ASA Anyconnect ldap mapping profile based on user group

Arun2022
Level 1

Hi Experts,

I am trying to configure an attribute-map for our SSL AnyConnect client connections. Basically, I am trying to associate groups with specific tunnel-groups/connection profiles. I've reviewed the documentation and set it up with a Noaccess group-policy.

I can't log in when the group policy is "default-group-policy Noaccess"; however, all users, irrespective of group, can log in when it is "default-group-policy HR-grp-policy".

=========================
VPN# sh run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.100.10
ldap-base-dn DC=xxxxx,DC=local
ldap-group-base-dn OU=xxxxx,DC=xxxxx,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_ad,OU=xxxxx,DC=xxxxx,DC=local
server-type microsoft
ldap-attribute-map LDAP-MAP

VPN# sh run ldap
ldap attribute-map LDAP-MAP
map-name memberof Group-Policy
map-value memberof CN=HR,OU=xxxxx,DC=xxxxx,DC=local HR-grp-policy

VPN# sh run group-policy HR-grp-policy
group-policy HR-grp-policy internal
group-policy HR-grp-policy attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value xxxxx.local
address-pools value HR-pool

VPN# sh run tunnel-group HR-con-profile
tunnel-group HR-con-profile type remote-access
tunnel-group HR-con-profile general-attributes
address-pool HR-pool
authentication-server-group LDAP LOCAL
default-group-policy Noaccess
tunnel-group HR-con-profile webvpn-attributes
group-alias HR-con-profile-alias enable

VPN#sh run group-policy Noaccess
group-policy Noaccess internal
group-policy Noaccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
=========================

11 Replies

@Arun2022 Can you provide the output of "show vpn-sessiondb detail anyconnect" for a user who connects and is not a member of the HR group, and the output for a user who is, please.

Run debug ldap 128, authenticate a user and provide the output for review.

Hi Rob,

Thank you for your response.

Please find attached. The Noaccess group policy has been removed from the HR tunnel group since I cannot connect if that is in place. I do have other tunnel groups; however, at this stage any user can log in to any of the connection profiles.

@Arun2022 Is the DN of the group correct, including the case (upper/lower case)?

Can you provide a debug when it fails please (change the group policy accordingly).

Yes, the DN is correct.

Please see the attached. The ldap debugs are identical to the working one.

@Arun2022 I cannot see what group that user should be mapped to in those debugs; please increase your debug level: debug ldap 255

Ensure the configuration is as you intend, log in as both users (a member of HR and another who is not) and provide the output.

@Rob Ingram I've got 4 groups under the OU.

I've attached the debugs, hr_user is a member of HR, crew_user is a member of Crew.

VPN# show ad-groups LDAP
.
[10] Session Start
[10] New request Session, context 0x00007fd725a33da8, reqType = Group List Search
[10] Fiber started
[10] Creating LDAP context with uri=ldap://172.16.100.10:389
[10] Connect to LDAP server: ldap://172.16.100.10:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as ldap_ad
[10] Performing Simple authentication for ldap_ad to 172.16.100.10
[10] LDAP Search:
Base DN = [OU=xxxx,DC=valab,DC=local]
Filter = [(&(objectclass=group)(cn=*))]
Scope = [SUBTREE]
[10] Processing received group names
[10] Search found 4 unique group names
[10] Fiber exit Tx=304 bytes Rx=1049 bytes, status=1
[10] Session End

Server Group LDAP
Group list retrieved successfully
Number of Active Directory Groups 4
Contractor
Crew
Customer
HR

Add this command:

authorization-server-group LDAP-Server

@MHM Cisco World I tried this it didn't make a difference.

Changes that must be done:

* map-name memberOf Group-Policy

** authorization-required

*** authorization-server-group LDAP-Server

Please share the ldap 255 debug after these changes.

@MHM Cisco World I rectified the case sensitivity on the map-name and made the relevant changes. However, in the debugs I still can't see the "mapped to" field. Please find the attached file.

Arun2022
Level 1

@MHM Cisco World 

I reconfigured the vpn once again. I've managed to restrict logins only to users associated with the groups specified in the ldap attributes.
I revisited the documents and observed that there are spaces in the ldap-base-dn & ldap-login-dn that I missed.
Now the issue is that I am unable to bind it to a specific profile. "hr_user" can connect to both HR-profile & Crew-profile.

I really appreciate your support on this one.

==============================
VPN# sh run group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-policy crew internal
group-policy crew attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value valab.local
address-pools value crew-pool
group-policy hr internal
group-policy hr attributes
dns-server value 172.16.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value valab.local
address-pools value hr-pool

VPN# sh run tunnel
tunnel-group HR-profile type remote-access
tunnel-group HR-profile general-attributes
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group HR-profile webvpn-attributes
group-alias HR-profile enable
tunnel-group Crew-profile type remote-access
tunnel-group Crew-profile general-attributes
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group Crew-profile webvpn-attributes
group-alias Crew-profile enable

VPN# sh run aaa-server
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.100.10
ldap-base-dn DC=valab, DC=local
ldap-group-base-dn OU=xxxx, DC=valab, DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_ad, OU=xxxx, DC=valab, DC=local
server-type microsoft
ldap-attribute-map LDAP_ANYCONNECT_MAP

VPN# sh run ldap
ldap attribute-map LDAP_ANYCONNECT_MAP
map-name memberOf Group-Policy
map-value memberOf CN=Crew,OU=xxxx,DC=valab,DC=local crew
map-value memberOf CN=HR,OU=xxxx,DC=valab,DC=local hr

VPN# show vpn-sessiondb det anyconnect

Session Type: AnyConnect Detailed

Username : hr_user Index : 51705
Assigned IP : 192.168.14.10 Public IP : 192.168.50.100
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 14502 Bytes Rx : 3965
Pkts Tx : 11 Pkts Rx : 12
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : hr Tunnel Group : Crew-profile
Login Time : 05:55:45 UTC Thu Jun 16 2022
Duration : 0h:00m:24s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8e6810c9f900062aac5e1
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

[41] Session Start
[41] New request Session, context 0x00007f68ae01a7c8, reqType = Other
[41] Fiber started
[41] Creating LDAP context with uri=ldap://172.16.100.10:389
[41] Connect to LDAP server: ldap://172.16.100.10:389, status = Successful
[41] supportedLDAPVersion: value = 3
[41] supportedLDAPVersion: value = 2
[41] Binding as ldap_ad
[41] Performing Simple authentication for ldap_ad to 172.16.100.10
[41] LDAP Search:
Base DN = [DC=valab, DC=local]
Filter = [sAMAccountName=hr_user]
Scope = [SUBTREE]
[41] User DN = [CN=hr_user,OU=xxxx,DC=valab,DC=local]
[41] Talking to Active Directory server 172.16.100.10
[41] Reading password policy for hr_user, dn:CN=hr_user,OU=xxxx,DC=valab,DC=local
[41] Read bad password count 0
[41] LDAP Search:
Base DN = [DC=valab, DC=local]
Filter = [sAMAccountName=hr_user]
Scope = [SUBTREE]
[41] Retrieved User Attributes:
[41] objectClass: value = top
[41] objectClass: value = person
[41] objectClass: value = organizationalPerson
[41] objectClass: value = user
[41] cn: value = hr_user
[41] givenName: value = hr_user
[41] distinguishedName: value = CN=hr_user,OU=xxxx,DC=valab,DC=local
[41] instanceType: value = 4
[41] whenCreated: value = 20220610080855.0Z
[41] whenChanged: value = 20220610080855.0Z
[41] displayName: value = hr_user
[41] uSNCreated: value = 16468
[41] memberOf: value = CN=HR,OU=xxxx,DC=valab,DC=local
[41] mapped to Group-Policy: value = hr
[41] mapped to LDAP-Class: value = hr
[41] uSNChanged: value = 16473
[41] name: value = hr_user
[41] objectGUID: value = ..iW..NA.].#..h.
[41] userAccountControl: value = 66048
[41] badPwdCount: value = 0
[41] codePage: value = 0
[41] countryCode: value = 0
[41] badPasswordTime: value = 0
[41] lastLogoff: value = 0
[41] lastLogon: value = 0
[41] pwdLastSet: value = 132993221353167423
[41] primaryGroupID: value = 513
[41] objectSid: value = ..............U...$.....T...
[41] accountExpires: value = 9223372036854775807
[41] logonCount: value = 0
[41] sAMAccountName: value = hr_user
[41] sAMAccountType: value = 805306368
[41] userPrincipalName: value = hr_user@valab.local
[41] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=valab,DC=local
[41] dSCorePropagationData: value = 16010101000000.0Z
[41] Fiber exit Tx=555 bytes Rx=4120 bytes, status=1
[41] Session End

==============================
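The two pitfalls worked through in this thread (the case-sensitive `map-name memberof` vs the AD attribute `memberOf`, and the stray spaces inside the DNs) and the final observation that the map selects a group policy rather than a connection profile can be checked offline. The following is an added example, not Cisco code or anything posted in the thread: it parses the `[nn] attr: value = ...` lines of a `debug ldap 255` capture and evaluates an attribute map with the exact-match semantics the thread observed. The `group_lock` argument models the ASA group-policy attribute `group-lock value <tunnel-group>`, which is not mentioned in the thread; the debug excerpt is constructed from the post above.

```python
import re

# Constructed excerpt modelled on the debug ldap 255 output in the thread.
DEBUG_OUTPUT = """\
[41] memberOf: value = CN=HR,OU=xxxx,DC=valab,DC=local
[41] mapped to Group-Policy: value = hr
[41] sAMAccountName: value = hr_user
"""

# One debug line: "[41] <attribute name>: value = <value>"
ATTR_RE = re.compile(r"^\[\d+\]\s+(?P<name>[\w\- ]+?): value = (?P<value>.*)$", re.M)


def parse_debug(text):
    """Return {attribute: [values]} for every attribute line in a debug capture."""
    attrs = {}
    for m in ATTR_RE.finditer(text):
        attrs.setdefault(m.group("name"), []).append(m.group("value").strip())
    return attrs


def evaluate_map(attrs, map_name, map_values):
    """Apply one `ldap attribute-map`: map_name is the attribute named by `map-name`,
    map_values is {DN: group-policy} from the `map-value` lines. Matching is exact,
    so a map-name of 'memberof' never sees the AD attribute 'memberOf', and a DN
    written with spaces after the commas never matches the DN AD returns."""
    if map_name not in attrs:
        return None, f"map-name {map_name!r} matches none of {sorted(attrs)}"
    for dn in attrs[map_name]:
        if dn in map_values:
            return map_values[dn], None
        for cfg_dn in map_values:
            if cfg_dn.replace(" ", "").lower() == dn.replace(" ", "").lower():
                return None, f"map-value {cfg_dn!r} differs from {dn!r} only by case/whitespace"
    return None, "no map-value matched any retrieved DN"


def session_outcome(mapped_policy, tunnel_group, group_lock=None, default_policy="NOACCESS"):
    """Decide the result of a login on a given connection profile.
    A mapped Group-Policy replaces the tunnel-group's default-group-policy, which is why
    hr_user lands in policy 'hr' even on Crew-profile. NOACCESS (vpn-simultaneous-logins 0)
    refuses the login. group_lock models `group-lock value <tunnel-group>` on the policy
    (assumption: not on the page); when set, the session is refused on any other profile."""
    policy = mapped_policy or default_policy
    if policy == default_policy:
        return "refused", policy
    if group_lock is not None and group_lock != tunnel_group:
        return "refused", policy
    return "allowed", policy
```

Feeding the thread's working map and the Crew-profile login reproduces the "Group Policy : hr Tunnel Group : Crew-profile" line from the session output; the same call with the group_lock argument set to HR-profile shows the login being refused there.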