Cisco Anyconnect and using Dynamic policies to add to security

Richard Tapp
Level 1

I am currently testing AnyConnect. My company does not want to have the expense of a 2-factor authentication for all users (as this will only be a temp solution).

So I have been trying this:

1/ AD-authenticated primary login. This works fine.

2/ Use an AD group check in a dynamic policy to see if the user is allowed to proceed.

The dynamic part is not working, I have been using this link to try it.

http://qfina.blogspot.co.uk/2013/10/active-directory-group-based.html

But as soon as I set the default policy to ‘terminate’ I cannot log in.

One thing I have noticed: in the CLI my policy looks like this:

dynamic-access-policy-record Testing_2
 network-acl Test_Any
 priority 1

But in the GUI it is showing the two AAA attributes I have set (see attachment). Is this correct?

David Castro F.
Spotlight

Hello Richard,

I would recommend setting up LDAP attribute mapping, and the "NOACCESS" group policy along with it, in order to achieve what you want; it is simpler:

Configure a NOACCESS Group-policy

You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn

You must apply this group policy as the default group policy of the tunnel-group. This allows users who get a mapping from the LDAP attribute map (for example, those who belong to a desired LDAP group) to get their desired group policies, while users who do not get any mapping (for example, those who do not belong to any of the desired LDAP groups) get the NOACCESS group-policy from the tunnel-group, which blocks access for them.

Then you will need to configure the LDAP attribute mapping to map memberOf to the group policy the user should connect to, for example:

ldap attribute-map Class
 map-name memberOf Group-Policy
 map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup3
 map-value memberOf CN=Employees,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup2
 map-value memberOf CN=Engineering,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup1

So the users in the "cisco-Eng" group will be mapped to the ASAGroup3 group policy; if a user does not belong to any of those groups, the user will be denied when trying to log in.

Please rate and mark this post as correct if it helped you! Keep me posted if you have any questions!

David Castro,
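To make the default-deny logic of the reply above concrete, here is an added example (not part of the original thread and not Cisco code) that parses the two configuration snippets from the reply and works out which group-policy a given set of memberOf values resolves to. The tie-break when a user matches several map-values (first map-value in configuration order wins), the case-insensitive DN comparison, and the ASAGroup1-3 policy definitions are assumptions of this model, not documented ASA behaviour.

```python
"""Model of the ASA 'LDAP attribute-map + default NOACCESS group-policy' pattern.

Constructed example: parses the configuration text as posted in the reply and
evaluates the policy a user lands in. Users with no matching memberOf value
fall through to the tunnel-group default, NOACCESS, whose
vpn-simultaneous-logins 0 blocks the connection.
"""
import re

# Group policies from the reply, plus minimal ASAGroup1-3 definitions
# (constructed so every mapped policy exists in this model).
GROUP_POLICY_CONFIG = """
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
group-policy ASAGroup1 internal
group-policy ASAGroup2 internal
group-policy ASAGroup3 internal
group-policy ASAGroup3 attributes
 vpn-simultaneous-logins 3
"""

# LDAP attribute map exactly as shown in the reply.
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map Class
 map-name memberOf Group-Policy
 map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup3
 map-value memberOf CN=Employees,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup2
 map-value memberOf CN=Engineering,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup1
"""

# Assumption: an unset vpn-simultaneous-logins inherits the usual ASA default of 3.
DEFAULT_SIMULTANEOUS_LOGINS = "3"


def parse_attribute_map(text):
    """Return an ordered list of (ldap_dn, group_policy) from map-value lines."""
    mapping = []
    for line in text.splitlines():
        m = re.match(r"\s*map-value\s+memberOf\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            mapping.append((m.group(1), m.group(2)))
    return mapping


def parse_group_policies(text):
    """Return {policy_name: {attribute: value}} from group-policy config lines."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*group-policy\s+(\S+)\s+(internal|attributes)\s*$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {})
            continue
        m = re.match(r"\s+(\S+)\s+(.*\S)\s*$", line)   # indented attribute line
        if m and current:
            policies[current][m.group(1)] = m.group(2)
    return policies


def resolve_group_policy(member_of, mapping, default_policy="NOACCESS"):
    """First map-value matching one of the user's memberOf DNs wins (assumed tie-break);
    no match falls back to the tunnel-group default policy."""
    user_dns = {dn.lower() for dn in member_of}
    for ldap_dn, policy in mapping:
        if ldap_dn.lower() in user_dns:
            return policy
    return default_policy


def connection_allowed(policy_name, policies):
    """A policy capping simultaneous logins at 0 denies the connection outright."""
    attrs = policies.get(policy_name, {})
    return attrs.get("vpn-simultaneous-logins", DEFAULT_SIMULTANEOUS_LOGINS) != "0"


def evaluate_login(member_of):
    """Return (resolved_policy, allowed) for a user's memberOf values."""
    mapping = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)
    policies = parse_group_policies(GROUP_POLICY_CONFIG)
    policy = resolve_group_policy(member_of, mapping)
    return policy, connection_allowed(policy, policies)


if __name__ == "__main__":
    # Constructed sample users.
    engineer = ["CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com"]
    contractor = ["CN=Contractors,CN=Users,OU=stbu,DC=cisco,DC=com"]
    print(evaluate_login(engineer))     # ('ASAGroup3', True)
    print(evaluate_login(contractor))   # ('NOACCESS', False)
```

The point of the model is the shape of the rule set: access is granted only by an explicit match, and the tunnel-group default is the deny case, so a user missing from every mapped group is blocked without any extra rule. When checking a real deployment, confirm in the ASA's own LDAP debug output which group-policy a multi-group user actually receives rather than relying on the tie-break assumed here.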