Dynamic Access Policies Troubles

namegoeshere
Level 1

I have an ASA 5510 and I am trying to implement Dynamic Access Policies (DAP) for SSL VPN remote access control.

I have created several policies for specific vendors/users and am having a hard time enforcing them. Specifically, the Selection Criteria is simply an AD Security Group and a Network ACL Filter.

What's weird is that when I had the Selection Criteria under the AAA Attribute Type: Cisco and used the specific AD username, the policy was enforced correctly.

When trying to use security groups and LDAP, it's a no go. LDAP does pass when tested under AAA Server Groups and it also queries and successfully brings up all the groups within AD when selecting criteria under the DAP Selection Criteria.

Any thoughts? Am I supposed to have a separate AnyConnect Connection     Profile for each DAP?

Thanks,


13 Replies

Herbert Baerten
Cisco Employee

Hi Name,

start by checking "debug ldap 255" and "debug dap trace" output - this will show which LDAP (and other) attributes DAP received about the user, and which policy (or policies) it selects based on that.

hth

Herbert

Herbert,

Thanks for the suggestion. Here is the output of the debug commands.

debug ldap 255 -> debug ldap enabled at level 255

debug dap trace -> debug dap trace enabled at level 1

Sorry for not being entirely clear, what I meant was, enable these 2 debug commands, then attempt to connect from a client. On your console session you should see lots of data flying by now. Note that this may include some sensitive information so please review (and if needed, edit) it before posting it here.

Herbert

Oh, and afterwards, use "undebug all" to disable the debugs again.

Herbert -- My apologies.

It looks as if it is falling to the default access policy instead of the one designated for this user.

Here is the sanitized output:

DAP_TRACE: Username: testname, aaa.radius["4121"]["1"] = testgroup
DAP_TRACE: Username: testname, aaa.radius["7"]["1"] = 1
DAP_TRACE: Username: testname, aaa.radius["6"]["1"] = 2
DAP_TRACE: Username: testname, aaa.radius["25"]["1"] = T..I
DAP_TRACE: Username: testname, aaa.cisco.grouppolicy = testgroup
DAP_TRACE: Username: testname, aaa.cisco.username = testname
DAP_TRACE: Username: testname, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testgroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testgroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testname"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testname"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testname, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testname, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testname, Selected DAPs: DfltAccessPolicy
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testgroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testgroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testname"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testname"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testname, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testname, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testname, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: testname, DAP_close: AE557898

Right. The debugs also show that the user was authenticated using Radius, not LDAP.

So you will either have to change your authentication method to LDAP, or change your DAP policies to use Radius attributes instead of LDAP attributes.

hth

Herbert

Wow, thanks. One of those "duh" moments.

I changed the DAP Selection Criteria to the RADIUS Attribute ID 4242 and a value of . It's still not enforcing the DAP. Thanks again for your help.

Here is the debug output:

DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup
DAP_TRACE: Username: testuser, aaa.radius["7"]["1"] = 1
DAP_TRACE: Username: testuser, aaa.radius["6"]["1"] = 2
DAP_TRACE: Username: testuser, aaa.radius["25"]["1"] = U
DAP_TRACE: Username: testuser, aaa.cisco.grouppolicy = testvpngroup
DAP_TRACE: Username: testuser, aaa.cisco.username = testuser
DAP_TRACE: Username: testuser, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testvpngroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"]="U"
DAP_TRACE: name = aaa.radius["25"]["1"], value = "U"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testvpngroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testuser"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testuser"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testuser, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testuser, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testuser, Selected DAPs: DfltAccessPolicy
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testvpngroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"]="U"
DAP_TRACE: name = aaa.radius["25"]["1"], value = "U"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testvpngroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testuser"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testuser"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testuser, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testuser, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testuser, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: testuser, DAP_close: AE5B7AC8

I guess it should be ID 4121 (4096+25) from what I see in the debugs.

DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup

Run a debug radius all just to make sure what is the security group that is pushed.

Well, it seems like DAP does not know about attribute 4242 - check the first few lines of the debugs which show what attributes it knows about.

Did you mean 4121 maybe?

If it's really 4242, please check "debug radius" to see if the radius server is actually sending that attribute.

hth

Herbert

Hmmm. The "testvpngroup" below is representative of a Cisco Group Policy, not the Active Directory Security Group.

In doing the RADIUS debug, I did see the 4242 value get passed. I got the 4242 value from the ASA help that stated it was the "Member Of" (4096 + 146).

What does the radius attribute 25 give you in the debug radius? Can you use that to match dap policies?

Rahul,

You hit the nail on the head. I had to change the attribute to 25 and then ALSO create a corresponding attribute on the RADIUS server. That attribute was the Class attribute with the Security Group being its value.

Thank you all for your help.

One last question. Now that the DAPs are being enforced, I am running into a problem with a person being a member of two different AD Security Groups. How do I address that with the DAP since the person will need the access granted by two different DAPs?

Thanks!!!

If a user is hitting multiple DAPs, the end policy will be an aggregation of all the DAP policies based on certain rules. The best guide for that is here:

https://supportforums.cisco.com/docs/DOC-1369

But what you can also do is to create a DAP policy for a user who has to match two groups. That can be configured in the DAP AAA criterion section, where you can make a policy which matches two attributes (2 security groups in your case) and enforce actions that way.
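An added example, not code from this thread or from Cisco, that models in Python how the DAP selection described in the last two posts consumes the aaa.radius attributes seen in the debug output: the Class attribute (25) carrying the AD security group, the Cisco group-policy VSA at 4121 (4096+25), an attribute 4242 the ASA never received, and a DAP whose criteria require membership in two groups. The group names, DAP names and the second Class instance are constructed assumptions; the real ASA evaluates DAP records in its own Lua engine.

```python
import re

# Matches the "DAP_TRACE: Username: <user>, aaa.radius["<id>"]["<instance>"] = <value>"
# summary lines; the later dap_add_to_lua_tree lines repeat them and are skipped.
TRACE_RE = re.compile(
    r'^DAP_TRACE: Username: [^,]+, aaa\.radius\["(\d+)"\]\["(\d+)"\] = (.+)$'
)

# Constructed trace, modelled on the thread's sanitized output, after the
# RADIUS server was configured to send Class (25) = AD security group name.
SAMPLE_TRACE = """\
DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup
DAP_TRACE: Username: testuser, aaa.radius["7"]["1"] = 1
DAP_TRACE: Username: testuser, aaa.radius["6"]["1"] = 2
DAP_TRACE: Username: testuser, aaa.radius["25"]["1"] = VPN-Vendors
DAP_TRACE: Username: testuser, aaa.radius["25"]["2"] = VPN-Finance
"""

def parse_radius_attrs(trace):
    """Build {attribute_id: [values]} from the trace; one list entry per instance."""
    attrs = {}
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(3).strip('"'))
    return attrs

# Each DAP record: (name, AAA selection criteria). Every (attribute id, value)
# criterion must be present in the received attributes for the DAP to select.
DAPS = [
    ("Vendor-DAP", [("25", "VPN-Vendors")]),
    ("Finance-DAP", [("25", "VPN-Finance")]),
    # One DAP for users who are in BOTH groups, as suggested in the last post.
    ("Vendor-and-Finance-DAP", [("25", "VPN-Vendors"), ("25", "VPN-Finance")]),
    # Matches the Cisco group policy name, not the AD group (the 4121 confusion).
    ("GroupPolicy-DAP", [("4121", "testvpngroup")]),
    # Attribute the ASA never received: this DAP can never select.
    ("MemberOf-4242-DAP", [("4242", "VPN-Vendors")]),
]

def select_daps(attrs, daps=DAPS, default="DfltAccessPolicy"):
    """Return the names of all DAPs whose criteria hold ("selected N records");
    like the ASA, fall back to the default policy when none do."""
    selected = [name for name, criteria in daps
                if all(value in attrs.get(attr_id, []) for attr_id, value in criteria)]
    return selected or [default]
```

Several DAPs can select for the same user; the ASA then aggregates them under the rules in the linked document, which this example does not model.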