01-25-2015 08:20 PM - edited 02-21-2020 08:02 PM
Hi all,
My current situation is like this:
I want to allow one group to access; the default is block,
but in fact, if I do not apply NOACCESS to default-group-policy, all users in AD can access;
if I apply NOACCESS to default-group-policy, all users in AD cannot access. Via debug ldap 255, I find the account authentication succeeds.
==========================================================
ldap attribute-map abc
map-name memberOf IETF-Radius-Class
map-value memberOf CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn sslvpn
==========================================================
aaa-server AD protocol ldap
aaa-server AD (Inside-A) host 192.168.0.23
ldap-base-dn dc=abcdef,dc=cn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator,cn=users,dc=acdef,dc=cn
server-type microsoft
ldap-attribute-map abc
==========================================================
tunnel-group sslvpn general-attributes
authentication-server-group AD
default-group-policy NOACCESS
==========================================================
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
==========================================================
debug ldap 255
[855169] Session Start
[855169] New request Session, context 0xae8c1b0c, reqType = Authentication
[855169] Fiber started
[855169] Creating LDAP context with uri=ldap://192.168.0.23:389
[855169] Connect to LDAP server: ldap://192.168.0.23:389, status = Successful
[855169] supportedLDAPVersion: value = 3
[855169] supportedLDAPVersion: value = 2
[855169] Binding as Administrator
[855169] Performing Simple authentication for Administrator to 192.168.0.23
[855169] LDAP Search:
Base DN = [dc=BCDEF,dc=cn]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[855169] User DN = [CN=test,OU=SSLVPN,DC=abcdef,DC=cn]
[855169] Talking to Active Directory server 192.168.0.23
[855169] Reading password policy for test, dn:CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169] Read bad password count 0
[855169] Binding as test
[855169] Performing Simple authentication for test to 192.168.0.23
[855169] Processing LDAP response for user test
[855169] Message (test):
[855169] Authentication successful for test to 192.168.0.23
[855169] Retrieved User Attributes:
[855169] objectClass: value = top
[855169] objectClass: value = person
[855169] objectClass: value = organizationalPerson
[855169] objectClass: value = user
[855169] cn: value = test
[855169] sn: value = test
[855169] distinguishedName: value = CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169] instanceType: value = 4
[855169] whenCreated: value = 20150124015828.0Z
[855169] whenChanged: value = 20150125151439.0Z
[855169] displayName: value = test
[855169] uSNCreated: value = 33195
[855169] uSNChanged: value = 33454
[855169] name: value = test
[855169] objectGUID: value = A.....JI..q....o
[855169] userAccountControl: value = 66048
[855169] badPwdCount: value = 0
[855169] codePage: value = 0
[855169] countryCode: value = 0
[855169] badPasswordTime: value = 130666713259896661
[855169] lastLogoff: value = 0
[855169] lastLogon: value = 130666714272834597
[855169] pwdLastSet: value = 130666723870003524
[855169] primaryGroupID: value = 1117
[855169] objectSid: value = .............tAgx.xg..@*^...
[855169] accountExpires: value = 9223372036854775807
[855169] logonCount: value = 0
[855169] sAMAccountName: value = test
[855169] sAMAccountType: value = 805306368
[855169] userPrincipalName: value = test@abcdef.cn
[855169] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abdef,DC=cn
[855169] dSCorePropagationData: value = 20150124015828.0Z
[855169] dSCorePropagationData: value = 16010101000000.0Z
[855169] lastLogonTimestamp: value = 130665396384085673
[855169] Fiber exit Tx=533 bytes Rx=2453 bytes, status=1
[855169] Session End
Thanks in advance!
01-26-2015 07:18 AM
I found the reason!
11-30-2016 11:47 AM
Hello Jing:
I have the same problem... can you please help me?
Thanks in advance,
Fabián
11-30-2016 09:32 PM
Could I have a look at the relevant configuration of your device?
12-01-2016 04:24 AM
Of course. I have two VPN accesses, one with the AnyConnect client (works fine) and the SSL clientless access.
Here is the config:
###### I use this for AnyConnect access #########
aaa-server LDAP-BOSCH protocol ldap
aaa-server LDAP-BOSCH (inside) host 192.168.3.208
ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
ldap-scope subtree
ldap-naming-attribute sn
ldap-login-password *****
ldap-login-dn cn=ldapadmin,dc=calculate
server-type auto-detect
ldap-attribute-map ASAMap
######### I use this for SSL clientless access #############
aaa-server LDAP-Clientless protocol ldap
aaa-server LDAP-Clientless (inside) host 192.168.3.208
ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
ldap-scope subtree
ldap-naming-attribute sn
ldap-login-password *****
ldap-login-dn cn=ldapadmin,dc=calculate
server-type microsoft
ldap-attribute-map ASAMap_Clientless
Here are the ldap attribute-maps:
ldap attribute-map ASAMap
map-name audio IETF-Radius-Class
map-value audio VPN GroupPolicy_VPN_SSL
ldap attribute-map ASAMap_Clientless
map-name audio IETF-Radius-Class
map-value audio VPN Clientless_ssl_GrpPolicy
I define these two group policies:
group-policy NOACCESS internal
group-policy NOACCESS attributes
wins-server none
dns-server value 192.168.3.254
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
group-lock none
default-domain value seguroamericano.com.uy
group-policy NOACCESS_SSLClientless internal
group-policy NOACCESS_SSLClientless attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-clientless
group-lock none
group-policy GroupPolicy_VPN_SSL internal
group-policy GroupPolicy_VPN_SSL attributes
wins-server none
dns-server value 192.168.3.254
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SEGURO_splitTunnelAcl
default-domain value seguroamericano.com.uy
group-policy Clientless_ssl_GrpPolicy internal
group-policy Clientless_ssl_GrpPolicy attributes
wins-server none
dns-server none
vpn-tunnel-protocol ssl-clientless
default-domain value seguroamericano.com.uy
webvpn
url-list value MERCURY
anyconnect ask none default webvpn
Here are my tunnel groups:
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP-Clientless
default-group-policy Clientless_ssl_GrpPolicy
tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
address-pool VPN_SEGURO_SSL
authentication-server-group LDAP-BOSCH
authorization-server-group LDAP-BOSCH
default-group-policy NOACCESS
tunnel-group VPN_SSL webvpn-attributes
group-alias SSL disable
group-alias SSL- disable
group-alias VPN disable
group-alias VPN_SSL enable
tunnel-group SSL_Clientless type remote-access
tunnel-group SSL_Clientless general-attributes
authentication-server-group LDAP-Clientless
authorization-server-group LDAP-Clientless
default-group-policy Clientless_ssl_GrpPolicy
authorization-required
tunnel-group SSL_Clientless webvpn-attributes
group-alias SSL_Clientless enable
group-url https://segurobackup.no-ip.org/SeguroAmericano enable
When I change the default-group-policy in the tunnel-group "SSL_Clientless" from "Clientless_ssl_GrpPolicy" to "NOACCESS_SSLClientless", I cannot log in.
Thanks for your reply.
Regards,
Fabián
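Added here as an illustration of both setups in this thread (Jing's memberOf map in the first post and Fabián's audio map above); this is not code from the thread or from Cisco. It is a small Python model of how the ASA turns LDAP attributes into an IETF-Radius-Class and falls back to the tunnel-group's default-group-policy when nothing maps. It parses the "Retrieved User Attributes" block of a debug ldap 255 capture and an ldap attribute-map written in ASA CLI syntax. One thing worth checking in the posted debug output: the server returns no memberOf attribute at all for user test, so the map has nothing to match and NOACCESS (vpn-simultaneous-logins 0) is what applies. The variant capture with a memberOf line, the login limit assumed for the sslvpn policy, and exact-string first-match evaluation are assumptions of this model, not ASA behaviour confirmed by the thread.

```python
"""Toy model of how a Cisco ASA picks a group-policy from an LDAP attribute map.

Added example, not Cisco code and not from the thread. Matching is exact-string
and first-hit-wins; both are assumptions of this model.
"""
import re
from collections import defaultdict

# One attribute line of the debug output, e.g. "[855169] cn: value = test".
ATTR_LINE = re.compile(r"^\[\d+\]\s+([^:\s]+):\s+value\s*=\s*(.*)$")


def parse_retrieved_attributes(debug_text):
    """Return {attribute: [values]} from the block after 'Retrieved User Attributes:'."""
    attrs = defaultdict(list)
    in_block = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        if "Retrieved User Attributes" in line:
            in_block = True
            continue
        if "Fiber exit" in line:          # end of the request in the debug
            break
        if in_block:
            m = ATTR_LINE.match(line)
            if m:
                attrs[m.group(1)].append(m.group(2).strip())
    return dict(attrs)


def parse_attribute_map(config_text):
    """Parse the map-name / map-value lines of one 'ldap attribute-map' block."""
    names = {}                   # ldap attribute -> Cisco attribute
    values = defaultdict(dict)   # ldap attribute -> {ldap value: Cisco value}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0] == "map-name":
            names[parts[1]] = parts[2]
        elif len(parts) >= 4 and parts[0] == "map-value":
            # Everything between the attribute and the last word is the LDAP value
            # (a DN containing spaces would be quoted on a real ASA; not handled here).
            values[parts[1]][" ".join(parts[2:-1])] = parts[-1]
    return {"name": names, "value": dict(values)}


def select_group_policy(user_attrs, amap, default_group_policy):
    """Return (group_policy, reason): mapped class if a map-value hit, else the default."""
    missing = []
    for ldap_attr, cisco_attr in amap["name"].items():
        if cisco_attr != "IETF-Radius-Class":
            continue
        if ldap_attr not in user_attrs:
            missing.append(ldap_attr)
            continue
        for value in user_attrs[ldap_attr]:
            mapped = amap["value"].get(ldap_attr, {}).get(value)
            if mapped is not None:
                return mapped, f"{ldap_attr}={value} mapped to IETF-Radius-Class {mapped}"
    if missing:
        return default_group_policy, (
            f"server returned no {', '.join(missing)} attribute; default-group-policy applies")
    return default_group_policy, "no map-value matched; default-group-policy applies"


# Only the setting that matters for the deny decision (constructed from the thread;
# the sslvpn policy is not shown in the thread, its value is assumed).
GROUP_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "NOACCESS_SSLClientless": {"vpn-simultaneous-logins": 0},
    "sslvpn": {"vpn-simultaneous-logins": 3},
    "GroupPolicy_VPN_SSL": {"vpn-simultaneous-logins": 3},
}


def login_allowed(group_policy):
    """vpn-simultaneous-logins 0 is what makes a NOACCESS policy reject the session."""
    return GROUP_POLICIES.get(group_policy, {}).get("vpn-simultaneous-logins", 3) > 0


# Constructed inputs: a trimmed copy of the posted debug (no memberOf returned),
# the same capture with a hypothetical memberOf line added, and both posters' maps.
DEBUG_TEST_USER = """\
[855169] Authentication successful for test to 192.168.0.23
[855169] Retrieved User Attributes:
[855169] objectClass: value = top
[855169] objectClass: value = user
[855169] cn: value = test
[855169] distinguishedName: value = CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169] sAMAccountName: value = test
[855169] Fiber exit Tx=533 bytes Rx=2453 bytes, status=1
"""
DEBUG_GROUP_MEMBER = DEBUG_TEST_USER.replace(
    "[855169] sAMAccountName: value = test\n",
    "[855169] sAMAccountName: value = test\n"
    "[855169] memberOf: value = CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn\n")
MAP_MEMBEROF = """\
ldap attribute-map abc
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn sslvpn
"""
MAP_AUDIO = """\
ldap attribute-map ASAMap
 map-name audio IETF-Radius-Class
 map-value audio VPN GroupPolicy_VPN_SSL
"""


def evaluate(debug_text, map_text, default_group_policy):
    """Capture + map + tunnel-group default -> (group_policy, allowed, reason)."""
    policy, reason = select_group_policy(
        parse_retrieved_attributes(debug_text), parse_attribute_map(map_text), default_group_policy)
    return policy, login_allowed(policy), reason


if __name__ == "__main__":
    print("test as posted:  ", evaluate(DEBUG_TEST_USER, MAP_MEMBEROF, "NOACCESS"))
    print("test + memberOf: ", evaluate(DEBUG_GROUP_MEMBER, MAP_MEMBEROF, "NOACCESS"))
```

Run against the posted capture the model lands on NOACCESS with the reason "server returned no memberOf attribute"; with a memberOf value equal to the map-value it lands on sslvpn and the login is allowed. The same function applied to Fabián's audio map behaves identically: a user whose audio attribute is exactly VPN gets GroupPolicy_VPN_SSL, anyone else gets whatever the tunnel-group's default-group-policy is.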