Cisco ASA - Using DAP with LDAP to authenticate or deny users vpn access

beaujames05
Level 1

I have created an LDAP connection with our domain controller and can successfully authenticate.  I have 3 different tunnel groups that are tied to one general anyconnect group-policy.  The 3 groups that I am working with are Network Operations, Sales, and Outside Plant.  

I am using dynamic access policies to map the AD group with the tunnel-group to issue out the correct split-tunnel ACL for that group.  This functions properly. 

However, the issue I am running into is this.

vpnuser is a test account that only exists in NetworkDeviceAccess.  This AD group is a memberOf in the DAP policy for Network Operations. 

The sales DAP AD group is vpnAccess and the test user vpnuser does not exist in that group, but the DAP specifies only the vpnAccess memberOf. The DAP specifies that ALL conditions must be met, but vpnuser is allowed to log in to the sales DAP even though it doesn't exist in the AD group specified in the DAP rule.

What am I missing?

3 Replies

Rahul Govindan
VIP Alumni

Can you provide a screenshot of the DAP Edit Policy screen for the Network Operations and Sales DAP policies?

Also, run "debug dap trace" on the CLI when testing with this user and post results here if possible. This should show the DAP processing logic and attributes returned by the user.

RAVPN-ASA# test aaa-server authentication LDAP_VPN_AUTH host 192.168.18.10 use$
Password: ****************
INFO: Attempting Authentication test to IP address (192.168.18.10) (timeout: 12 seconds)

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00002aaac8d267e8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://192.168.18.10:389
[-2147483641] Connect to LDAP server: ldap://192.168.18.10:389, status = Successful
[-2147483641] supportedLDAPVersion: value = 3
[-2147483641] supportedLDAPVersion: value = 2
[-2147483641] LDAP server 192.168.18.10 is Active directory
[-2147483641] Binding as corp\ravpn
[-2147483641] Performing Simple authentication for corp\ravpn to 192.168.18.10
[-2147483641] LDAP Search:
Base DN = [dc=corp,dc=xxxx,dc=net]
Filter = [sAMAccountName=vpnuser]
Scope = [SUBTREE]
[-2147483641] User DN = [CN=vpnuser,OU=Special Accounts,OU=xxxx,DC=corp,DC=xxxxx,DC=net]
[-2147483641] Talking to Active Directory server 192.168.18.10
[-2147483641] Reading password policy for vpnuser, dn:CN=vpnuser,OU=Special Accounts,OU=xxxx,DC=corp,DC=xxxx,DC=net
[-2147483641] Read bad password count 5
[-2147483641] Binding as vpnuser
[-2147483641] Performing Simple authentication for vpnuser to 192.168.18.10
[-2147483641] Processing LDAP response for user vpnuser
[-2147483641] Message (vpnuser):
[-2147483641] Authentication successful for vpnuser to 192.168.18.10
[-2147483641] Retrieved User Attributes:
[-2147483641] objectClass: value = top
[-2147483641] objectClass: value = person
[-2147483641] objectClass: value = organizationalPerson
[-2147483641] objectClass: value = user
[-2147483641] cn: value = vpnuser
[-2147483641] givenName: value = vpnuser
[-2147483641] distinguishedName: value = CN=vpnuser,OU=Special Accounts,OU=XXXX,DC=corp,DC=XXXX,DC=ne
[-2147483641] instanceType: value = 4
[-2147483641] whenCreated: value = 20180925135505.0Z
[-2147483641] whenChanged: value = 20180925135639.0Z
[-2147483641] displayName: value = vpnuser
[-2147483641] uSNCreated: value = 37791987
[-2147483641] memberOf: value = CN=NetworkDeviceAccess,OU=Special Groups,OU=XXXX Groups,DC=corp,DC=cv
[-2147483641] uSNChanged: value = 37792033
[-2147483641] name: value = vpnuser
[-2147483641] objectGUID: value = .M.l...E.(."7*..
[-2147483641] userAccountControl: value = 66048
[-2147483641] badPwdCount: value = 5
[-2147483641] codePage: value = 0
[-2147483641] countryCode: value = 0
[-2147483641] badPasswordTime: value = 131824523421933940
[-2147483641] lastLogoff: value = 0
[-2147483641] lastLogon: value = 0
[-2147483641] pwdLastSet: value = 131823573060618012
[-2147483641] primaryGroupID: value = 513
[-2147483641] objectSid: value = ..............D.v..4&:+.....
[-2147483641] accountExpires: value = 9223372036854775807
[-2147483641] logonCount: value = 0
[-2147483641] sAMAccountName: value = vpnuser
[-2147483641] sAMAccountType: value = 805306368
[-2147483641] userPrincipalName: value = vpnuser@corp.xxxx.net
[-2147483641] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=xxxx,DC=net
[-2147483641] dSCorePropagationData: value = 16010101000000.0Z
[-2147483641] lastLogonTimestamp: value = 131823573996961008
[-2147483641] Fiber exit Tx=605 bytes Rx=2797 bytes, status=1
[-2147483641] Session End
INFO: Authentication Successful
DAP_TRACE: DAP_close: 6
DAP_TRACE: DAP_open: New DAP Request: 7
DAP_TRACE: aaa["cisco"]["username"] = "vpnuser"
DAP_TRACE: aaa["ldap"]["memberOf"] = "NetworkDeviceAccess"
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "TG_ANYCONNECT_NET_OP"
DAP_TRACE: Selected DAPs: ,DAP_ANYCONNECT_NET_OP
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: DAP_close: 7

RAVPN-ASA#
RAVPN-ASA# DAP_TRACE: DAP_open: New DAP Request: 8
DAP_TRACE: aaa["cisco"]["username"] = "vpnuser"
DAP_TRACE: aaa["ldap"]["memberOf"] = "VPN_Users"
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "TG_ANYCONNECT_SALES"
DAP_TRACE: Selected DAPs: ,DAP_ANYCONNECT_SALES
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: DAP_close: 8
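A small model of the DAP selection step that the traces above exercise, added here as an example (this is not Cisco's code and not from the thread). It parses DAP_TRACE attribute lines of the shape shown into the aaa attribute table, then evaluates DAP records under the "all criteria" and "any criteria" match modes, which is the setting the original post says is set to ALL. The record names, tunnel group names and group names are taken from the thread; the trace text is constructed to mirror the posted output. Two points are assumptions of the model rather than facts from the page: that memberOf is compared against the group CN only (the trace prints only the CN), and that DfltAccessPolicy is applied when no other record matches.

```python
import re
from dataclasses import dataclass

# Constructed sample traces, shaped like the DAP_TRACE output posted in the thread.
# Request 7: vpnuser connecting to the Network Operations tunnel group.
# Request 8: the same user connecting to the Sales tunnel group.
TRACE_NET_OP = """\
DAP_TRACE: DAP_open: New DAP Request: 7
DAP_TRACE: aaa["cisco"]["username"] = "vpnuser"
DAP_TRACE: aaa["ldap"]["memberOf"] = "NetworkDeviceAccess"
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "TG_ANYCONNECT_NET_OP"
DAP_TRACE: DAP_close: 7
"""

TRACE_SALES = """\
DAP_TRACE: DAP_open: New DAP Request: 8
DAP_TRACE: aaa["cisco"]["username"] = "vpnuser"
DAP_TRACE: aaa["ldap"]["memberOf"] = "VPN_Users"
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "TG_ANYCONNECT_SALES"
DAP_TRACE: DAP_close: 8
"""

# One attribute line: DAP_TRACE: aaa["<source>"]["<name>"] = "<value>"
ATTR_RE = re.compile(r'DAP_TRACE: aaa\["([^"]+)"\]\["([^"]+)"\] = "([^"]*)"')


def parse_dap_trace(text):
    """Collect the aaa attributes from DAP_TRACE lines into {"source.name": [values]}.

    Values are kept as lists because a multi-valued attribute such as memberOf
    is printed once per value when the user belongs to several groups.
    """
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            key = f"{m.group(1)}.{m.group(2)}"
            attrs.setdefault(key, []).append(m.group(3))
    return attrs


@dataclass
class DapRecord:
    """A DAP record: a name, a match mode ("all" or "any"), and AAA criteria."""
    name: str
    mode: str
    criteria: list  # list of (attribute key, required value) pairs


def dap_matches(record, attrs):
    """True if the record's AAA criteria are satisfied under its match mode.

    Assumption of this model: memberOf is compared against the group CN only,
    which is what the trace prints (e.g. "NetworkDeviceAccess", not the full DN).
    """
    results = [value in attrs.get(key, []) for key, value in record.criteria]
    if record.mode == "all":
        return all(results)
    return any(results)


def select_daps(records, attrs):
    """Return the names of all matching records, or the default policy if none match.

    Assumption of this model: when no record matches, the ASA falls back to
    DfltAccessPolicy, so a session is never left without a policy.
    """
    selected = [r.name for r in records if dap_matches(r, attrs)]
    return selected or ["DfltAccessPolicy"]


# The two DAP records described in the thread: each requires the tunnel group
# AND the group membership ("all" mode), which is the intended configuration.
RECORDS_ALL = [
    DapRecord("DAP_ANYCONNECT_NET_OP", "all",
              [("cisco.tunnelgroup", "TG_ANYCONNECT_NET_OP"),
               ("ldap.memberOf", "NetworkDeviceAccess")]),
    DapRecord("DAP_ANYCONNECT_SALES", "all",
              [("cisco.tunnelgroup", "TG_ANYCONNECT_SALES"),
               ("ldap.memberOf", "vpnAccess")]),
]

# The same records with the Sales record switched to "any" mode. The tunnel
# group alone then satisfies the record, so a user outside vpnAccess is selected
# into the Sales DAP. This reproduces the symptom in the model; it is not a claim
# about what is configured on the poster's ASA.
RECORDS_SALES_ANY = [
    RECORDS_ALL[0],
    DapRecord("DAP_ANYCONNECT_SALES", "any", RECORDS_ALL[1].criteria),
]


if __name__ == "__main__":
    for label, trace in (("net_op", TRACE_NET_OP), ("sales", TRACE_SALES)):
        attrs = parse_dap_trace(trace)
        print(label, "all-mode ->", select_daps(RECORDS_ALL, attrs))
        print(label, "any-mode ->", select_daps(RECORDS_SALES_ANY, attrs))
```

Running the model against the Sales trace with "all" mode selects only the default policy, because memberOf came back as VPN_Users rather than vpnAccess; the same trace under "any" mode selects DAP_ANYCONNECT_SALES on the tunnel group alone. Comparing the memberOf value the trace prints with the value typed into the DAP criterion, and confirming the record's match mode, are the two checks this model makes visible.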
Strange. Can you get the output of "debug menu dap 2" from the ASA?