02-15-2016 11:08 AM
Hello, I have configured remote access VPN on the ASA with LDAP authentication, but I can't limit VPN access to a specific LDAP group.
Here is my config:
aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
 ldap-base-dn dc=company, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Netuser, ou=Services users, ou=ASM HQ, dc=company, dc=com
 server-type microsoft
 ldap-attribute-map AZPBTDC01
ldap attribute-map AZPBTDC01
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools none
group-policy RA_ADMIN_GP internal
group-policy RA_ADMIN_GP attributes
 dns-server value 192.168.10.251
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_RA_ACL_ADMIN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy NOACCESS
tunnel-group IPSEC_RA_ADMIN type remote-access
tunnel-group IPSEC_RA_ADMIN general-attributes
 authentication-server-group AZPBTDC01 LOCAL
 authorization-server-group AZPBTDC01
 default-group-policy RA_ADMIN_GP
The problem is that all domain users can connect to the VPN. The ASA does not filter on group membership: users who are not in the VPN_Admin group can connect, but they should not be able to.
02-15-2016 11:59 AM
While it is possible to make that approach work, I wouldn't do it that way. Instead use DAP (Dynamic Access Policy).
The instructions for it are here:
Search for "Active Directory group" to jump directly to the relevant section. Note you may need two DAP policies. One to match users in VPN_Admin, and another default policy to deny access to everyone else.
Note for the default "deny" policy I often make it pop up a message to the end user saying they don't have VPN access and to contact xxx if they want to arrange it.
02-15-2016 01:50 PM
Hello,
If the users are connecting to the tunnel-group IPSEC_RA_ADMIN they will still have access because the default group policy on that connection profile is RA_ADMIN_GP.
You need to set the NOACCESS group policy on IPSEC_RA_ADMIN; the mapping will be effective for the members of VPN_Admin, and the rest of the users will get the NOACCESS group policy.
Configure this and test it out:
tunnel-group IPSEC_RA_ADMIN general-attributes
 default-group-policy NOACCESS
Regards, please rate.
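To make the difference between the two configurations concrete, here is an added example (not code from the thread or from Cisco) that models how the ASA picks the effective group-policy for an LDAP-authenticated user: each value of the user's memberOf attribute is compared against the ldap attribute-map, and if none matches, the tunnel-group's default-group-policy applies; a policy with vpn-simultaneous-logins 0 then blocks the session. The users, their group DNs and the exact-string matching rule are constructed assumptions for illustration, not observed ASA behaviour.

```python
"""Model of ASA LDAP attribute-map evaluation (added illustration, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping


@dataclass(frozen=True)
class TunnelGroup:
    name: str
    default_group_policy: str


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    vpn_simultaneous_logins: int


# Taken from the thread's configuration.
VPN_ADMIN_DN = "CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com"

# ldap attribute-map AZPBTDC01: memberOf value -> Group-Policy name
ATTRIBUTE_MAP: Dict[str, str] = {VPN_ADMIN_DN: "RA_ADMIN_GP"}

GROUP_POLICIES: Dict[str, GroupPolicy] = {
    "NOACCESS": GroupPolicy("NOACCESS", vpn_simultaneous_logins=0),
    "RA_ADMIN_GP": GroupPolicy("RA_ADMIN_GP", vpn_simultaneous_logins=3),
}

# The two variants of the connection profile discussed in the thread.
ORIGINAL_TG = TunnelGroup("IPSEC_RA_ADMIN", default_group_policy="RA_ADMIN_GP")
FIXED_TG = TunnelGroup("IPSEC_RA_ADMIN", default_group_policy="NOACCESS")

# Constructed sample directory: sAMAccountName -> memberOf values.
# "jdoe" is an ordinary domain user, "vpnadmin" is in VPN_Admin,
# "nested" is only in a group that is itself a member of VPN_Admin.
SAMPLE_USERS: Dict[str, list] = {
    "jdoe": ["CN=Domain Users,CN=Users,DC=company,DC=com"],
    "vpnadmin": ["CN=Domain Users,CN=Users,DC=company,DC=com", VPN_ADMIN_DN],
    "nested": ["CN=Helpdesk,OU=ASM Group,OU=ASM HQ,DC=company,DC=com"],
}


def effective_group_policy(member_of: Iterable[str], tunnel_group: TunnelGroup,
                           attribute_map: Mapping[str, str] = ATTRIBUTE_MAP) -> str:
    """Return the group-policy name the user ends up with.

    Assumption: a map-value entry matches only when a memberOf value equals the
    configured DN exactly, so the DN must be copied exactly as AD returns it.
    """
    for dn in member_of:
        if dn in attribute_map:
            return attribute_map[dn]
    # No map-value matched: the connection profile's default-group-policy applies.
    return tunnel_group.default_group_policy


def connection_allowed(member_of: Iterable[str], tunnel_group: TunnelGroup,
                       policies: Mapping[str, GroupPolicy] = GROUP_POLICIES) -> bool:
    """A policy with vpn-simultaneous-logins 0 admits no sessions at all."""
    policy = policies[effective_group_policy(member_of, tunnel_group)]
    return policy.vpn_simultaneous_logins > 0


def evaluate(tunnel_group: TunnelGroup,
             users: Mapping[str, list] = SAMPLE_USERS) -> Dict[str, bool]:
    """Map each sample user to whether the ASA would let the session up."""
    return {user: connection_allowed(groups, tunnel_group) for user, groups in users.items()}


def default_policy_permits_access(tunnel_group: TunnelGroup,
                                  policies: Mapping[str, GroupPolicy] = GROUP_POLICIES) -> bool:
    """Config check: does an unmapped user (no matching memberOf) get in?"""
    return policies[tunnel_group.default_group_policy].vpn_simultaneous_logins > 0


if __name__ == "__main__":
    for label, tg in (("original", ORIGINAL_TG), ("fixed", FIXED_TG)):
        print(label, tg.default_group_policy, evaluate(tg),
              "unmapped users admitted:", default_policy_permits_access(tg))
```

With the original profile every sample user is admitted, because a non-matching memberOf simply falls through to RA_ADMIN_GP; with the default changed to NOACCESS only the direct VPN_Admin member gets in. The "nested" user is worth noticing: Active Directory's memberOf attribute lists direct memberships only, so a user who reaches VPN_Admin through a nested group does not match the map-value and is denied under the fixed configuration, which is also how the real attribute map behaves unless the DN of the nested group is mapped as well.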
02-17-2016 10:06 PM
Hello Philip,
I will try your solution also. For now Diego's answer is right. Thank you all.