09-29-2020 06:52 AM - edited 10-06-2020 07:46 AM
Hi,
I have an issue with VPN users authentication.
The problem is: if the user is a member of a valid group policy, he can connect to any group policy.
Here is my config (Cisco ASA 9.13):
ldap attribute-map Class
map-name memberOf Group-Policy
map-value memberOf CN=*******,CN=Users,DC=in,DC=ac-arcueil,DC=fr ***********
map-value memberOf CN=********,CN=Users,OU=stbu,DC=cisco,DC=com **************P
In "debug ldap 255" I can see:
Any idea, please?
09-29-2020 07:31 AM - edited 09-29-2020 07:36 AM
Hi @sam cook
Do you have a group-policy configured with vpn-simultaneous-logins 0? This group-policy will be the default policy configured on the tunnel-group. Example:
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
Your group-policies defined above would need to be explicitly configured with vpn-simultaneous-logins greater than 0, otherwise they will inherit from the default group-policy, which would deny.
Here is an example full config
HTH
09-29-2020 08:33 AM - edited 10-06-2020 07:47 AM
Thank you @Rob Ingram.
I made the modification you asked for, but I still get the same behaviour:
the user j****** can still connect to any group, although he is only a member of the ******* LDAP group.
Now I have this in my configuration:
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy ******* internal
group-policy ******** attributes
wins-server none
dns-server value 1***************
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain none
group-policy ************* internal
group-policy ***************** attributes
wins-server none
dns-server value 1**********************2
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain none
09-29-2020 08:38 AM
What is your tunnel-group configuration? Have you referenced the NOACCESS group-policy under the tunnel-group?
tunnel-group TUNNEL-GROUP-NAME general-attributes
default-group-policy NOACCESS
09-29-2020 08:47 AM - edited 10-06-2020 07:48 AM
Should I use "default-group-policy NOACCESS" for all my tunnel groups (********* and *************)?
09-29-2020 08:53 AM
Yes, because the LDAP attribute map is specifying to use "GroupPolicy_VPN_DAF" or "GroupPolicy_VPN_VIP" if a member of the correct group. If not a member of the group it will hit the default group-policy "NOACCESS" as defined under the tunnel-group, which will deny access.
09-29-2020 09:12 AM
I made the changes in the configuration, so now I have:
ciscoasa# sho running-config tunnel-group
tunnel-group VPN_VIP type remote-access
tunnel-group VPN_VIP general-attributes
address-pool vip
authentication-server-group LDAP-AD
default-group-policy NOACCESS
tunnel-group VPN_VIP webvpn-attributes
group-alias VPN_VIP enable
tunnel-group VPN_DAF type remote-access
tunnel-group VPN_DAF general-attributes
address-pool daf
authentication-server-group LDAP-AD
default-group-policy NOACCESS
tunnel-group VPN_DAF webvpn-attributes
group-alias VPN_DAF enable
But now the user jsnow could not connect to any profile (DAF or VIP).
What's wrong, in your opinion?
09-29-2020 09:47 AM
Looking at your previous debugs, your LDAP group is incorrect.
map-value memberOf CN=vpn_daf,CN=Users,DC=in,DC=ac-arcueil,DC=fr GroupPolicy_VPN_DAF
map-value memberOf CN=vpn_vip,CN=Users,OU=stbu,DC=cisco,DC=com GroupPolicy_VPN_VIP
in "debug ldap 255" I can see :
memberOf: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[135] mapped to Group-Policy: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[135] mapped to LDAP-Class: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
09-30-2020 01:44 AM
Hi @Rob Ingram
Thank you again for searching with me.
I created a new attribute-map with the right information:
(see attached)
and now jsnow can connect again to all profiles (DAF and VIP); when he connects to VIP (which he is normally not authorised to do) I can see that he is assigned to the right group policy (DAF) but the wrong tunnel group (VPN-VIP).
(I omitted my public IP)
(see attached)
In the LDAP debug I can see that he matches the DAF group-policy:
memberOf: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[170] mapped to Group-Policy: value = GroupPolicy_VPN_DAF
[170] mapped to LDAP-Class: value = GroupPolicy_VPN_DAF
In my config, the default group is NOACCESS for all profiles:
(see attached)
and simultaneous logins = 0
(see attached)
but for the other groups it's = 3
(see attached)
I still could not understand why it's not working.
09-30-2020 01:58 AM - edited 10-06-2020 07:50 AM
Screenshots of the previously attached files are at these URLs:
***********
09-30-2020 02:46 AM
Ok I see what you are wanting now. The users are matching the correct group-policy, but they can connect to another tunnel-group, which you do not want. I've done this previously when using RADIUS, but not when using just LDAP.
You could probably use DAP to determine which tunnel-group the user is connecting from and then permit/deny if in the wrong AD group.
09-30-2020 06:37 AM - edited 10-06-2020 07:50 AM
I tried to configure DAP, so in the selection criteria I can select group_policy DAF, but in access/authorization I can't find how to select the tunnel group. My goal is to prevent users in the DAF group_policy from getting to the VIP tunnel group.
09-30-2020 06:43 AM
AAA attribute = cisco.tunnelgroup
Operation/Value = <YOUR TUNNELGROUP>
combine that with
AAA attribute = ldap.memberOf
Operation/Value = LDAP Group
09-30-2020 07:14 AM
@Rob Ingram: it works!!! You are a big Boss
09-30-2020 04:43 AM
Please go through the steps below and check whether it is properly configured or not.
Configure a NOACCESS Group-policy
You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn
You must apply this group policy as a default group policy to the tunnel-group. This allows users who get a mapping from the LDAP attribute map, for example those who belong to a desired LDAP group, to get their desired group policies and users who do not get any mapping, for example those who do not belong to any of the desired LDAP groups, to get NOACCESS group-policy from the tunnel-group, which blocks the access for them.
Tip: Since the vpn-simultaneous-logins attribute is set to 0 here, it must be explicitly defined in all the other group-policies as well; otherwise, it will be inherited from the default group-policy for that tunnel group, which in this case is the NOACCESS policy.
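As an added illustration (not from the thread or from Cisco), the following Python model walks through the three decisions discussed above: the exact DN match an ldap attribute-map performs (which is why the CN=Users map-value never matched the OU=GROUPES group), the inheritance of vpn-simultaneous-logins from the tunnel-group's default NOACCESS policy, and a DAP-style rule on cisco.tunnelgroup plus ldap.memberOf that terminates a vpn_daf member who picks the VPN_VIP profile. The group DNs and policy names are taken from the thread; the vpn_vip DN and the `GroupPolicy_UNSET` policy are assumed for the demonstration.

```python
# Added example, not from the thread: a small Python model of how the ASA
# walks an ldap attribute-map to pick a group-policy, how vpn-simultaneous-logins
# inherits from the tunnel-group's default policy (NOACCESS), and how a DAP rule
# on cisco.tunnelgroup + ldap.memberOf stops a DAF member on the VIP tunnel-group.
# DNs and policy names come from the thread; the vpn_vip DN is assumed.

JSNOW_MEMBEROF = ["CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr"]

# The poster's first map-value used CN=Users; the debug showed OU=GROUPES.
WRONG_MAP = {"CN=vpn_daf,CN=Users,DC=in,DC=ac-arcueil,DC=fr": "GroupPolicy_VPN_DAF"}
RIGHT_MAP = {
    "CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr": "GroupPolicy_VPN_DAF",
    "CN=vpn_vip,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr": "GroupPolicy_VPN_VIP",  # assumed DN
}

# group-policy attributes; an absent key means "inherit from the default policy"
GROUP_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_VPN_DAF": {"vpn-simultaneous-logins": 3},
    "GroupPolicy_VPN_VIP": {"vpn-simultaneous-logins": 3},
    "GroupPolicy_UNSET": {},  # assumed policy showing the mistake the Tip warns about
}

# DAP: terminate when cisco.tunnelgroup is VPN_VIP and ldap.memberOf holds vpn_daf
DAP_TERMINATE = [("VPN_VIP", "CN=vpn_daf,")]


def normalize_dn(dn):
    """LDAP DNs compare case-insensitively; also drop spaces around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def map_group_policy(member_of, attribute_map):
    """First memberOf value with an exact map-value match wins; None if no match."""
    table = {normalize_dn(k): v for k, v in attribute_map.items()}
    return next((table[normalize_dn(m)] for m in member_of if normalize_dn(m) in table), None)


def authorize(member_of, tunnel_group, attribute_map, default_policy="NOACCESS"):
    """Return (group_policy, allowed, reason) for one connection attempt."""
    gp = map_group_policy(member_of, attribute_map) or default_policy
    inherited = GROUP_POLICIES[default_policy]["vpn-simultaneous-logins"]
    if GROUP_POLICIES[gp].get("vpn-simultaneous-logins", inherited) == 0:
        return gp, False, "vpn-simultaneous-logins 0"
    for tg, cn in DAP_TERMINATE:
        if tunnel_group == tg and any(normalize_dn(m).startswith(cn.lower()) for m in member_of):
            return gp, False, "DAP terminate: %s on tunnel-group %s" % (cn, tg)
    return gp, True, "ok"
```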