Clientless SSL VPN - LDAP Authentication ,Only allow one group to access

jing zhang
Level 1

Hi all,

My current situation is like this:

I want to allow one group to access; the default is block.

But in fact, if I do not apply NOACCESS to the default-group-policy, all users in AD can access;

if I apply NOACCESS to the default-group-policy, all users in AD cannot access. Via debug ldap 255, I find that account authentication succeeds:


==========================================================

ldap attribute-map abc
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn sslvpn

==========================================================

aaa-server AD protocol ldap
aaa-server AD (Inside-A) host 192.168.0.23
 ldap-base-dn dc=abcdef,dc=cn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=users,dc=acdef,dc=cn
 server-type microsoft
 ldap-attribute-map abc

==========================================================

tunnel-group sslvpn general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS

==========================================================

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

==========================================================

debug ldap 255

[855169] Session Start
[855169] New request Session, context 0xae8c1b0c, reqType = Authentication
[855169] Fiber started
[855169] Creating LDAP context with uri=ldap://192.168.0.23:389
[855169] Connect to LDAP server: ldap://192.168.0.23:389, status = Successful
[855169] supportedLDAPVersion: value = 3
[855169] supportedLDAPVersion: value = 2
[855169] Binding as Administrator
[855169] Performing Simple authentication for Administrator to 192.168.0.23
[855169] LDAP Search:
        Base DN = [dc=BCDEF,dc=cn]
        Filter  = [sAMAccountName=test]
        Scope   = [SUBTREE]
[855169] User DN = [CN=test,OU=SSLVPN,DC=abcdef,DC=cn]
[855169] Talking to Active Directory server 192.168.0.23
[855169] Reading password policy for test, dn:CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169] Read bad password count 0
[855169] Binding as test
[855169] Performing Simple authentication for test to 192.168.0.23
[855169] Processing LDAP response for user test
[855169] Message (test):
[855169] Authentication successful for test to 192.168.0.23
[855169] Retrieved User Attributes:
[855169]        objectClass: value = top
[855169]        objectClass: value = person
[855169]        objectClass: value = organizationalPerson
[855169]        objectClass: value = user
[855169]        cn: value = test
[855169]        sn: value = test
[855169]        distinguishedName: value = CN=test,OU=SSLVPN,DC=abcdef,DC=cn
[855169]        instanceType: value = 4
[855169]        whenCreated: value = 20150124015828.0Z
[855169]        whenChanged: value = 20150125151439.0Z
[855169]        displayName: value = test
[855169]        uSNCreated: value = 33195
[855169]        uSNChanged: value = 33454
[855169]        name: value = test
[855169]        objectGUID: value = A.....JI..q....o
[855169]        userAccountControl: value = 66048
[855169]        badPwdCount: value = 0
[855169]        codePage: value = 0
[855169]        countryCode: value = 0
[855169]        badPasswordTime: value = 130666713259896661
[855169]        lastLogoff: value = 0
[855169]        lastLogon: value = 130666714272834597
[855169]        pwdLastSet: value = 130666723870003524
[855169]        primaryGroupID: value = 1117
[855169]        objectSid: value = .............tAgx.xg..@*^...
[855169]        accountExpires: value = 9223372036854775807
[855169]        logonCount: value = 0
[855169]        sAMAccountName: value = test
[855169]        sAMAccountType: value = 805306368
[855169]        userPrincipalName: value = test@abcdef.cn
[855169]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abdef,DC=cn
[855169]        dSCorePropagationData: value = 20150124015828.0Z
[855169]        dSCorePropagationData: value = 16010101000000.0Z
[855169]        lastLogonTimestamp: value = 130665396384085673
[855169] Fiber exit Tx=533 bytes Rx=2453 bytes, status=1
[855169] Session End


Thanks in advance!

4 Replies

jing zhang
Level 1

I found the reason!

Hello Jing:

I have the same problem... can you please help me?

Thanks in advance,

Fabián

Could I have a look at your relevant configuration of the device?

Of course. I have two VPN accesses, one with the AnyConnect client (works fine) and the SSL clientless access.

Here is the config:

###### I use this for Anyconnect access #########

aaa-server LDAP-BOSCH protocol ldap
aaa-server LDAP-BOSCH (inside) host 192.168.3.208
 ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
 ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
 ldap-scope subtree
 ldap-naming-attribute sn
 ldap-login-password *****
 ldap-login-dn cn=ldapadmin,dc=calculate
 server-type auto-detect
 ldap-attribute-map ASAMap

#########I use this for ssl clientless access #############


aaa-server LDAP-Clientless protocol ldap
aaa-server LDAP-Clientless (inside) host 192.168.3.208
 ldap-base-dn ou=Users,ou=Unix,ou=Services,dc=calculate
 ldap-group-base-dn ou=Groups,ou=Samba,ou=Services,dc=calculate
 ldap-scope subtree
 ldap-naming-attribute sn
 ldap-login-password *****
 ldap-login-dn cn=ldapadmin,dc=calculate
 server-type microsoft
 ldap-attribute-map ASAMap_Clientless

Here are the ldap-attribute-maps:

ldap attribute-map ASAMap
  map-name  audio IETF-Radius-Class
  map-value audio VPN GroupPolicy_VPN_SSL


ldap attribute-map ASAMap_Clientless
  map-name  audio IETF-Radius-Class
  map-value audio VPN Clientless_ssl_GrpPolicy

I defined these two group policies:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 wins-server none
 dns-server value 192.168.3.254
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
 group-lock none
 default-domain value seguroamericano.com.uy

group-policy NOACCESS_SSLClientless internal
group-policy NOACCESS_SSLClientless attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
 group-lock none

group-policy GroupPolicy_VPN_SSL internal
group-policy GroupPolicy_VPN_SSL attributes
 wins-server none
 dns-server value 192.168.3.254
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SEGURO_splitTunnelAcl
 default-domain value seguroamericano.com.uy

group-policy Clientless_ssl_GrpPolicy internal
group-policy Clientless_ssl_GrpPolicy attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ssl-clientless
 default-domain value seguroamericano.com.uy
 webvpn
  url-list value MERCURY
  anyconnect ask none default webvpn

Here are my tunnel groups:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-Clientless
 default-group-policy Clientless_ssl_GrpPolicy


tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 address-pool VPN_SEGURO_SSL
 authentication-server-group LDAP-BOSCH
 authorization-server-group LDAP-BOSCH
 default-group-policy NOACCESS
tunnel-group VPN_SSL webvpn-attributes
 group-alias SSL disable
 group-alias SSL- disable
 group-alias VPN disable
 group-alias VPN_SSL enable


tunnel-group SSL_Clientless type remote-access
tunnel-group SSL_Clientless general-attributes
 authentication-server-group LDAP-Clientless
 authorization-server-group LDAP-Clientless
 default-group-policy Clientless_ssl_GrpPolicy
 authorization-required
tunnel-group SSL_Clientless webvpn-attributes
 group-alias SSL_Clientless enable
 group-url https://segurobackup.no-ip.org/SeguroAmericano enable

When I change the default-group-policy in the tunnel-group "SSL_Clientless" from "Clientless_ssl_GrpPolicy" to "NOACCESS_SSLClientless", I cannot log in.

Thanks for your reply.

Regards,

Fabián
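A small model, added here as an example and not Cisco's or either poster's code, of how the ASA turns the LDAP attributes it retrieved into a group-policy choice: the attribute mapped to IETF-Radius-Class is checked against the map-value entries, and when nothing matches (or, as in the debug output in the question, the server returned no memberOf for the user at all) the tunnel-group's default-group-policy applies, so its vpn-simultaneous-logins 0 rejects the login. It covers both the memberOf map from the question and the audio map from Fabián's post; the user attribute sets, the login limit assigned to sslvpn, and exact string matching of map-value entries are assumptions.

```python
import shlex
# Attribute map as posted in the question (DN values containing spaces would be
# quoted on the ASA CLI; shlex.split handles that).
MAP_TEXT = """
ldap attribute-map abc
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn sslvpn
"""
# vpn-simultaneous-logins per group-policy: 0 is the NOACCESS trick from the
# thread, the limit for sslvpn is a constructed assumption.
POLICIES = {"NOACCESS": 0, "sslvpn": 3}
# Constructed attribute sets. USER_TEST mirrors the debug output, which shows
# no memberOf for the user at all; USER_MEMBER belongs to sslgroup.
USER_TEST = {"sAMAccountName": ["test"], "primaryGroupID": ["1117"]}
USER_MEMBER = {"sAMAccountName": ["alice"], "memberOf": [
    "CN=Staff,OU=SSLVPN,DC=abcdef,DC=cn", "CN=sslgroup,OU=SSLVPN,DC=abcdef,DC=cn"]}

def parse_attribute_map(text):
    """Return {ldap_attr: (cisco_attr, {ldap_value: mapped_value})}."""
    amap = {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts[:1] == ["map-name"]:
            amap[parts[1]] = (parts[2], {})
        elif parts[:1] == ["map-value"]:
            amap[parts[1]][1][parts[2]] = parts[3]
    return amap

def select_group_policy(user_attrs, amap, default_policy):
    """Model of the ASA choice: the first map-value hit on an attribute mapped
    to IETF-Radius-Class names the group-policy, otherwise the tunnel-group's
    default-group-policy applies. Values are compared as exact strings (assumed)."""
    missing = []
    for ldap_attr, (cisco_attr, values) in amap.items():
        if cisco_attr != "IETF-Radius-Class":
            continue
        if ldap_attr not in user_attrs:   # nothing came back to map, as in the debug
            missing.append(ldap_attr)
            continue
        for value in user_attrs[ldap_attr]:
            if value in values:
                return values[value], f"{ldap_attr}={value} -> {values[value]}"
    reason = "no map-value matched" + (f"; server returned no {', '.join(missing)}" if missing else "")
    return default_policy, reason

def login_allowed(policy, policies=POLICIES):
    """A policy with vpn-simultaneous-logins 0 rejects the login outright."""
    return policies.get(policy, 0) > 0
```

Running select_group_policy over the attributes a debug ldap 255 trace actually returned is a quick way to see whether a user lands in NOACCESS because the group DN is mistyped or because the server sent no group attribute at all.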