07-12-2017 09:17 AM
I have a remote access VPN that works fine, but I need to restrict access to only one Active Directory group. I have configured the following, but any AD user can connect. The AD group to which I want to limit VPN connections is UsersVpn. Can someone help me solve this?
ldap attribute-map VPN_MAP
 map-name memberOf Group-Policy
 map-value memberOf cn=UsersVpn,ou=JDLPVpn,dc=fjdlp,dc=com permit-vpn
aaa-server LDAP_JDLP protocol ldap
aaa-server LDAP_JDLP (inside) host 192.168.10.237
 ldap-base-dn DC=fjdlp,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrador,cn=Users,dc=fjdlp,dc=com
 server-type microsoft
 ldap-attribute-map VPN_MAP
07-12-2017 12:37 PM
The above configuration only assigns the group-policy "permit-vpn" to users in the AD group UsersVpn. Anyone not in that group gets the default-group-policy that is assigned to the tunnel-group. To restrict those users, your default-group-policy should be something other than "permit-vpn" (like NoAccess), with "vpn-simultaneous-logins" set to 0. "permit-vpn" should have this value set to 3.
Example for this is given here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15
07-12-2017 01:41 PM
Hello
I currently have this group policy which is the default
group-policy GroupPolicy_JARDINES-RA internal
group-policy GroupPolicy_JARDINES-RA attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none
Then what I should do is change this policy so that nobody can connect, and create a new one so that only users who are in the "UsersVpn" group can connect:
group-policy GroupPolicy_JARDINES-RA internal
group-policy GroupPolicy_JARDINES-RA attributes
 vpn-simultaneous-logins 0
group-policy permit-vpn internal
group-policy permit-vpn attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none
07-13-2017 05:11 AM
Yes, you are correct. This assumes that "GroupPolicy_JARDINES-RA" is the default-group-policy under the tunnel-group.
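The pieces discussed above, assembled into one complete ASA configuration. This is an added worked example, not configuration posted by either participant. It assumes the AnyConnect connection profile (tunnel-group) is named JARDINES-RA (the thread only shows its auto-named group-policy, GroupPolicy_JARDINES-RA), it uses an assumed read-only bind account named asa-ldap instead of the administrator account from the original post, and it writes the map-value DN in the CN=/OU=/DC= form that Active Directory normally returns in memberOf; the ASA compares that DN as an exact, case-sensitive string, so the real value must be confirmed from debug output rather than assumed.

```cisco
! Added example; not from the thread. Tunnel-group name JARDINES-RA and
! bind account asa-ldap are assumptions.

! 1. Attribute map: memberOf -> Group-Policy. The DN after map-value must
!    match what AD returns character for character, including case.
ldap attribute-map VPN_MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=UsersVpn,OU=JDLPVpn,DC=fjdlp,DC=com permit-vpn

! 2. LDAP server group. A read-only lookup account is enough for the bind;
!    a domain administrator account (as in the original post) is not needed.
aaa-server LDAP_JDLP protocol ldap
aaa-server LDAP_JDLP (inside) host 192.168.10.237
 ldap-base-dn DC=fjdlp,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,CN=Users,DC=fjdlp,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map VPN_MAP

! 3. Default policy (deny): every authenticated user who is NOT matched by
!    the attribute map lands here and gets zero allowed sessions.
group-policy GroupPolicy_JARDINES-RA internal
group-policy GroupPolicy_JARDINES-RA attributes
 vpn-simultaneous-logins 0

! 4. Allow policy: reachable only through the attribute map.
group-policy permit-vpn internal
group-policy permit-vpn attributes
 wins-server none
 dns-server value 192.168.10.237
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Jardines-red
 default-domain none

! 5. Tunnel-group: authenticate against LDAP_JDLP and fall back to the
!    deny policy when the map assigns nothing.
tunnel-group JARDINES-RA type remote-access
tunnel-group JARDINES-RA general-attributes
 authentication-server-group LDAP_JDLP
 default-group-policy GroupPolicy_JARDINES-RA

! 6. Check from the CLI, without a client, for one member and one
!    non-member. With the debug on, a member's output should contain the
!    memberOf value as AD returns it followed by a line of the form
!    "mapped to Group-Policy: value = permit-vpn"; a non-member's output
!    should have no such mapping line.
! debug ldap 255
! test aaa-server authentication LDAP_JDLP host 192.168.10.237 username <user> password <password>
! undebug all
```

If the "mapped to Group-Policy" line is missing for a user who is in UsersVpn, compare the memberOf value printed by the debug against the map-value DN byte for byte: a differing case in CN, OU or DC, or a differing OU path, is enough to send the user to the deny policy.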
07-14-2017 11:19 AM
Hello
I made the changes and now no user can connect. When entering the credentials in AnyConnect, a password error message is shown, both for users who are added to the group and for those who are not in the group.
07-17-2017 02:26 PM
Run a "debug ldap 255" on the ASA when testing this to see if they are being assigned to the right Group-policy.
07-17-2017 04:00 PM
Hello
Thank you very much for your help. The problem was the upper and lower case; I changed it and now it works well.