ASA5508 - Restrict LDAP group access

salinas_42
Level 1

I have a remote access VPN that works fine, but I need to restrict access to only one Active Directory group. I have configured the following, but any AD user can connect. The AD group to which I want to limit VPN connections is UsersVpn. Can someone help me solve this?

ldap attribute-map VPN_MAP
  map-name memberOf Group-Policy
  map-value memberOf cn=UsersVpn,ou=JDLPVpn,dc=fjdlp,dc=com permit-vpn
aaa-server LDAP_JDLP protocol ldap
aaa-server LDAP_JDLP (inside) host 192.168.10.237
 ldap-base-dn DC=fjdlp,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrador,cn=Users,dc=fjdlp,dc=com
 server-type microsoft
 ldap-attribute-map VPN_MAP

6 Replies

Rahul Govindan
VIP Alumni

The above configuration only assigns the group-policy "permit-vpn" to the users in the AD group UsersVpn. Anyone not in that group will get assigned the default-group-policy that is assigned to the tunnel-group. In order to restrict those users, your default-group-policy should be something other than "permit-vpn" (like NoAccess) with "vpn-simultaneous-logins" set to 0. "permit-vpn" should have this value set to 3.

An example of this is given here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

Hello,
I currently have this group policy, which is the default:

group-policy GroupPolicy_JARDINES-RA internal
group-policy GroupPolicy_JARDINES-RA attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none

Then what I should do is change this policy so that nobody can connect, and create a new one so that only users in the "UsersVpn" group can connect:

group-policy GroupPolicy_JARDINES-RA internal
group-policy GroupPolicy_JARDINES-RA attributes
 vpn-simultaneous-logins 0

group-policy permit-vpn internal
group-policy permit-vpn attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none

Yes, you are correct. This assumes that "GroupPolicy_JARDINES-RA" is the default-group-policy under the tunnel-group.

Hello,
I made the changes and now no user can connect. When entering the credentials in AnyConnect, it shows a password error message, both for users who were added to the group and for those who are not in the group.

Run "debug ldap 255" on the ASA while testing this to see whether they are being assigned to the right group-policy.

Hello,
Thank you very much for your help. The problem was the upper and lower case; I changed it and now it works well.
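The thread's pieces assembled into one complete configuration, as an added example (not the original poster's running config or Cisco's documentation). It combines the attribute map, the deny-by-default group-policy, the permit policy and the tunnel-group binding that the replies describe, and it applies the fix the poster found: the `map-value` string must match the `memberOf` value exactly as Active Directory returns it, including the case of `CN=`, `OU=` and `DC=`, because the ASA compares the two literally. The group-policy name NoAccess, the tunnel-group name JARDINES-RA and the bind account `svc-asa-ldap` are assumptions; the server address, base DN, group DN and network-list name come from the thread. The bind account is changed from the domain administrator to a dedicated low-privilege account, since the ASA only needs to read user objects and their `memberOf` attribute.

```cisco
! Added example; not the configuration posted in the thread.
! Assumed names: NoAccess, JARDINES-RA, svc-asa-ldap.

! 1. Map the AD group to a group-policy.
!    The map-value must match the memberOf string AD returns, character for
!    character, including case. AD returns the attribute types in upper case
!    (CN=, OU=, DC=) and the RDN values in the case the objects were created with.
!    Confirm the exact string with "debug ldap 255" before trusting it.
ldap attribute-map VPN_MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=UsersVpn,OU=JDLPVpn,DC=fjdlp,DC=com permit-vpn

! 2. LDAP server definition. A read-only service account (assumed name) is
!    enough for the bind; the domain administrator is not needed here.
aaa-server LDAP_JDLP protocol ldap
aaa-server LDAP_JDLP (inside) host 192.168.10.237
 ldap-base-dn DC=fjdlp,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=fjdlp,DC=com
 server-type microsoft
 ldap-attribute-map VPN_MAP

! 3. Deny-by-default policy. Users whose memberOf matches no map-value land
!    here and are refused because zero simultaneous logins are allowed.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! 4. Policy assigned only to members of UsersVpn through the attribute map.
group-policy permit-vpn internal
group-policy permit-vpn attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none

! 5. Tunnel-group: authenticate against the LDAP server and fall back to the
!    deny-by-default policy for anyone the map does not match.
tunnel-group JARDINES-RA type remote-access
tunnel-group JARDINES-RA general-attributes
 authentication-server-group LDAP_JDLP
 default-group-policy NoAccess
```

To verify, run `debug ldap 255` and connect once as a UsersVpn member and once as a user outside the group. For the member, the debug output should show the `memberOf` value returned by AD followed by a line reporting that it was mapped to the Group-Policy `permit-vpn`; if the `memberOf` line is present but no mapping line follows, the `map-value` string does not match the returned value and the case is the first thing to compare. The non-member should show no mapping and fail to log in, which is the expected result of landing in NoAccess rather than a credential problem.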