeks
Level 1
Level 1

Solved.

We switched the LDAP AAA attribute mapping to use LDAP authorization instead of authentication. 

Works perfectly now, and no more confusing AnyConnect MFA interface.

 

Lynne

Any chance I could get some more information on how you are doing this?

Sure!

 

We basically followed this document:

 

The key for us was to set the AAA server for the SAML profile to use authorization i/of authentication:

    tunnel-group SAML general-attributes
authorization-server-group LDAP_SECURE

 

 

aaa-server LDAP_SECURE (inside) host x.x.x.x
...
ldap-attribute-map Test-Group-Assignment

ldap attribute-map Test-Group-Assignment
map-name VPNGroup Group-Policy
map-value  TEST Test-Group-Assignment

Sorry, accidentally posted before adding the link to the document:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-users.html

 

Note that even though the documentation says 'clientless' it does indeed work with AnyConnect clients.

 

The other key thing I would point out is that if you change any part of the SAML Identity provider configuration you need to remove the SAML config from the Profile configuration and re-apply it.  This is a bug.

 

You also need to be at ASA version 9.7.1.24 (or later)

 

Let me know know if you have any other questions.

 

Lynne

 

Thanks!  Which document were you referring to?

Hi Lynne, 

I'm trying to set this up in my environment, but I am more familiar with ASDM than the CLI. I'm wondering if you might be able to provide some additional instructions to set this up in the ASDM? 

 

I have the SAML authentication working (with Duo MFA), however when I try to add any of the LDAP attribute maps to map an AD group to an ASA group policy it doesn't appear to do anything since I always get the group policy assigned to the Anyconnect profile I'm using. 

 

Thanks for any help you can provide! 

Jordan,

 

Were the LDAP attribute maps working previously? Eg. before you set up the SAML authentication?  Or is this a new configuration?

 

And you have configured the LDAP attribute map in the profile as AAA authorization, yes?

 

It would be very helpful for you to login to the ASA command line and do AAA debugging; that will show you what values are being returned from the AD server; your issue could be there as well.

 

Debug aaa authorization

 

Lynne

 

The LDAP attribute maps were working previously (and still are working) on another profile LDAP for authentication along with DAP to restrict users' access to specific profiles.



I tried running the aaa authorization debug but it did not return any information which makes me wonder if I have it configured correctly to do any authorization. In the ASDM I can't find the option to apply the LDAP attribute map to a specific profile but it is showing up in the authorization section for the SAML profile. My new SAML profile is using a previously existing group policy.



Any other thoughts? I'll do some more research into how the LDAP maps work as well.


Hi Lynne,

After looking at other configuration tutorials I found that I might need to set up a "no access" group policy and configure it as the default policy for my tunnel group profile. However, I tried this and it still didn't work. I'm curious if you needed to configure a "no access" default policy for the SAML profile?

 

The following is my sanitized configuration and some debugs if it helps. I’m wondering if the issue might be that ADFS is sending my username back as username@company.com instead of just username?

 

Thanks!

Jordan

 

Campus-ASA# sh run aaa-server UNW-AD

aaa-server UNW-AD protocol ldap

reactivation-mode timed

max-failed-attempts 5

aaa-server UNW-AD (Inside) host 10.10.10.10

timeout 30

server-port ****

ldap-base-dn dc=emp,dc=company,dc=com

ldap-group-base-dn dc=emp,dc=company,dc=com/groups

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn ldapuser@company.com

ldap-over-ssl enable

server-type microsoft

ldap-attribute-map UNWMFA-VPNAcess

Campus-ASA#

!

Campus-ASA# sh run ldap attribute-map UNWMFA-VPNAcess

map-name  memberOf Group-Policy

map-value memberOf cn=VPNAccess,ou=groups,dc=emp,dc=company,dc=com NWCVPN

Campus-ASA#

!

Campus-ASA# sh run group-policy NWCVPN

group-policy NWCVPN internal

group-policy NWCVPN attributes

dns-server value 10.10.10.11 10.10.10.12

vpn-simultaneous-logins 3

vpn-filter value VPN-in

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-in

default-domain value emp.company.com

vlan none

address-pools value VPN-DHCP

Campus-ASA#

!

Campus-ASA# sh run tunnel-group UNWMFA

tunnel-group UNWMFA type remote-access

tunnel-group UNWMFA general-attributes

address-pool VPN-DHCP

authorization-server-group UNW-AD

default-group-policy NoAccess

tunnel-group UNWMFA webvpn-attributes

authentication saml

group-alias UNWMFA enable

group-url https://vpn.company.com/saml enable

without-csd

saml identity-provider http://adfs.company.com/adfs/services/trust

Campus-ASA#

!

Campus-ASA# show run group-policy NoAccess

group-policy NoAccess internal

group-policy NoAccess attributes

dns-server value 10.10.10.11

vpn-simultaneous-logins 0

vpn-tunnel-protocol ssl-client

Campus-ASA#

!

