AnyConnect VPN ASA LDAP configuration

robert.d.gandy
Level 1

Hi Guys,

Need some help with getting the ASA to authenticate against AD groups properly. I have got the thing set up and working, talking to AD via LDAP.

I have been playing around with attribute-maps and this is where I am having an issue. The thing I can't seem to get working is only allowing members of the specific group to authenticate. Anyone in AD is able to authenticate. I have read through most of the support forum questions on this topic and they have helped in my efforts. Hopefully someone out there will be able to take a look at my specific issue and give me some advice.

Here's the config and a copy of debug ldap 255:

ldap attribute-map TestPolicy
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN,OU=CorpXXX,DC=XXXXX,DC=com AnyConnect_Test_GP
dynamic-access-policy-record DfltAccessPolicy
aaa-server AnyConnect_AAA protocol kerberos
aaa-server AnyConnect_LDAP protocol ldap
aaa-server AnyConnect_LDAP (inside) host 172.X.X.X
 ldap-base-dn dc=XXXXX, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn ciscovpn@XXXX.com
 server-type microsoft
 ldap-attribute-map TestPolicy
webvpn
 enable Outside
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value DefaultWEBVPNGroup
group-policy AnyConnect_Test_GP internal
group-policy AnyConnect_Test_GP attributes
 dns-server value 172.X.X.X
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn
 group-lock value AnyConnect_Test_CP
 address-pools value AnyConnect_Test
 webvpn
  svc keep-installer installed
tunnel-group AnyConnect_Test_CP type remote-access
tunnel-group AnyConnect_Test_CP general-attributes
 address-pool AnyConnect_Test
 authentication-server-group AnyConnect_LDAP
 default-group-policy AnyConnect_Test_GP
tunnel-group AnyConnect_Test_CP webvpn-attributes
 group-alias ANYCONNECTTEST enable

Debug summary:
[23732] Session Start
[23732] New request Session, context 0xb00ff9b0, reqType = 1
[23732] Fiber started
[23732] Creating LDAP context with uri=ldap://172.x.x.x:389
[23732] Connect to LDAP server: ldap://172.x.x.x:389, status = Successful
[23732] supportedLDAPVersion: value = 3
[23732] supportedLDAPVersion: value = 2
[23732] Binding as administrator
[23732] Performing Simple authentication for ciscovpn@xxxxxx.com to 172.x.x.x
[23732] LDAP Search:
Base DN = [dc=cxxxxx, dc=com]
Filter  = [sAMAccountName=userid]
Scope   = [SUBTREE]
[23732] User DN = [CN=....................,DC=xxxxxx,DC=com]
[23732] Talking to Active Directory server 172.x.x.x.
[23732] Reading password policy for userid, dn:CN=.................,DC=xxxxx,DC=com
[23732] Read bad password count 0
[23732] Binding as user
[23732] Performing Simple authentication for userid to 172.x.x.x
[23732] Processing LDAP response for user userid
[23732] Authentication successful for userid to 172.x.x.x
[23732] Retrieved User Attributes:
[23732] objectClass: value = top
[23732] objectClass: value = person
[23732] objectClass: value = organizationalPerson
[23732] objectClass: value = user
x
x
x
[23732] memberOf: value = CN=VPN,OU=Corpxxx,DC=xxxxxx,DC=com
[23732] mapped to IETF-Radius-Class: value = AnyConnect_Test_GP
x
x
[23732] Session End
Thanks in advance for any suggestions/guidance.

5 Replies

andamani
Cisco Employee

Hi,

The LDAP attribute map created will just bind the group-policy to the user.

If you want to restrict access you need to configure DAP.

The following link gives the details of DAP.

http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

ashirazi
Level 1

Hi,

I was able to use DAP to implement AD group based policy. I've documented my work in my blog:

http://ccie2012.blogspot.com/2011/06/use-ldap-authentication-to-assign-group.html

Regards,

@mir

@mir,

Glad to hear you were able to get the DAP working! Just one comment: in this case you don't actually need the LDAP attribute map (unless I'm missing something?).

I guess you're actually mixing up 2 possible solutions. Instead of using DAP, you could use an LDAP attribute map to map group X to a working group-policy, and then in the tunnel group set a group-policy that denies access as the default (e.g. a group-policy that sets vpn-simultaneous-logins to 0).

This is explained in more detail in

(which also shows that you can use any other LDAP attribute, not just memberOf)

good luck with the CCIE!

Herbert

PS (cf. your blog post): you can also configure the LDAP attribute map in ASDM: Configuration - Remote Access VPN - AAA/Local users - LDAP attribute map.

As Herbert stated, you actually have performed the same function twice. 

So to clarify for readers even further:

******* Option 1 *******

Create an LDAP Attribute map that maps to an existing and working Group Policy, and that is referenced by an AAA Server Group that uses LDAP (additional configuration needed there).

NOTE: With ASA Version 8.3x and above (and its appropriate version of the associated ASDM), the IETF-RADIUS-CLASS is no longer available within the ASDM. This may be why the OP said to use the CLI. You will notice Cisco has changed the Cisco Attribute Name to now read "Group-Policy". In the drop-down in ASDM, the new Cisco Attribute name will read:

Group-Policy (replaces IETF-Radius-Class)

******* Option 2 *******

Use a DAP (Dynamic Access Policy) to regulate access to specific LDAP Groups. The DAP is tied to a specific Connection Profile. You do not need to create an LDAP Attribute map if you are doing it this way.

Both ways are okay, and really a matter of preference. At the end of the day, do whatever you are more comfortable with.

Please note, Herbert stated most of this above; I'm simply expounding on what he said to offer some clarification, as a few things have changed with newer releases of the ASA IOS.
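To make Option 1 concrete, here is an added example (not from the original thread or from Cisco) that models how the ASA picks a group-policy from an LDAP attribute map: a matching map-value selects the mapped policy, anything else lands in the tunnel-group's default-group-policy, and vpn-simultaneous-logins 0 on that policy is what turns "unmatched" into "denied". The two config strings are constructed from the commands shown in the thread; NoAccess_GP is an assumed name for the deny-by-default policy, the parser covers only the handful of commands that matter here, and the fallback for a mapped name that is not a configured policy, plus the default login limit of 3, are stated assumptions about ASA behaviour rather than anything the thread confirms.

```python
"""Simulated ASA group-policy selection from an LDAP attribute map (added example)."""
import re

# Constructed: the decision-relevant lines of the original poster's config.
# The tunnel-group default is the permissive policy, so an unmatched user gets it.
ORIGINAL_CONFIG = """
ldap attribute-map TestPolicy
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN,OU=CorpXXX,DC=XXXXX,DC=com AnyConnect_Test_GP
group-policy AnyConnect_Test_GP attributes
  vpn-simultaneous-logins 3
tunnel-group AnyConnect_Test_CP general-attributes
  default-group-policy AnyConnect_Test_GP
"""

# Constructed: the same config with an assumed deny-by-default policy (NoAccess_GP)
# as the tunnel-group default, which is what the replies recommend for Option 1.
FIXED_CONFIG = """
ldap attribute-map TestPolicy
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN,OU=CorpXXX,DC=XXXXX,DC=com AnyConnect_Test_GP
group-policy NoAccess_GP internal
group-policy NoAccess_GP attributes
  vpn-simultaneous-logins 0
group-policy AnyConnect_Test_GP attributes
  vpn-simultaneous-logins 3
tunnel-group AnyConnect_Test_CP general-attributes
  default-group-policy NoAccess_GP
"""

# Constructed excerpt in the format of 'debug ldap 255' output.
SAMPLE_DEBUG = """\
[23732] Retrieved User Attributes:
[23732] objectClass: value = user
[23732] memberOf: value = CN=VPN,OU=CorpXXX,DC=XXXXX,DC=com
[23732] mapped to IETF-Radius-Class: value = AnyConnect_Test_GP
"""

GROUP_POLICY_ATTRS = ("IETF-Radius-Class", "Group-Policy")  # old and new Cisco names
DEFAULT_LOGIN_LIMIT = 3  # assumed ASA default for vpn-simultaneous-logins when unset


def parse_config(text):
    """Extract map-names, map-values, per-policy login limits and the tunnel-group default."""
    map_names, map_values, login_limits = {}, {}, {}
    default_gp, current_gp = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"map-name\s+(\S+)\s+(\S+)$", line)
        if m:
            map_names[m.group(1)] = m.group(2)
            continue
        # DNs containing spaces would need quoting on the ASA; not handled here.
        m = re.match(r"map-value\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m:
            map_values[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = re.match(r"group-policy\s+(\S+)\s+(internal|attributes)$", line)
        if m:
            current_gp = m.group(1)
            login_limits.setdefault(current_gp, DEFAULT_LOGIN_LIMIT)
            continue
        m = re.match(r"vpn-simultaneous-logins\s+(\d+)$", line)
        if m and current_gp:
            login_limits[current_gp] = int(m.group(1))
            continue
        m = re.match(r"default-group-policy\s+(\S+)$", line)
        if m:
            default_gp = m.group(1)
    return map_names, map_values, login_limits, default_gp


def attrs_from_debug(debug_text):
    """Collect '<name>: value = <x>' lines from debug ldap 255 output into a dict of lists."""
    attrs = {}
    for m in re.finditer(r"^\[\d+\]\s+(\w+): value = (.+)$", debug_text, re.M):
        attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def select_group_policy(config_text, user_attrs):
    """Return (group_policy_name, allowed) for a user with the given LDAP attributes."""
    map_names, map_values, login_limits, default_gp = parse_config(config_text)
    chosen = None
    for attr, values in user_attrs.items():
        if map_names.get(attr) not in GROUP_POLICY_ATTRS:
            continue  # attribute is not mapped to the group-policy selector
        for value in values:  # exact string match against each map-value entry
            if (attr, value) in map_values:
                chosen = map_values[(attr, value)]
                break
        if chosen:
            break
    # Assumption: a mapped name that is not a configured group-policy falls back to the default.
    if chosen not in login_limits:
        chosen = default_gp
    allowed = login_limits.get(chosen, DEFAULT_LOGIN_LIMIT) > 0
    return chosen, allowed


if __name__ == "__main__":
    member = attrs_from_debug(SAMPLE_DEBUG)  # the user from the constructed debug excerpt
    non_member = {"memberOf": ["CN=Staff,OU=CorpXXX,DC=XXXXX,DC=com"]}  # constructed
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for who, attrs in (("member", member), ("non-member", non_member)):
            print(label, who, select_group_policy(cfg, attrs))
```

Run as-is, the original config admits the non-member with AnyConnect_Test_GP, which is exactly the symptom in the opening post: the map is working (the debug shows the mapped value), but nothing in the tunnel-group makes a non-match fail. The fixed config sends that same user to NoAccess_GP with zero logins while the group member is unaffected.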

What needs to be done to allow UPN and sAMAccountName login to VPN? We are using DAP as well.

We want the ability to use both depending on the device they are logging in to the VPN from.

JJ