Anyconnect VPN: how to block LDAP user in ASA

hashimwajid1
Level 3

Hi,

We integrated LDAP with the ASA to authenticate AnyConnect users, but we do not want all users in the AD group to be authenticated.

Is there any way to restrict or block a user in the AD group or on the ASA?

ASA version 9.6

Thanks

1 Accepted Solution

Create a group in AD called "blocked users", assign it to users which
shouldn't access the network over AnyConnect, and create a DAP rule with a deny any
any ACL to block users which are members of this group. Another way is to
use an ldap attribute-map to match users within this group and assign a group
policy which blocks them.

5 Replies


Hi Mohammad,

In AD there is already a user group (OU); all users are in this OU. We want some users of this OU not to be able to use AnyConnect.

We don't want to create a separate group. Is there any way to block a user within the same OU?

 

 

AD groups are different from OUs. Users can be in the same OU but members of
different groups.

If you assign groups to users and follow my scenario, it should work.

Hi Mohammed,

I am able to block users by using DAC.

Thanks for your suggestion.

One query:

I have two VPN group profiles in the ASA with different privileges. Whenever a user tries to connect with the AnyConnect client, the user has to select between these two login profiles.

Is there any way that the user does not have to select a login profile and just enters his credentials, and is then automatically mapped to the desired VPN group in the ASA?

Thanks

Create one default group-policy assigned to your tunnel-group. Then create
an ldap attribute-map, since you are authenticating with AD. Now, map the memberOf
attribute to group-policy in the ldap attribute-map. For example, DomainAdmins
maps to GroupPolicy01 and DomainUsers maps to GroupPolicy02. Both group
policies should be pre-created in the ASA. Your tunnel-group should point to AD
for authentication, which I believe is already the case.

Once AD authentication is successful, the new group-policy will be selected
based on memberOf and will override the default group-policy. This way users
aren't required to select a tunnel-group from the drop-down. Instead they will be
assigned attributes automatically based on their groups.
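The two answers above (the attribute-map way of blocking a group, and the memberOf-to-group-policy mapping that removes the profile drop-down) fit into one ASA configuration. The fragment below is an added example written for this thread, not configuration posted by either participant. GroupPolicy01 and GroupPolicy02 are the names used in the reply; the NOACCESS policy, the AD-GROUP-MAP and ANYCONNECT names, the "VPN Blocked" group, the example.com DNs, the service account, the server address 10.0.0.10 and vpn.example.com are assumed placeholders.

```text
! Two working group-policies (names from the reply) plus one that rejects the
! session: vpn-simultaneous-logins 0 means no session may be established, so a
! user who lands in NOACCESS authenticates and is then refused a tunnel.
group-policy GroupPolicy01 internal
group-policy GroupPolicy01 attributes
 vpn-tunnel-protocol ssl-client
group-policy GroupPolicy02 internal
group-policy GroupPolicy02 attributes
 vpn-tunnel-protocol ssl-client
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client

! Translate AD memberOf values (full group DNs, quoted because they contain
! spaces) into the ASA Group-Policy attribute. All DNs are assumed placeholders.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=Domain Admins,CN=Users,DC=example,DC=com" GroupPolicy01
 map-value memberOf "CN=Domain Users,CN=Users,DC=example,DC=com"  GroupPolicy02
 map-value memberOf "CN=VPN Blocked,OU=Groups,DC=example,DC=com"   NOACCESS

! LDAP server definition; the attribute map is attached per host.
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! One tunnel-group authenticated against AD. Its default policy is the deny
! policy, so a user who is in none of the mapped groups is refused instead of
! falling into a working policy by accident (fail closed).
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
tunnel-group ANYCONNECT webvpn-attributes
 group-url https://vpn.example.com/ enable

! With a single tunnel-group reached by group-url and the tunnel-group list
! disabled, the AnyConnect client shows no profile drop-down: the user only
! types credentials and the memberOf match selects the group-policy.
webvpn
 enable outside
 anyconnect enable
 no tunnel-group-list enable

! Verification without a client session: the test command shows the attributes
! the map produced, and a live session shows which policy was applied.
! test aaa-server authentication AD host 10.0.0.10 username jdoe password ****
! show vpn-sessiondb anyconnect filter name jdoe
! debug ldap 255   (prints every memberOf value the directory returned)
```

Two caveats for anyone copying this. First, memberOf is multi-valued, so a user who is in more than one mapped group gets whichever matching value the ASA processes in the order the directory returns them; do not rely on that order to enforce a block. Keep blocked users out of the other mapped groups, or enforce the deny with a DAP record as in the accepted solution, since DAP is evaluated after the group-policy and its terminate action ends the session regardless of which policy was chosen. Second, the NOACCESS policy rejects the tunnel only after a successful bind, so AD still logs a successful logon for the blocked user; if the audit trail matters, disable the account or use a denied-logon mechanism on the directory side as well.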