Cisco ASA and LDAP Authentication for AnyConnect

jisaacs
Level 1

I am working on a configuration for LDAP authentication for AnyConnect on a Cisco ASA.  The LDAP command line test works using the CLI on the local device, but authentication fails when using the AnyConnect client.

 

#test aaa-server authentication corp_ldap username vpn-testuser password xxxxxxx

 

I've determined the issue is with the default-group-policy NOACCESS that is part of the tunnel-group profile.  If I remove the default-group-policy the AnyConnect client works. Using a "debug ldap 255" I can see that the LDAP authentication and policy mapping is taking place.

 

[88375] memberOf: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local
[88375] mapped to Group-Policy: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local
[88375] mapped to LDAP-Class: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local

 

I have checked and the

Is there some configuration item I am missing?

 

group-policy NOACCESS internal
group-policy NOACCESS attributes
    vpn-simultaneous-logins 0

 

tunnel-group developers type remote-access
tunnel-group developers general-attributes
    address-pool developers_pool
    authentication-server-group xyz_ldap
    default-group-policy NOACCESS
tunnel-group developers webvpn-attributes
    group-alias developers enable
    group-url https://developers.xyx.com enable

 

 

 

4 Replies

Sorted out your issue?

Hi,
AnyConnect works when you don't use the group-policy NOACCESS because if no group-policy is defined it would use the group-policy called "DfltGrpPolicy". This default policy is permitting "vpn-simultaneous-logins" of 3 whereas your NOACCESS policy is set to 0, so no connections will be permitted. Your policy does not appear to have any VPN protocols defined (IKEv2, SSL Client etc); without a VPN protocol no connections will be permitted.

 

Either modify your existing NOACCESS policy, carry on using the default policy or create a new policy - ensure the following is defined.

 

vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

 

HTH

Thanks,

 

I can see that the policy NOACCESS is not allowing the AnyConnect client to connect.  But am I misunderstanding the tunnel-group configuration I have?

I have the tunnel-group set to "authentication-server-group xyz_ldap". I see this successfully happening with a debug ldap 255 and it is assigning the group-policy "Developers".

 

[88375] memberOf: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local
[88375] mapped to Group-Policy: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local
[88375] mapped to LDAP-Class: value = CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local

 

tunnel-group developers type remote-access
tunnel-group developers general-attributes
    address-pool developers_pool
    authentication-server-group xyz_ldap
    default-group-policy NOACCESS
tunnel-group developers webvpn-attributes
    group-alias developers enable
    group-url https://developers.xyx.com enable

 

I have taken the NOACCESS policy from the following Cisco doc, which says:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

From the Cisco doc.

Configure a NOACCESS Group-policy

You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

 

Thanks,

 

J

 

I have been looking over similar issues in this forum for LDAP authentication with a NOACCESS default policy.  Many times the solution is to make sure the vpn-simultaneous-logins is not inherited within the group-policy being assigned.  I have confirmed that this value is not being inherited.  Are there any other values that need to be set?

 

ldap attribute-map devLDAP
   map-name memberOf Group-Policy
   map-value memberOf "memberOf CN=VPN-Developers,OU=Resources,OU=Groups,OU=xyz,DC=CORP,DC=AD,DC=local GroupPolicy_developers"


group-policy NOACCESS internal
group-policy NOACCESS attributes
   vpn-simultaneous-logins 0

 
group-policy GroupPolicy_developers internal
group-policy GroupPolicy_developers attributes
   wins-server none
   dns-server value 10.50.100.10 10.40.65.103
   vpn-simultaneous-logins 4
   vpn-tunnel-protocol ssl-client ssl-clientless
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value developers
   default-domain value corp.xyz.local

 

Thanks,

 

J
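As an added example (not from the thread or from Cisco), a small Python checker that models the resolution the thread's debug output shows: the memberOf DN is looked up in the ldap attribute-map's map-value entries, the resulting name must exist as a group-policy, and otherwise the tunnel-group's default-group-policy applies; it then reports the settings in the chosen policy that stop a session. The config and debug line are constructed from the thread's names, and exact-string DN comparison is an assumption of this model.

```python
import re
# Constructed sample using the thread's names; not the poster's full running-config.
ASA_CONFIG = """\
ldap attribute-map devLDAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Developers,OU=Resources,OU=Groups,OU=xyz,DC=CORP,DC=AD,DC=local" GroupPolicy_developers
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GroupPolicy_developers attributes
 vpn-simultaneous-logins 4
 vpn-tunnel-protocol ssl-client ssl-clientless
tunnel-group developers general-attributes
 default-group-policy NOACCESS
"""
# Constructed "debug ldap 255" line in the format the thread shows.
DEBUG_LINE = ("[88375] memberOf: value = "
              "CN=Developers,OU=Resources,OU=Groups,OU=XYZ,DC=CORP,DC=AD,DC=local")
def parse_config(text):
    # Collect map-values, per-policy attributes and the tunnel-group default.
    cfg = {"map_values": {}, "policies": {}, "default": None}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None
        if m := re.match(r'\s*map-value memberOf "([^"]+)" (\S+)', line):
            cfg["map_values"][m.group(1)] = m.group(2)
        elif m := re.match(r"group-policy (\S+) (internal|attributes)", line):
            current = cfg["policies"].setdefault(m.group(1), {})
        elif m := re.match(r"\s*default-group-policy (\S+)", line):
            cfg["default"] = m.group(1)
        elif current is not None and (m := re.match(r"\s+(\S+) (.+)", line)):
            current[m.group(1)] = m.group(2)
    return cfg
def member_of_from_debug(line):
    # Pull the DN out of a "[id] memberOf: value = <DN>" debug line.
    return re.search(r"memberOf: value = (.+)$", line).group(1)
def effective_policy(cfg, member_of):
    # Matching map-value (exact compare, an assumption) gives the policy name; else the raw DN is the name.
    mapped = cfg["map_values"].get(member_of, member_of)
    if mapped in cfg["policies"]:
        return mapped, "mapped"
    return cfg["default"], f"no group-policy named {mapped!r}; using default"

def find_blockers(cfg, policy):
    # Settings in the chosen policy that stop an AnyConnect session.
    attrs = cfg["policies"].get(policy, {})
    checks = {"vpn-simultaneous-logins 0": attrs.get("vpn-simultaneous-logins") == "0",
              "vpn-tunnel-protocol not set (inherited)": "vpn-tunnel-protocol" not in attrs}
    return [name for name, hit in checks.items() if hit]
```

Run against the constructed input, the DN from the debug line matches no map-value and no group-policy of that name exists, so the checker resolves to NOACCESS and lists vpn-simultaneous-logins 0 as the blocker.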