ASA SSL VPN Group policy mapping via Active directory

meidanmeshulam
Level 1

Hi everyone,

I got a VPN question, I'm looking at the next configuration:
group-policy "nomfa-Support, ou=VPNUsers" internal
group-policy "nomfa-Support, ou=VPNUsers" attributes
banner aaaabbbbccccddddeeeeffff
dns-server value 10.132.4.186 10.134.27.11
vpn-filter value RA_SCB_SUPPORT
vpn-tunnel-protocol ssl-client

Is this something that is supposed to work without the tunnel mapping?
There is no tunnel configuration that uses the group policy, at least not in the "sh run", and as far as I know there should be. For example, if we look at this group policy:
group-policy "HCL, ou=VPNUsers" internal
group-policy "HCL, ou=VPNUsers" attributes
vpn-filter value RA_VEN_HCL
vpn-tunnel-protocol ssl-client
webvpn
anyconnect profiles value HCLProfile type user

we can also find a tunnel that uses this policy:
tunnel-group HCLGroup type remote-access
tunnel-group HCLGroup general-attributes
authentication-server-group RADIUS_GROUP
accounting-server-group RADIUS_GROUP
default-group-policy "HCL, ou=VPNUsers"
tunnel-group HCLGroup webvpn-attributes
proxy-auth sdi

Thanks a lot !

3 Replies

@meidanmeshulam 

If the group-policy is not explicitly called by a tunnel-group, it could be applied dynamically via the RADIUS server.

You'd use "Class = ou=<GROUP-POLICY-NAME>"
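As an added, constructed example (not part of this thread and not a Cisco tool): a small Python audit that lists the group-policies in a "show run" excerpt that no tunnel-group names as its default-group-policy, i.e. the ones that can only reach a user through a dynamic assignment such as the RADIUS Class attribute described above. SAMPLE_RUN is constructed from the configuration lines quoted in the question.

```python
import re

# Constructed sample in the style of the "show run" excerpt from the question.
SAMPLE_RUN = """
group-policy "nomfa-Support, ou=VPNUsers" internal
group-policy "nomfa-Support, ou=VPNUsers" attributes
 vpn-filter value RA_SCB_SUPPORT
 vpn-tunnel-protocol ssl-client
group-policy "HCL, ou=VPNUsers" internal
group-policy "HCL, ou=VPNUsers" attributes
 vpn-filter value RA_VEN_HCL
 vpn-tunnel-protocol ssl-client
tunnel-group HCLGroup type remote-access
tunnel-group HCLGroup general-attributes
 authentication-server-group RADIUS_GROUP
 default-group-policy "HCL, ou=VPNUsers"
"""

# A group-policy name is either a quoted string (may contain spaces and commas)
# or a single bare token; "internal"/"external" marks the definition line.
GP_DEF_RE = re.compile(r'^group-policy\s+("[^"]+"|\S+)\s+(?:internal|external)\b', re.M)
# A static mapping is a tunnel-group's default-group-policy line.
DEFAULT_GP_RE = re.compile(r'^\s*default-group-policy\s+("[^"]+"|\S+)\s*$', re.M)


def _unquote(name):
    return name.strip('"')


def group_policies(run):
    """Names of every group-policy defined in the running config."""
    return {_unquote(m.group(1)) for m in GP_DEF_RE.finditer(run)}


def statically_mapped(run):
    """Names referenced by some tunnel-group's default-group-policy."""
    return {_unquote(m.group(1)) for m in DEFAULT_GP_RE.finditer(run)}


def unmapped_group_policies(run):
    """Group-policies with no static tunnel-group mapping: these are the ones to
    look up on the RADIUS server, since only a dynamic assignment can apply them."""
    return sorted(group_policies(run) - statically_mapped(run))


def expected_class_attribute(policy_name):
    """RADIUS Class value in the form given in the reply: 'ou=<GROUP-POLICY-NAME>'."""
    return f"ou={policy_name}"


if __name__ == "__main__":
    for name in unmapped_group_policies(SAMPLE_RUN):
        print(f"{name!r}: no tunnel-group mapping; expect RADIUS Class "
              f"{expected_class_attribute(name)!r}")
```

Run against real output it points you at exactly the policies whose assignment must be confirmed on the RADIUS side, as the reply recommends.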

Thank you for your answer. Is there a way to see that dynamic mapping on the ASA itself?

@meidanmeshulam 

Only by checking the user sessions using "show vpn-sessiondb detail anyconnect", which will show the group-policy applied to the active user's session. There is no other way of confirming the group-policy is in use on the ASA, that I know of.


You should check the configuration of the RADIUS server to confirm.