 

Campus-ASA# debug dap trace 255

Campus-ASA# debug webvpn saml 255

Campus-ASA# debug aaa authorization

Campus-ASA#

Campus-ASA# Nov 12 10:52:40

[SAML] build_authnrequest:

https:// adfs.company.com /adfs/ls/?SAMLRequest=fVFda4M********************3D%3D

[SAML] saml_is_idp_internal: getting SAML config for tg UNWMFA

SAML AUTH: SAML hash table cleanup periodic task

Nov 12 10:53:09

[SAML] consume_assertion:

PHNh***********

 12 10:53:09 [SAML] NotBefore:2019-11-12T16:53:09.277Z NotOnOrAfter:2019-11-12T17:53:09.277Z timeout: 300

Nov 12 10:53:09 [SAML] consume_assertion: <Session xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2"><Assertion RemoteProviderID="http://***********/adfs/services/trust"><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_************-9f17-082d486c6e08" IssueInstant="2019-11-12T16:53:09.277Z" Version="2.0"><Issuer>http:// adfs.company.com /adfs/services/trust</Issuer><ds:Signature xmlns:ds="***************:SAML:1.1:nameid-format:unspecified">username@company.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6B27A7A**********B4E" NotOnOrAfter="2019-11-12T16:58:09.277Z" Recipient="https://vpn.company.com/+CSCOE+/saml/sp/acs?tgname=UNWMFA"/></SubjectConfirmation></Subject><Conditions NotBefore="2019-11-12T16:53:09.277Z" NotOnOrAfter="2019-11-12T17:53:09.277Z"><AudienceRestriction><Audience>https://vpn.company.com/saml/sp/metadata/UNWMFA</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>username@company.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>username@company.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2019-11-12T16:53:00.877Z" SessionIndex="_**************-9f17-082d486c6e08"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Assertion><NidAndSessionIndex ProviderID="http://adfs.company.com/adfs/services/trust" AssertionID="_******************" SessionIndex="_*****************">

<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unNov 12 10:53:09

[SAML] consume_assertion:

http://adfs.company.com/adfs/services/trust username@company.com

[saml] webvpn_login_primary_username: SAML assertion validation succeeded

Start timer for verifying token 7********************

Username "username@company.com" added to list with token 7**************

saml_auth_is_valid_token: SAML ac token being looked 7*************

saml_ac_v2_process_auth_request: SAML ac token being looked 7************

SAML AUTH: authentication success

 

[6974] Session Start

[6974] New request Session, context 0x00007****0, reqType = Other

[6974] Fiber started

[6974] Creating LDAP context with uri=ldaps://10.10.10.10:****

[6974] Connect to LDAP server: ldaps://10.10.10.10:****, status = Successful

[6974] supportedLDAPVersion: value = 3

[6974] supportedLDAPVersion: value = 2

[6974] Binding as ldapuser@emp.company.com

[6974] Performing Simple authentication for ldapuser@company.com to 10.10.10.10

[6974] LDAP Search:

        Base DN = [dc=emp,dc=company,dc=com]

        Filter  = [sAMAccountName=username@company.com]

        Scope   = [SUBTREE]

[6974] Search result parsing returned failure status

[6974] Fiber exit Tx=269 bytes Rx=680 bytes, status=-1

[6974] Session End

SAML AUTH: SAML hash table cleanup periodic task

 

Campus-ASA#

 

 

Any traction on this?

We'd like to implement SAML with DUO for Anyconnect clients but are running into the same issue with missing the authorization piece. 

Did you run any debugs on the ASA? That will show you exactly what the authorization server is returning, and may point you in the right direction.

 

I found this command to be helpful:

 

      debug webvpn saml

 

This is the correct debug command even if you are using AnyConnect.

 

Lynne

 

Lynne

 

 

 

 

Jordan,

 

I don't know if you were able to resolve your issue but I was seeing the same thing with the username being username@company.com instead of just username.

 

The way I fixed this issue was setting the Naming Attribute value in your LDAP server to userPrincipalName

 

Hope this helps.

Hi @lynne.meeks ,

 

May I ask if you did anything special to get the above to work? As I understand you are using SAML for authentication, and then have configured LDAP as authorization on the tunnel-group.

 

I am trying the same, and I see that all LDAP attributes are returned, however its like my LDAP attribute map is not kicking in - user is not assinged correct group policy.

 

LDAP attribute maps look like this:

 

ldap attribute-map TEST-group-assign
map-name memberof Group-Policy
map-value memberof CN=VPN_SSL_Base,OU=VPN,OU=Groups,DC=fqdn,DC=local GPO-AAD-TEST2

 

hence the above should make sure that if user is member of group "VPN_SSL_Base" he is mapped to group-policy "GPO-AAD-TEST2" - but I cannot get it to work.

 

 

/Rasmus