Clientless VPN profiles by LDAP Group

Dylan Syme
Level 1

Hi,

I'm attempting to configure what I think should be quite simple: Clientless SSLVPN using AD authentication, where the user's group membership determines what group policy they are assigned.

LDAP attribute maps are all set up OK and I can see successful mappings in debug ldap 255.

Referring to a few online how-to's I've attempted to configure a single connection profile and use a 'NoAccess' group policy as the Default Group Policy.  Users are unable to login under this configuration.

If I associate the actual group policy with the connection profile, users are able to log in, but only if I configure an alias so that the user selects the profile from the drop-down list.  But I don't want the user selecting his own profile; the ASA should select it based on the LDAP memberOf tag.

Here are the relevant bits of config:

ldap attribute-map memberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=FullAccess,OU=Remote Users,DC=test,DC=external" FullAccess
  map-value memberOf "CN=LimitedAccess,OU=Remote Users,DC=test,DC=external" LimitedAccess
group-policy NoAccess internal
group-policy NoAccess attributes
 banner value No!
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
group-policy FullAccess internal
group-policy FullAccess attributes
 banner value Full Access
 webvpn
  url-list value FullURLs
group-policy LimitedAccess internal
group-policy LimitedAccess attributes
 banner value Limited Access
 webvpn
  url-list value LimitedBBC
tunnel-group XXXFullAccess type remote-access
tunnel-group XXXFullAccess general-attributes
 authentication-server-group TEST-AD
 default-group-policy NoAccess
tunnel-group XXXLimitedAccess type remote-access
tunnel-group XXXLimitedAccess general-attributes
 authentication-server-group TEST-AD
 default-group-policy NoAccess

Using the above config, users cannot log in ("Login Failed" message).  The ASA does NOT attempt to authenticate the user to the LDAP server (per debug ldap 255).

If I reconfigure the tunnel-groups as follows, I am able to select the profile from the drop-down list and log in:

tunnel-group XXXFullAccess type remote-access
tunnel-group XXXFullAccess general-attributes
 authentication-server-group TEST-AD
 default-group-policy FullAccess
tunnel-group XXXFullAccess webvpn-attributes
 group-alias Full enable
tunnel-group XXXLimitedAccess type remote-access
tunnel-group XXXLimitedAccess general-attributes
 authentication-server-group TEST-AD
 default-group-policy LimitedAccess
tunnel-group XXXLimitedAccess webvpn-attributes
 group-alias Limited enable

Conceptually I want to be able to configure two or more group policies under the tunnel group (aka connection profile), and have the ASA select the correct one based on LDAP memberOf.  But it does not seem possible to do this.

This is ASA8.4(3).

Any ideas?  Thanks in advance.

13 Replies

Jennifer Halim
Cisco Employee

Can you pls share your full config.

You can definitely just use one tunnel-group and have the LDAP attribute map map the corresponding user's group policy.

Also, map-name should be "map-name memberOf IETF-Radius-Class", instead of "map-name  memberOf Group-Policy"

******

:
ASA Version 8.4(3)
!
hostname WGS-LAB-ASA
domain-name test.psn
enable password boo! encrypted
passwd boo! encrypted
names
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.200.200.180 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.192.24.105 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 10.192.24.110
 domain-name thisisa.test
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip local pool WGS-TEST-POOL 10.192.24.199-10.192.24.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Group Membership
  map-name  memberOf Group-Policy
ldap attribute-map memberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=FullAccess,OU=Remote Users,DC=test,DC=external" FullAccess
  map-value memberOf "CN=LimitedAccess,OU=Remote Users,DC=test,DC=external" LimitedAccess
dynamic-access-policy-record DfltAccessPolicy
aaa-server WGS-REM-AD protocol ldap
aaa-server WGS-REM-AD (INSIDE) host 10.192.24.100
 ldap-base-dn dc=test, dc=external
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=xxx,OU=AD Builtin,DC=test,DC=external
 server-type microsoft
 ldap-attribute-map memberOf
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 8443
http server idle-timeout 30
http 10.200.200.0 255.255.255.0 OUTSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=WGS-LAB-ASA
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate f3e46b50
    xxx
  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.200.200.0 255.255.255.0 OUTSIDE
ssh timeout 30
console timeout 0
management-access OUTSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 OUTSIDE
webvpn
 enable OUTSIDE
 tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
 banner value No!
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy FullAccess internal
group-policy FullAccess attributes
 banner value WGS Full Access
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value FullURLs
group-policy LimitedAccess internal
group-policy LimitedAccess attributes
 banner value WGS Limited Access
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value LimitedBBC
username test password xxx encrypted
username admin password xxx encrypted privilege 15
tunnel-group TestFullAccess type remote-access
tunnel-group TestFullAccess general-attributes
 authentication-server-group WGS-REM-AD
 default-group-policy FullAccess
tunnel-group TestFullAccess webvpn-attributes
 group-alias Full enable
tunnel-group TestLimitedAccess type remote-access
tunnel-group TestLimitedAccess general-attributes
 authentication-server-group WGS-REM-AD
 default-group-policy LimitedAccess
tunnel-group TestLimitedAccess webvpn-attributes
 group-alias Limited enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxx
: end

******

If I modify the tunnel-groups with:

default-group-policy NoAccess

The user is unable to log in.

Ok thanks for the update.

Here are the changes needed:

ldap attribute-map memberOf
  no map-name  memberOf Group-Policy
  map-name memberOf IETF-Radius-Class
webvpn
 no tunnel-group-list enable

Remove one of the tunnel-groups, as you meant to have only one tunnel-group with LDAP attribute mapping.

Thanks but no joy.

Updated config:

*******

:
ASA Version 8.4(3)
!
hostname WGS-LAB-ASA
domain-name blah
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.200.200.180 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.192.24.105 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 10.192.24.110
 domain-name xxx
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip local pool WGS-TEST-POOL 10.192.24.199-10.192.24.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Group Membership
  map-name  memberOf Group-Policy
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=FullAccess,OU=Remote Users,DC=test,DC=external" FullAccess
  map-value memberOf "CN=LimitedAccess,OU=Remote Users,DC=test,DC=external" LimitedAccess
dynamic-access-policy-record DfltAccessPolicy
aaa-server WGS-REM-AD protocol ldap
aaa-server WGS-REM-AD (INSIDE) host 10.192.24.100
 ldap-base-dn dc=test, dc=external
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=xxx,OU=Builtin,DC=test,DC=external
 server-type microsoft
 ldap-attribute-map memberOf
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 8443
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
http 10.200.200.0 255.255.255.0 OUTSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=WGS-LAB-ASA
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate f3e46b50
    3082035b 30820243 a0030201 020204f3 e46b5030 0d06092a 864886f7 0d010105
    0500303d 31143012 06035504 03130b57 47532d4c 41422d41 53413125 30230609
    2a864886 f70d0109 02161657 47532d4c 41422d41 53412e74 68616c65 732e7073
    6e301e17 0d313231 30303430 31313333 355a170d 32323130 30323031 31333335
    5a303d31 14301206 03550403 130b5747 532d4c41 422d4153 41312530 2306092a
    864886f7 0d010902 16165747 532d4c41 422d4153 412e7468 616c6573 2e70736e
    30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
    009fa6c9 eebb2a0b 1478a0b3 27467add 689d78ac 2962b9ee 34dea1a8 35da9b09
    e9724a10 158e3e47 fe33e524 14c08f91 782b93f0 f0d7af1c d16fd285 5514580f
    6ab1373e 35cc455a 902a4c34 943a98ee 323ff076 16a5ec28 c7693aac ba57c67a
    74dfb2a9 3d5c2642 b3edcfe4 f373789a f33110d7 5c26785c b0af989f 738d6807
    91e1f029 e42372f2 88da4b14 343facfa 3f0ec199 f190014b 1748a181 7a8b0f1a
    3cc2c686 7745bb79 3546f664 082362b1 d2b767a9 b7c08c77 262a4047 97bbb022
    bf550a90 9837b2c8 26a6a791 1f1bf034 6627f867 17875b64 6adda38f 18efe1f4
    ee9727fd 967f0d7b 7e5c2701 a884b6f7 361d6d3a 99371616 5c48d347 b1bfdbca
    dd020301 0001a363 3061300f 0603551d 130101ff 04053003 0101ff30 0e060355
    1d0f0101 ff040403 02018630 1f060355 1d230418 30168014 e632aa41 2df25fae
    2d85c2a7 1f44bdd1 b5d86f92 301d0603 551d0e04 160414e6 32aa412d f25fae2d
    85c2a71f 44bdd1b5 d86f9230 0d06092a 864886f7 0d010105 05000382 01010066
    f1a8a357 7fb7bd5b a01faac2 270c40f6 98b51f97 b79ddddf a4f64356 1d0a2d96
    f0660ccb 7eb8767c 45df29cf 109aa1cc d6eb296f e36e1d6d cdf7ca09 3e3b8354
    8ab7e9ff eddcea1c 8e792aaa 05da15d6 01200589 50fce203 45fa7460 1947f8ed
    741c41ef a3b40a39 96791b6f 22de27b0 04e83920 469a1b3b 7bafe0a5 d4ee282e
    98f02d47 34517388 7b694282 6b6ddf50 c40fefd3 668bfa23 0de6703e 8ae01e86
    fc710c0b 5c59f5a6 99e993cd 7753f437 0fd97dfe 03510ee6 d8e90f14 93265d5f
    816c97ff 009601de 7a520fa8 a57208d3 fc5d961e ad6bc00d e5b9219e db400012
    2e84c795 042ecbfd fbd956ba 388f91f4 1a152fdb 993d11a2 fe552f9b d335fe
  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.200.200.0 255.255.255.0 OUTSIDE
ssh timeout 30
console timeout 0
management-access OUTSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 OUTSIDE
webvpn
 enable OUTSIDE
group-policy NoAccess internal
group-policy NoAccess attributes
 banner value No!
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy FullAccess internal
group-policy FullAccess attributes
 banner value This is Full Access
group-policy LimitedAccess internal
group-policy LimitedAccess attributes
 banner value This is Limited Access
username test password xxx encrypted
username test_limited password xxx encrypted
username admin password xxx encrypted privilege 15
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 authentication-server-group WGS-REM-AD
 default-group-policy NoAccess
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

*******

User attempts to log in and the ASA does not attempt to talk to AD.

According to the ASDM (which I normally avoid, but is convenient for this type of config), the IETF-Radius-Class attribute has been superseded by Group-Policy.

Thanks

You don't have group-policy configured in your latest configuration.

Since your ldap attribute map has the following two mappings:

FullAccess

LimitedAccess

You would need to configure group-policies with the above two names, as LDAP will map to the specific group-policy.

Sorry about that - find-and-replace error.

Correct config updated above, same result.

Can you also add the protocol to be used:

group-policy FullAccess attributes
 vpn-tunnel-protocol ssl-clientless
group-policy LimitedAccess attributes
 vpn-tunnel-protocol ssl-clientless

Then pls try to connect using clientless ssl vpn and run "debug ldap 255" and pls share the output.

Thanks, I've added that and there is no output from the LDAP debug - the ASA is not bothering to communicate with the AD server (in the below I'm attempting login after enabling the debug).

WGS-LAB-ASA# debug ldap 255
debug ldap  enabled at level 255
WGS-LAB-ASA#

If I change the default-group-policy attribute to LimitedAccess or FullAccess, the LDAP communication happens and the user is authenticated.

OK, if you change the default-group-policy to LimitedAccess or FullAccess, is the LDAP mapping working correctly?

For example:

If you change it to LimitedAccess, but you actually try to log in using the FullAccess user account, does it get mapped correctly to the FullAccess group-policy?

Yep - Whatever policy I assign to the tunnel-group gets applied regardless of what user I login as.

I can see the ASA doing the LDAP query and getting the mapping:

[122]   memberOf: value = CN=FullAccess,OU=Remote Users,DC=test,DC=external
[122]           mapped to IETF-Radius-Class: value = FullAccess
[122]           mapped to LDAP-Class: value = FullAccess

But it seems the ASA is not paying any attention to this when it applies the group-policy.
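An offline model of the memberOf-to-group-policy lookup being debugged in this thread, as an added example (not code from the thread or from Cisco). It parses an `ldap attribute-map` block in the ASA's CLI syntax, applies it to a user's LDAP attributes, and cross-checks `debug ldap 255` lines of the shape posted above against the map, so you can tell whether the attribute map or the policy selection is at fault. It assumes the ASA compares the map-value DN as an exact string, and it makes no claim about which policy wins when a user is in several mapped groups (it flags that case as ambiguous instead). The function names, the `Selection` dataclass and the constructed debug excerpt are mine.

```python
"""Offline model of the Cisco ASA 'ldap attribute-map' lookup. Added example,
not code from the thread or from Cisco. DN matching is exact-string and several
matching groups are reported as ambiguous; both are assumptions, since the ASA's
real rules are not stated on this page.
"""
import re
from dataclasses import dataclass, field

# Attribute map from the thread, with the map-name Jennifer suggested.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=FullAccess,OU=Remote Users,DC=test,DC=external" FullAccess
  map-value memberOf "CN=LimitedAccess,OU=Remote Users,DC=test,DC=external" LimitedAccess
"""

# Constructed 'debug ldap 255' excerpt, shaped like the lines Dylan posted.
SAMPLE_DEBUG = """\
[122]   memberOf: value = CN=FullAccess,OU=Remote Users,DC=test,DC=external
[122]           mapped to IETF-Radius-Class: value = FullAccess
[122]           mapped to LDAP-Class: value = FullAccess
"""

HEADER_RE = re.compile(r'^\s*ldap attribute-map\s+(.+?)\s*$')
MAP_NAME_RE = re.compile(r'^\s*map-name\s+(\S+)\s+(\S+)\s*$')
MAP_VALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)\s*$')
DEBUG_MAP_RE = re.compile(r'^\[\d+\]\s+mapped to (\S+): value = (.*)$')
DEBUG_ATTR_RE = re.compile(r'^\[\d+\]\s+(\S+): value = (.*)$')


@dataclass
class AttributeMap:
    name: str = ""
    map_names: dict = field(default_factory=dict)   # ldap attr -> cisco attr
    map_values: dict = field(default_factory=dict)  # ldap attr -> {ldap value: cisco value}


def parse_attribute_map(config: str) -> AttributeMap:
    """Parse one 'ldap attribute-map' block in ASA CLI syntax."""
    amap = AttributeMap()
    for line in config.splitlines():
        if m := HEADER_RE.match(line):
            amap.name = m.group(1)
        elif m := MAP_NAME_RE.match(line):
            amap.map_names[m.group(1)] = m.group(2)
        elif m := MAP_VALUE_RE.match(line):
            amap.map_values.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return amap


@dataclass
class Selection:
    group_policy: str
    matched: list      # cisco values produced by map-value hits, in LDAP order
    ambiguous: bool    # more than one distinct group-policy matched


def select_group_policy(amap: AttributeMap, ldap_attrs: dict,
                        default_group_policy: str) -> Selection:
    """ldap_attrs is {attribute: [values]} as returned for the user. A user with no
    mapped group falls through to the tunnel-group's default-group-policy, which is
    why the thread uses a 'NoAccess' policy with vpn-simultaneous-logins 0."""
    matched = []
    for attr, values in ldap_attrs.items():
        if attr not in amap.map_names:
            continue                    # attribute is not mapped at all
        table = amap.map_values.get(attr, {})
        matched.extend(table[v] for v in values if v in table)   # exact-string match (assumption)
    distinct = list(dict.fromkeys(matched))
    if not distinct:
        return Selection(default_group_policy, matched, False)
    return Selection(distinct[0], matched, len(distinct) > 1)


def parse_ldap_debug(text: str) -> dict:
    """Return {(ldap attr, ldap value): [(cisco attr, cisco value), ...]} from debug output."""
    result, current = {}, None
    for line in text.splitlines():
        if m := DEBUG_MAP_RE.match(line):
            if current is not None:
                result[current].append((m.group(1), m.group(2)))
        elif m := DEBUG_ATTR_RE.match(line):
            current = (m.group(1), m.group(2))
            result.setdefault(current, [])
    return result


def check_debug_against_map(debug_text: str, amap: AttributeMap) -> list:
    """List every mapped LDAP value whose debug output lacks the mapping the config
    says it should produce. An empty list means the map is doing its job, so a wrong
    policy is being chosen later (tunnel-group, default-group-policy or map-name)."""
    problems = []
    for (attr, value), mapped in parse_ldap_debug(debug_text).items():
        expected = amap.map_values.get(attr, {}).get(value)
        if expected is None:
            continue                    # value is not in the map, nothing to check
        want = (amap.map_names.get(attr), expected)
        if want not in mapped:
            problems.append(f"{attr}={value}: expected {want}, got {mapped}")
    return problems


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)
    user = {"memberOf": ["CN=Domain Users,CN=Users,DC=test,DC=external",
                         "CN=FullAccess,OU=Remote Users,DC=test,DC=external"]}
    print(select_group_policy(amap, user, "NoAccess"))
    print(check_debug_against_map(SAMPLE_DEBUG, amap) or "debug output agrees with the map")
```

Run it against a real `debug ldap 255` capture by replacing `SAMPLE_DEBUG`: if `check_debug_against_map` returns nothing while the wrong policy is still applied, the attribute map is not the problem, which is exactly the situation the debug lines above describe.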

Just going to ask you to test something stupid, i.e. changing the name of the ldap attribute map from memberOf to something else.

ldap attribute-map LDAPMAPforSSL
  map-name  memberOf Group-Policy
  map-value memberOf "CN=FullAccess,OU=Remote Users,DC=test,DC=external" FullAccess
  map-value memberOf "CN=LimitedAccess,OU=Remote Users,DC=test,DC=external" LimitedAccess
aaa-server WGS-REM-AD (INSIDE) host 10.192.24.100
 ldap-attribute-map LDAPMAPforSSL

Plus also add the following:

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless

Hi Dylan,

Just to add my two cents, here is a good link:

ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example

HTH.

Portu.

Please rate any helpful posts