11-21-2013 12:15 PM - edited 02-21-2020 07:20 PM
Hello All,
I am trying to configure AnyConnect VPN and to integrate it with Microsoft AD LDAP.
Actually, everything is working fine.
But I want to assign different IP addresses to the clients based on the group-policy and OU, and
so far I have not been able to configure it.
Every time the client connects, it obtains an address from the same pool.
This means that the group-policy and tunnel-group for the different client users are not working.
Would you please share your experiences on how to integrate that and assign addresses from different pools
to the clients?
Here is the config:
===============
LDAP Connection
ldap attribute-map test
 map-name memberOf IETF-Radius-Class
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_AUTHENT protocol ldap
aaa-server LDAP_AUTHENT (inside) host x.x.x.x
 ldap-base-dn dc=megafontj,dc=tj
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=admin,cn=Users,dc=megafontj,dc=tj
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
------------------------------------------------------------------------------------------
group-policy DfltGrpPolicy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VIP-SPLIT
 default-domain value cisco
 split-dns value x.x.x.x
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (inside) SSL-POOL
 address-pool SSL-POOL
 authentication-server-group LDAP_AUTHENT
 authentication-server-group (inside) LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 authorization-server-group (inside) LDAP_AUTHENT
 authorization-required
-------------------------------------------------------------------------------------------------------
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 address-pool VIP-POOL
 authentication-server-group LDAP_AUTHENT
 authentication-server-group (inside) LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 authorization-server-group (inside) LDAP_AUTHENT
 authorization-required
group-policy test attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value cisco
 split-dns value x.x.x.x
======================================================================
Why are the clients with different usernames and passwords not obtaining addresses from different pools?
Every time they obtain one from the default tunnel-group... ((
Please help.
Kindly, Tural
11-21-2013 12:52 PM
Hello Tural!
In my infrastructure I assign IP addresses personally to each user in the user's properties on the Dial-In tab. You should check the static IP address option and enter the address you want to assign to the user.
And you should also add the following string to your LDAP attribute map:
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
After that, the Cisco gets the IP address from the user's properties itself and assigns it to the connecting client.
Good luck!
Max
11-21-2013 09:03 PM
Hello Max,
Thank you for your response.
In my infrastructure my clients are connecting from the outside, and after successful authorization they are assigned
an IP address based on group-policy and LDAP OU.
But I don't know why it is not working; maybe my config is not correct. Every time the address is assigned only from
DefaultWEBVPNGroup, which is SSL-POOL, but my user is in another OU.
One more issue is that when I delete the tunnel-group
DefaultWEBVPNGroup, the user cannot connect; it says VPN is not enabled...
Kindly, Tural
11-21-2013 10:43 PM
Hello Tural,
Also, in my configuration I used the following entry in my LDAP attribute-map to determine which group-policy the connecting user goes to:
map-value memberOf "CN=Vpn Users,DC=your,DC=domain" GroupPolicy_ciscoAnyconnect
As far as I know, it is possible to assign different pools to different group-policies, but as I understand it (not sure), all users connecting via AnyConnect go to DefaultWEBVPNGroup.
So try to use this entry in your configuration and let me know if this helps.
Good luck!
Max!
11-22-2013 03:00 AM
Hello Max,
I have already achieved it: my users from different groups and from different LDAP OUs obtain their IP from the dedicated group-policy. On the login page you choose which group you want to connect to, then enter username and password.
I did it by enabling a group alias under the tunnel-group's webvpn attributes.
Now I am thinking about how to restrict users from connecting to different groups...
Kindly, Tural
11-22-2013 05:40 AM
Hello Tural,
That's why I disabled choosing the group and let the ASA decide which policy the user connects to.
Good luck!
Max.
11-22-2013 09:38 AM
Hello Max,
I would like to thank you for always responding to me, but I have been asked to disable choosing the group too!
But as I mentioned above, I don't know how to force the ASA to assign addresses from different pools to different groups.
Can you please send me the configuration of your ASA?
Thank you for helping.
Kindly, Tural
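Editor's note, added to this thread and not posted by either participant: the configuration below puts together Max's memberOf -> group-policy mapping (his post above) and Tural's open question of how to make the ASA pick the address pool without a group drop-down. The idea is that the pool is attached to the group-policy (`address-pools value`), not to the tunnel-group, so whichever group-policy the LDAP attribute map selects brings its own pool. Two things worth checking against the posted config: the attribute map `test` is defined but never bound to the LDAP server with `ldap-attribute-map`, and the value returned as IETF-Radius-Class must match an existing group-policy name exactly. All pool names, group-policy names, group DNs, the server address and the bind account below are assumptions, not values from the thread.

```cisco
! Added example, not the thread participants' configuration.
! Every name, address and DN here is assumed; adjust to your AD and addressing plan.
!
! 1. One address pool per group-policy.
ip local pool POOL-SALES 10.10.1.10-10.10.1.250 mask 255.255.255.0
ip local pool POOL-ENG   10.10.2.10-10.10.2.250 mask 255.255.255.0
!
! 2. Group-policies. Each carries its own pool, so the pool follows the
!    policy that LDAP selects rather than the tunnel-group.
group-policy GP-SALES internal
group-policy GP-SALES attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-SALES
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ENG
!
! Fallback for users whose memberOf matches no map-value: they land in the
! tunnel-group's default-group-policy, which here allows zero logins.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 3. Attribute map: memberOf is returned as IETF-Radius-Class, and each group
!    DN is translated to a group-policy name. The name on the right must
!    match the group-policy exactly.
ldap attribute-map AD-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Sales,OU=Groups,DC=example,DC=com" GP-SALES
 map-value memberOf "CN=VPN-Eng,OU=Groups,DC=example,DC=com"   GP-ENG
!
! 4. Bind the map to the LDAP server (this binding is what the posted
!    config is missing).
aaa-server LDAP_AUTHENT protocol ldap
aaa-server LDAP_AUTHENT (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=svc-asa-ldap,cn=Users,dc=example,dc=com
 server-type microsoft
 ldap-attribute-map AD-MAP
!
! 5. A single tunnel-group with no group-alias, so the login page shows no
!    group selector. LDAP performs both authentication and authorization.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AUTHENT
 authorization-server-group LDAP_AUTHENT
 authorization-required
 default-group-policy GP-NOACCESS
!
! 6. Verification after a test login:
!    show vpn-sessiondb anyconnect   -> Group Policy should be GP-SALES or GP-ENG,
!                                       Assigned IP from the matching pool
!    debug ldap 255                  -> shows the memberOf values AD returned and
!                                       the mapped Class value
```

Two caveats. First, memberOf is multi-valued; if a user belongs to more than one mapped group, the group-policy the ASA ends up with depends on which value it selects, so keep the mapped AD groups mutually exclusive (or move the decision into a DAP record, which the posted config already has a placeholder for). Second, the fallback only denies access because `default-group-policy` points at a policy with `vpn-simultaneous-logins 0`; with the default DfltGrpPolicy as fallback, an unmapped but valid AD user would still connect and take an address from whatever pool that policy or tunnel-group provides.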
11-22-2013 09:43 AM
Hey Tural,
I am also trying to integrate the ASA with LDAP. Though I am able to fetch all the distribution lists present in AD, I am not able to form a correct attribute map to resolve the problem. Please guide me in solving the problem. I have gone through most of the online help material.
11-22-2013 12:34 PM
Hello Chetan Rana,
If you do not have the task of assigning addresses from different pools to different groups, then it is easy,
but if you also have the same issue as me, then follow up.
Kindly, Tural