Solved: Re: ASA anyconnect authenticates all the active directory usernames not just the specified group

Hamed Karimi · ‎03-21-2020

I integrated the ASA with Active directory. I tried to connect with Cisco Anyconnect but ASA accepts all the usernames that are in AD not the specified group. I set the simultaneous user in the default tunnel group to 0 but still no success:

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
address-pools value vpnpool

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable
!

Rob Ingram · ‎03-21-2020

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.

View solution in original post

Rob Ingram · ‎03-21-2020

Hi,

What is the configuration of your server called "AD"? Is it LDAP?

If you are using LDAP then you will need to use a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. See this guide on how to configure NOACCESS group-policy and LDAP attribute map to permit the users you do want ot access the VPN.

If not using LDAP please provide the configuration and more information.

HTH

Hamed Karimi · ‎03-21-2020

Yes it is ldpa. I could not open your link. I tried to change the default GP to deny access. It is not working on that way?
Can you pls help me with no_access GP, It is really urgent.
aaa-server AD (Inside) host corp.spdatallc.com
ldap-base-dn DC=corp,DC=spdatallc,DC=com
ldap-group-base-dn CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountname
ldap-login-password *****
ldap-login-dn hamvpnldap@corp.spdatallc.com
server-type microsoft
ldap-attribute-map HAM-VPN-USERS
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn

Rob Ingram · ‎03-21-2020

This is the link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn

Hamed Karimi · ‎03-21-2020

I have it but still no luck. If I assign it to connection profile then it rejects all users.

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
dns-server value 172.20.2.12
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
default-domain value spdatallc.com
address-pools value vpnpool

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable

Rob Ingram · ‎03-21-2020

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.

Hamed Karimi · ‎03-21-2020

That was the problem. Ldap att did not match with GP name.

Thanks

Hamed Karimi · ‎03-21-2020

Yes it does. Here is the ldap attr:
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn

Could you pls check your inbox. I sent you a message.