Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
860
Views
0
Helpful
7
Replies

ASA anyconnect authenticates all the active directory usernames not just the specified group

Go to solution
Hamed Karimi
Level 1
Level 1

‎03-21-2020 03:20 PM

I integrated the ASA with Active directory. I tried to connect with Cisco Anyconnect but ASA accepts all the usernames that are in AD not the specified group. I set the simultaneous user in the default tunnel group to 0 but still no success:

 

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
address-pools value vpnpool

 

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable
!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Hamed Karimi

‎03-21-2020 04:20 PM

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎03-21-2020 03:31 PM - edited ‎03-21-2020 03:46 PM

Hi,

What is the configuration of your server called "AD"? Is it LDAP?

 

If you are using LDAP then you will need to use a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. See this guide on how to configure NOACCESS group-policy and LDAP attribute map to permit the users you do want ot access the VPN.

 

If not using LDAP please provide the configuration and more information.

HTH

0 Helpful

Go to solution
Hamed Karimi
Level 1
Level 1
In response to Rob Ingram

‎03-21-2020 03:42 PM

Yes it is ldpa. I could not open your link. I tried to change the default GP to deny access. It is not working on that way?
Can you pls help me with no_access GP, It is really urgent.
aaa-server AD (Inside) host corp.spdatallc.com
ldap-base-dn DC=corp,DC=spdatallc,DC=com
ldap-group-base-dn CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountname
ldap-login-password *****
ldap-login-dn hamvpnldap@corp.spdatallc.com
server-type microsoft
ldap-attribute-map HAM-VPN-USERS
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Hamed Karimi

‎03-21-2020 03:48 PM

This is the link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

 

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn

 

0 Helpful

Go to solution
Hamed Karimi
Level 1
Level 1
In response to Rob Ingram

‎03-21-2020 04:08 PM

I have it but still no luck. If I assign it to connection profile then it rejects all users.

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server none
dns-server value 172.20.2.12
vpn-simultaneous-logins 500
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers
default-domain value spdatallc.com
address-pools value vpnpool

 

 

tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group AD
default-group-policy VPNUsers
tunnel-group vpngroup webvpn-attributes
group-alias AD enable
group-alias Group1 disable
group-alias users disable
tunnel-group vpngroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RSA type remote-access
tunnel-group RSA general-attributes
address-pool vpnpool
authentication-server-group RSA-2FA
default-group-policy VPNUsers
tunnel-group RSA webvpn-attributes
group-alias RSA enable

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Hamed Karimi

‎03-21-2020 04:20 PM

Does your LDAP attribute map(s) permit the users who are allowed to connect to the VPN map to the "VPNUsers" group-policy? See use case example LDAP-MAP #2 in that link I previously provided.
0 Helpful

Go to solution
Hamed Karimi
Level 1
Level 1
In response to Rob Ingram

‎03-21-2020 04:41 PM

That was the problem. Ldap att did not match with GP name.

 

Thanks

 

0 Helpful

Go to solution
Hamed Karimi
Level 1
Level 1
In response to Rob Ingram

‎03-21-2020 04:32 PM

Yes it does. Here is the ldap attr:
ldap attribute-map HAM-VPN-USERS
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=HAM-VPN-USERS,OU=AGENT USERS,DC=corp,DC=spdatallc,DC=com" ciscovpn

Could you pls check your inbox. I sent you a message.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents