cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
554
Views
0
Helpful
4
Replies
Highlighted
Beginner

Clientless SSL VPN - LDAP Authentication ,Only allow one group to access

Hi all,

My currently situation is like this:

I want to allow one group to access,default is block;

but in fact,if i do not apply noaccess to default-group-policy,all users in AD can access;

if i apply noaccess to default-group-policy,all users in AD can not access,via debug ldap 255,i find Account authentication success,

 

==========================================================

ldap attribute-map abc
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn sslvpn

==========================================================

aaa-server AD protocol ldap
aaa-server AD (Inside-A) host 192.168.0.23
 ldap-base-dn dc=abcdef,dc=cn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=users,dc=acdef,dc=cn
 server-type microsoft
 ldap-attribute-map abc

==========================================================

tunnel-group sslvpn general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS

==========================================================

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

==========================================================

debug ldap 255

[855169] Session Start
[855169] New request Session, context 0xae8c1b0c, reqType = Authentication
[855169] Fiber started
[855169] Creating LDAP context with uri=ldap://192.168.0.23:389
[855169] Connect to LDAP server: ldap://192.168.0.23:389, status = Successful
[855169] supportedLDAPVersion: value = 3
[855169] supportedLDAPVersion: value = 2
[855169] Binding as Administrator
[855169] Performing Simple authentication for Administrator to 192.168.0.23
[855169] LDAP Search:
        Base DN = [dc=BCDEF,dc=cn]
        Filter  = [sAMAccountName=test]
        Scope   = [SUBTREE]
[855169] User DN = [CN=test,OU=SSLVPN,DC=abcdef,DC=cn]
[855169] Talking to Active Directory server 192.168.0.23
[855169] Reading password policy for test, dn:CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169] Read bad password count 0
[855169] Binding as test
[855169] Performing Simple authentication for test to 192.168.0.23
[855169] Processing LDAP response for user test
[855169] Message (test):
[855169] Authentication successful for test to 192.168.0.23
[855169] Retrieved User Attributes:
[855169]        objectClass: value = top
[855169]        objectClass: value = person
[855169]        objectClass: value = organizationalPerson
[855169]        objectClass: value = user
[855169]        cn: value = test
[855169]        sn: value = test
[855169]        distinguishedName: value = CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169]        instanceType: value = 4
[855169]        whenCreated: value = 20150124015828.0Z
[855169]        whenChanged: value = 20150125151439.0Z
[855169]        displayName: value = test
[855169]        uSNCreated: value = 33195
[855169]        uSNChanged: value = 33454
[855169]        name: value = test
[855169]        objectGUID: value = A.....JI..q....o
[855169]        userAccountControl: value = 66048
[855169]        badPwdCount: value = 0
[855169]        codePage: value = 0
[855169]        countryCode: value = 0
[855169]        badPasswordTime: value = 130666713259896661
[855169]        lastLogoff: value = 0
[855169]        lastLogon: value = 130666714272834597
[855169]        pwdLastSet: value = 130666723870003524
[855169]        primaryGroupID: value = 1117
[855169]        objectSid: value = .............tAgx.xg..@*^...
[855169]        accountExpires: value = 9223372036854775807
[855169]        logonCount: value = 0
[855169]        sAMAccountName: value = test
[855169]        sAMAccountType: value = 805306368
[855169]        userPrincipalName: value = test@abcdef.cn
[855169]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abdef,DC=cn
[855169]        dSCorePropagationData: value = 20150124015828.0Z
[855169]        dSCorePropagationData: value = 16010101000000.0Z
[855169]        lastLogonTimestamp: value = 130665396384085673
[855169] Fiber exit Tx=533 bytes Rx=2453 bytes, status=1
[855169] Session End

 

Thanks in advance!

4 REPLIES 4
Highlighted
Beginner

I found the reason !

Highlighted

Hello Jing:

I have the same problem.....can you please help me?

Thanks in advance,

Fabián

Highlighted

could I have a look your relevant configuration of the device ?

Highlighted

Of course. I have two vpn access, one with anyconnect client (works fine) and the ssl clientless access.

Here are the config:

###### I use this for Anyconnect access #########

aaa-server LDAP-BOSCH protocol ldap
aaa-server LDAP-BOSCH (inside) host 192.168.3.208
 ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
 ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
 ldap-scope subtree
 ldap-naming-attribute sn
 ldap-login-password *****
 ldap-login-dn cn=ldapadmin,dc=calculate
 server-type auto-detect
 ldap-attribute-map ASAMap

#########I use this for ssl clientless access #############


aaa-server LDAP-Clientless protocol ldap
aaa-server LDAP-Clientless (inside) host 192.168.3.208
 ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
 ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
 ldap-scope subtree
 ldap-naming-attribute sn
 ldap-login-password *****
 ldap-login-dn cn=ldapadmin,dc=calculate
 server-type microsoft
 ldap-attribute-map ASAMap_Clientless

Here are the ldap-attribute-map:

ldap attribute-map ASAMap
  map-name  audio IETF-Radius-Class
  map-value audio VPN GroupPolicy_VPN_SSL


ldap attribute-map ASAMap_Clientless
  map-name  audio IETF-Radius-Class
  map-value audio VPN Clientless_ssl_GrpPolicy

I define this two Group Policy:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 wins-server none
 dns-server value 192.168.3.254
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
 group-lock none
 default-domain value seguroamericano.com.uy

group-policy NOACCESS_SSLClientless internal
group-policy NOACCESS_SSLClientless attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
 group-lock none

group-policy GroupPolicy_VPN_SSL internal
group-policy GroupPolicy_VPN_SSL attributes
 wins-server none
 dns-server value 192.168.3.254
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SEGURO_splitTunnelAcl
 default-domain value seguroamericano.com.uy

group-policy Clientless_ssl_GrpPolicy internal
group-policy Clientless_ssl_GrpPolicy attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ssl-clientless
 default-domain value seguroamericano.com.uy
 webvpn
  url-list value MERCURY
  anyconnect ask none default webvpn

Here are my tunnel groups:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-Clientless
 default-group-policy Clientless_ssl_GrpPolicy


tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 address-pool VPN_SEGURO_SSL
 authentication-server-group LDAP-BOSCH
 authorization-server-group LDAP-BOSCH
 default-group-policy NOACCESS
tunnel-group VPN_SSL webvpn-attributes
 group-alias SSL disable
 group-alias SSL- disable
 group-alias VPN disable
 group-alias VPN_SSL enable


tunnel-group SSL_Clientless type remote-access
tunnel-group SSL_Clientless general-attributes
 authentication-server-group LDAP-Clientless
 authorization-server-group LDAP-Clientless
 default-group-policy Clientless_ssl_GrpPolicy
 authorization-required
tunnel-group SSL_Clientless webvpn-attributes
 group-alias SSL_Clientless enable
 group-url https://segurobackup.no-ip.org/SeguroAmericano enable

When I change in the tunnel-group "SSL_Clientless" , the default-group-policy from "Clientless_ssl_GrpPolicy" to "NOACCESS_SSLClientless " I cannot log in.

Thanks for your reply.

Regards,

Fabián