Cisco AnyConnect Dynamic Access Policies

eric.mofammere
Level 1

Hi all,

Cisco ASA running 9.2(3)

I am configuring AnyConnect VPN using Dynamic Access Policies and I have configured AAA LDAP against Windows Active Directory and this is working fine. What I would like to do is set up some granularity and create AD groups that give network access to particular network resources.

e.g. I create an AD group called "Contractors", put my authorized users in that, create a DAP policy that has a network ACL configured that says:

permit from VPN pool access to an object-group that contains servers that my contractors work on.

Everything is working OK in terms of applying the correct policy to the correct user, but the problem is that all users who have VPN access always have full access to all network resources. e.g. all authenticated users can always SSH, RDP or Telnet to all servers on the VPN.

I think I somehow need an implicit deny, or perhaps I could create a DAP ACL deny-all policy. I have tried creating a deny-all DAP, with a "Deny Any Any" ACL and giving that a low priority etc., but nothing seems to work.

How do I make sure that my contractors only have access to the servers I've allowed them access to in the DAP ACL?

11 Replies

Philip D'Ath
VIP Alumni

If a user matches no DAP policy - what rights do they have?  Basically you want users to have no rights by default (or only rights that you want every user to have), and then use DAP to add on rights.

Also make sure you have the below command, otherwise VPN users can access everything by default.

no sysopt connection permit-vpn

@Philip D'Ath

I tried using this command and basically all my VPNs stopped working.

That means you don't have access rules to allow the vpn traffic.

I have the following DAPs defined for each user group on AD. They are supposed to give each AD group access to a specific resource on my network.

dynamic-access-policy-record DfltAccessPolicy
 network-acl GR-SI-VPN-deny
dynamic-access-policy-record Group1
 network-acl Group1
dynamic-access-policy-record Group2
 network-acl Group2
dynamic-access-policy-record Group3
 network-acl Group3
dynamic-access-policy-record Group4
 network-acl Group4

You are missing the most key bit of my post.

If you have "sysopt connection permit-vpn" (by not specifying "no sysopt connection permit-vpn") then all access lists are bypassed for VPN connections.  The VPNs have unrestricted access.

You need to specify "no sysopt connection permit-vpn" and then control access for all VPNs using access-lists.
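As an added example (not config posted in this thread), here is how the design Philip describes would look on an ASA running 9.x CLI: VPN traffic is made subject to access control, the interface ACL lets pool traffic in, the default DAP denies everything, and a per-group DAP ACL permits only that group's servers. The pool, server addresses, interface name and ACL names are assumptions chosen for illustration; the AD group criterion (memberOf) that selects the "Contractors" record is set in ASDM and stored in dap.xml, so it does not appear in the running-config.

```cisco
! Stop decrypted VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-vpn
!
! Assumed addressing: VPN address pool and the protected inside network.
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
!
! Servers the Contractors group works on (assumed addresses).
object-group network CONTRACTOR-SERVERS
 network-object host 10.10.20.11
 network-object host 10.10.20.12
!
! With sysopt disabled the outside interface ACL now sees VPN traffic, so it
! must admit the pool; per-group filtering is left to the DAP ACLs below.
access-list OUTSIDE-IN extended permit ip object VPN-POOL object INSIDE-NET
access-group OUTSIDE-IN in interface outside
!
! Default DAP: applied only when no other DAP record matches. Deny everything.
access-list DAP-DENY-ALL extended deny ip any any
dynamic-access-policy-record DfltAccessPolicy
 network-acl DAP-DENY-ALL
!
! Contractors DAP: permit SSH and RDP to the listed servers only.
! A DAP network ACL ends in an implicit deny, and ASDM requires all ACEs in a
! DAP ACL to be of one type (all permit or all deny), so no explicit deny here.
access-list DAP-Contractors extended permit tcp object VPN-POOL object-group CONTRACTOR-SERVERS eq 22
access-list DAP-Contractors extended permit tcp object VPN-POOL object-group CONTRACTOR-SERVERS eq 3389
dynamic-access-policy-record Contractors
 network-acl DAP-Contractors
 priority 10
```

If a user is a member of more than one AD group and matches several DAP records, the ASA aggregates their network ACLs in priority order, so keep each group's ACL permit-only and let the implicit deny do the blocking; a session that hits DfltAccessPolicy gets the deny-all ACL and reaches nothing, which is the "deny by default, add rights with DAP" posture described above.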

@Philip D'Ath

When I apply the "no sysopt connection permit-vpn" command the VPN connects successfully, however the users can't connect to any resources on the network even with those DAPs in place.

What appears in the log?  It sounds like DAP might not be matching then.

See what "debug dap trace" produces.

Rahul Govindan
VIP Alumni

Do you have the users matching multiple DAP rules? The DAP ACLs for all the matching rules get applied for a user. Also the order of the rules matters, as the multiple ACLs are applied in the order of the rules. If you have just one rule and the user matches that, he/she should be filtered based on that rule alone.

@Rahul Govindan

I have a DAP ACL for each AD group, so no one user belongs to multiple groups.

The issue is that even though I defined specific DAP ACLs for each of the groups, it's not working, as all the users in different AD groups are able to connect to everything. It almost seems as if the DAP ACLs are being bypassed.

eric.mofammere
Level 1

@Philip D'Ath thanks a lot! Everything is working.