cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
275
Views
0
Helpful
7
Replies
Highlighted
Beginner

ASA anyconnect authenticates all the active directory usernames not just the specified group

I integrated the ASA with Active directory. I tried to connect with Cisco Anyconnect but ASA accepts all the usernames that are in AD not the specified group. I set the simultaneous user in the default tunnel group to 0 but still no success:

 

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
address-pools value vpnpool

 

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable
!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
RJI Advisor
Advisor

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.

View solution in original post

7 REPLIES 7
RJI Advisor
Advisor

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Hi,

What is the configuration of your server called "AD"? Is it LDAP?

 

If you are using LDAP then you will need to use a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. See this guide on how to configure NOACCESS group-policy and LDAP attribute map to permit the users you do want ot access the VPN.

 

If not using LDAP please provide the configuration and more information.

HTH

Highlighted
Beginner

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Yes it is ldpa. I could not open your link. I tried to change the default GP to deny access. It is not working on that way?
Can you pls help me with no_access GP, It is really urgent.
aaa-server AD (Inside) host corp.spdatallc.com
ldap-base-dn DC=corp,DC=spdatallc,DC=com
ldap-group-base-dn CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountname
ldap-login-password *****
ldap-login-dn hamvpnldap@corp.spdatallc.com
server-type microsoft
ldap-attribute-map HAM-VPN-USERS
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn
Highlighted
RJI Advisor
Advisor

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

This is the link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

 

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn

 

Highlighted
Beginner

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

I have it but still no luck. If I assign it to connection profile then it rejects all users.

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
dns-server value 172.20.2.12
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
default-domain value spdatallc.com
address-pools value vpnpool

 

 

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable

 

Highlighted
RJI Advisor
Advisor

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.

View solution in original post

Highlighted
Beginner

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

That was the problem. Ldap att did not match with GP name.

 

Thanks

 

Highlighted
Beginner

Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Yes it does. Here is the ldap attr:
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn

Could you pls check your inbox. I sent you a message.