06-13-2022 11:48 PM
Hi Experts,
I am trying to configure an attribute-map for our SSL AnyConnect client connections. Basically I am trying to associate groups with specific tunnel-groups/connection profiles. I've reviewed the documentation and set it up with a Noaccess group-policy.
I can't log in when the group policy is "default-group-policy Noaccess"; however, all users, irrespective of group, can log in when it is "default-group-policy HR-grp-policy".
=========================
VPN# sh run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.100.10
ldap-base-dn DC=xxxxx,DC=local
ldap-group-base-dn OU=xxxxx,DC=xxxxx,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_ad,OU=xxxxx,DC=xxxxx,DC=local
server-type microsoft
ldap-attribute-map LDAP-MAP
VPN# sh run ldap
ldap attribute-map LDAP-MAP
map-name memberof Group-Policy
map-value memberof CN=HR,OU=xxxxx,DC=xxxxx,DC=local HR-grp-policy
VPN# sh run group-policy HR-grp-policy
group-policy HR-grp-policy internal
group-policy HR-grp-policy attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value xxxxx.local
address-pools value HR-pool
VPN# sh run tunnel-group HR-con-profile
tunnel-group HR-con-profile type remote-access
tunnel-group HR-con-profile general-attributes
address-pool HR-pool
authentication-server-group LDAP LOCAL
default-group-policy Noaccess
tunnel-group HR-con-profile webvpn-attributes
group-alias HR-con-profile-alias enable
VPN# sh run group-policy Noaccess
group-policy Noaccess internal
group-policy Noaccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
=========================
06-14-2022 12:01 AM
@Arun2022 Can you provide the output of "show vpn-sessiondb detail anyconnect" for a user who connects and is not a member of the HR group, and the output for a user who is, please.
Run debug ldap 128 and authenticate a user, provide the output for review.
06-14-2022 12:21 AM
Hi Rob,
Thank you for your response.
Please find attached. The Noaccess group policy has been removed from the HR tunnel group since I cannot connect if that is in place. I do have other tunnel groups; however, at this stage any user can log in to any of the connection profiles.
06-14-2022 12:30 AM - edited 06-14-2022 12:42 AM
@Arun2022 Is the DN of the group correct, including the case (upper/lower case)?
Can you provide a debug when it fails please (change the group policy accordingly).
06-14-2022 06:28 AM
06-14-2022 06:37 AM
@Arun2022 I cannot see what group that user should be mapped to in those debugs; please increase your debug level: debug ldap 255
Ensure the configuration is as you intend, login as both users, a member of HR and another who is not - provide the output.
06-14-2022 04:19 PM
@Rob Ingram I've got 4 groups under the OU.
I've attached the debugs, hr_user is a member of HR, crew_user is a member of Crew.
VPN# show ad-groups LDAP
[10] Session Start
[10] New request Session, context 0x00007fd725a33da8, reqType = Group List Search
[10] Fiber started
[10] Creating LDAP context with uri=ldap://172.16.100.10:389
[10] Connect to LDAP server: ldap://172.16.100.10:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as ldap_ad
[10] Performing Simple authentication for ldap_ad to 172.16.100.10
[10] LDAP Search:
Base DN = [OU=xxxx,DC=valab,DC=local]
Filter = [(&(objectclass=group)(cn=*))]
Scope = [SUBTREE]
[10] Processing received group names
[10] Search found 4 unique group names
[10] Fiber exit Tx=304 bytes Rx=1049 bytes, status=1
[10] Session End
Server Group LDAP
Group list retrieved successfully
Number of Active Directory Groups 4
Contractor
Crew
Customer
HR
06-14-2022 09:29 AM
Add this command:
authorization-server-group LDAP-Server
06-14-2022 04:07 PM
@MHM Cisco World I tried this it didn't make a difference.
06-14-2022 05:06 PM
These changes must be done:
1. map-name memberOf Group-Policy
2. authorization-required
3. authorization-server-group LDAP-Server
Please share the debug ldap 255 output after these changes.
06-15-2022 08:04 PM
@MHM Cisco World I rectified the case sensitivity on the map-name and made the relevant changes. However, in the debugs I still can't see the "mapped to" field. Please find the attached file.
06-15-2022 11:07 PM
I reconfigured the vpn once again. I've managed to restrict logins only to users associated with the groups specified in the ldap attributes.
I revisited the documents and observed that there are spaces in the ldap-base-dn & ldap-login-dn that I missed.
Now the issue is that I am unable to bind it to a specific profile. "hr_user" can connect to both HR-profile and Crew-profile.
I really appreciate your support on this one.
==============================
VPN# sh run group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-policy crew internal
group-policy crew attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value valab.local
address-pools value crew-pool
group-policy hr internal
group-policy hr attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value valab.local
address-pools value hr-pool
VPN# sh run tunnel
tunnel-group HR-profile type remote-access
tunnel-group HR-profile general-attributes
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group HR-profile webvpn-attributes
group-alias HR-profile enable
tunnel-group Crew-profile type remote-access
tunnel-group Crew-profile general-attributes
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group Crew-profile webvpn-attributes
group-alias Crew-profile enable
VPN# sh run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.100.10
ldap-base-dn DC=valab, DC=local
ldap-group-base-dn OU=xxxx, DC=valab, DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_ad, OU=xxxx, DC=valab, DC=local
server-type microsoft
ldap-attribute-map LDAP_ANYCONNECT_MAP
VPN# sh run ldap
ldap attribute-map LDAP_ANYCONNECT_MAP
map-name memberOf Group-Policy
map-value memberOf CN=Crew,OU=xxxx,DC=valab,DC=local crew
map-value memberOf CN=HR,OU=xxxx,DC=valab,DC=local hr
VPN# show vpn-sessiondb det anyconnect
Session Type: AnyConnect Detailed
Username : hr_user Index : 51705
Assigned IP : 192.168.14.10 Public IP : 192.168.50.100
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 14502 Bytes Rx : 3965
Pkts Tx : 11 Pkts Rx : 12
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : hr Tunnel Group : Crew-profile
Login Time : 05:55:45 UTC Thu Jun 16 2022
Duration : 0h:00m:24s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8e6810c9f900062aac5e1
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
[41] Session Start
[41] New request Session, context 0x00007f68ae01a7c8, reqType = Other
[41] Fiber started
[41] Creating LDAP context with uri=ldap://172.16.100.10:389
[41] Connect to LDAP server: ldap://172.16.100.10:389, status = Successful
[41] supportedLDAPVersion: value = 3
[41] supportedLDAPVersion: value = 2
[41] Binding as ldap_ad
[41] Performing Simple authentication for ldap_ad to 172.16.100.10
[41] LDAP Search:
Base DN = [DC=valab, DC=local]
Filter = [sAMAccountName=hr_user]
Scope = [SUBTREE]
[41] User DN = [CN=hr_user,OU=xxxx,DC=valab,DC=local]
[41] Talking to Active Directory server 172.16.100.10
[41] Reading password policy for hr_user, dn:CN=hr_user,OU=xxxx,DC=valab,DC=local
[41] Read bad password count 0
[41] LDAP Search:
Base DN = [DC=valab, DC=local]
Filter = [sAMAccountName=hr_user]
Scope = [SUBTREE]
[41] Retrieved User Attributes:
[41] objectClass: value = top
[41] objectClass: value = person
[41] objectClass: value = organizationalPerson
[41] objectClass: value = user
[41] cn: value = hr_user
[41] givenName: value = hr_user
[41] distinguishedName: value = CN=hr_user,OU=xxxx,DC=valab,DC=local
[41] instanceType: value = 4
[41] whenCreated: value = 20220610080855.0Z
[41] whenChanged: value = 20220610080855.0Z
[41] displayName: value = hr_user
[41] uSNCreated: value = 16468
[41] memberOf: value = CN=HR,OU=xxxx,DC=valab,DC=local
[41] mapped to Group-Policy: value = hr
[41] mapped to LDAP-Class: value = hr
[41] uSNChanged: value = 16473
[41] name: value = hr_user
[41] objectGUID: value = ..iW..NA.].#..h.
[41] userAccountControl: value = 66048
[41] badPwdCount: value = 0
[41] codePage: value = 0
[41] countryCode: value = 0
[41] badPasswordTime: value = 0
[41] lastLogoff: value = 0
[41] lastLogon: value = 0
[41] pwdLastSet: value = 132993221353167423
[41] primaryGroupID: value = 513
[41] objectSid: value = ..............U...$.....T...
[41] accountExpires: value = 9223372036854775807
[41] logonCount: value = 0
[41] sAMAccountName: value = hr_user
[41] sAMAccountType: value = 805306368
[41] userPrincipalName: value = hr_user@valab.local
[41] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=valab,DC=local
[41] dSCorePropagationData: value = 16010101000000.0Z
[41] Fiber exit Tx=555 bytes Rx=4120 bytes, status=1
[41] Session End
==============================
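The behaviour shown in the session output above (hr_user lands in group-policy "hr" even when connecting through Crew-profile) follows from the attribute-map selecting the group-policy from memberOf alone, independent of which tunnel-group the user picked, while the tunnel-group's default-group-policy NOACCESS (vpn-simultaneous-logins 0) only applies to users whose memberOf matches no map-value. The Python below is an added example written for this thread, not code from the original post or from Cisco: it pulls memberOf values out of a constructed `debug ldap 255` excerpt, models the map-value lookup as an exact case-sensitive string comparison (a modelling assumption, chosen to show why a case or whitespace mismatch in a map-value DN silently falls through to the default policy), and then shows the effect of the ASA group-policy attribute `group-lock value <tunnel-group>`, which ties a mapped group-policy to one connection profile. The policy and tunnel-group tables are constructed from the configuration quoted in the thread.

```python
"""Model of how an ASA picks the effective group-policy for an AnyConnect login.

Added example for the thread above; not ASA code. Matching semantics and the
first-match rule are modelling assumptions, not a statement of the ASA internals.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# ldap attribute-map LDAP_ANYCONNECT_MAP from the thread, as attribute -> {value: group-policy}
ATTRIBUTE_MAP: Dict[str, Dict[str, str]] = {
    "memberOf": {
        "CN=Crew,OU=xxxx,DC=valab,DC=local": "crew",
        "CN=HR,OU=xxxx,DC=valab,DC=local": "hr",
    }
}


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    simultaneous_logins: int          # vpn-simultaneous-logins
    group_lock: Optional[str] = None  # group-lock value <tunnel-group>, if configured


# group-policies from the thread (constructed; only the attributes this model needs)
GROUP_POLICIES: Dict[str, GroupPolicy] = {
    "NOACCESS": GroupPolicy("NOACCESS", 0),
    "crew": GroupPolicy("crew", 3),
    "hr": GroupPolicy("hr", 3),
}

# tunnel-group -> default-group-policy, from the thread
TUNNEL_GROUPS: Dict[str, str] = {"HR-profile": "NOACCESS", "Crew-profile": "NOACCESS"}

# Constructed excerpt in the shape of `debug ldap 255` output
DEBUG_EXCERPT = """\
[41] Retrieved User Attributes:
[41] cn: value = hr_user
[41] memberOf: value = CN=HR,OU=xxxx,DC=valab,DC=local
[41] sAMAccountName: value = hr_user
"""


def member_of_from_debug(debug_text: str) -> List[str]:
    """Collect every memberOf value reported in debug ldap output."""
    return [m.strip() for m in re.findall(r"memberOf: value = (.+)", debug_text)]


def map_group_policy(member_of: List[str],
                     attribute_map: Dict[str, Dict[str, str]] = ATTRIBUTE_MAP) -> Optional[str]:
    """Exact, case-sensitive comparison of each memberOf DN against the map-value table.

    Assumption: the first memberOf value that has a map-value entry wins; a DN that
    differs only in case or in spaces after commas does not match and yields None,
    which is what the 'mapped to' line in the debug would then fail to show.
    """
    table = attribute_map.get("memberOf", {})
    for dn in member_of:
        if dn in table:
            return table[dn]
    return None


def evaluate_login(member_of: List[str], tunnel_group: str,
                   policies: Dict[str, GroupPolicy] = GROUP_POLICIES,
                   tunnel_groups: Dict[str, str] = TUNNEL_GROUPS) -> Tuple[str, str, str]:
    """Return (verdict, effective group-policy, reason) for one login attempt."""
    mapped = map_group_policy(member_of)
    # No memberOf match -> fall back to the tunnel-group's default-group-policy
    policy_name = mapped if mapped is not None else tunnel_groups[tunnel_group]
    policy = policies[policy_name]
    if policy.simultaneous_logins == 0:
        return ("denied", policy_name, "vpn-simultaneous-logins 0")
    if policy.group_lock is not None and policy.group_lock != tunnel_group:
        return ("denied", policy_name, f"group-lock value {policy.group_lock}")
    source = "mapped from memberOf" if mapped is not None else "tunnel-group default"
    return ("allowed", policy_name, source)


def with_group_lock(policies: Dict[str, GroupPolicy], policy_name: str,
                    tunnel_group: str) -> Dict[str, GroupPolicy]:
    """Copy of the policy table with `group-lock value <tunnel_group>` on one policy."""
    locked = dict(policies)
    locked[policy_name] = replace(policies[policy_name], group_lock=tunnel_group)
    return locked


if __name__ == "__main__":
    hr_groups = member_of_from_debug(DEBUG_EXCERPT)
    print(evaluate_login(hr_groups, "HR-profile"))
    print(evaluate_login(hr_groups, "Crew-profile"))  # allowed with policy hr, as in the thread
    print(evaluate_login(["CN=Contractor,OU=xxxx,DC=valab,DC=local"], "HR-profile"))
    locked = with_group_lock(GROUP_POLICIES, "hr", "HR-profile")
    print(evaluate_login(hr_groups, "Crew-profile", policies=locked))
```

Running the script shows the thread's symptom (hr_user allowed on Crew-profile with policy hr), a Contractor member falling through to NOACCESS and being refused, and the same hr_user refused on Crew-profile once the hr policy carries a group-lock for HR-profile. A useful check against real debug output is to confirm that each memberOf value you expect to match appears verbatim, including case, as the map-value DN in `show run ldap`.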