12-07-2010 05:39 PM
I have an ASA 5510 and I am trying to implement Dynamic Access Policies (DAP) for SSL VPN remote access control.
I have created several policies for specific vendors/users and am having a hard time enforcing them. Specifically, the Selection Criteria is simply an AD Security Group and a Network ACL Filter.
What's weird is that when I had the Selection Criteria under the AAA Attribute Type: Cisco and used the specific AD username, the policy was enforced correctly.
When trying to use security groups and LDAP, it's a no go. LDAP does pass when tested under AAA Server Groups and it also queries and successfully brings up all the groups within AD when selecting criteria under the DAP Selection Criteria.
Any thoughts? Am I supposed to have a separate AnyConnect Connection Profile for each DAP?
Thanks,
12-08-2010 02:42 AM
Hi Name,
Start by checking "debug ldap 255" and "debug dap trace" output - this will show which LDAP (and other) attributes DAP received about the user, and which policy (or policies) it selects based on that.
hth
Herbert
12-08-2010 05:55 AM
Herbert,
Thanks for the suggestion. Here is the output of the debug commands.
debug ldap 255 -> debug ldap enabled at level 255
debug dap trace -> debug dap trace enabled at level 1
12-08-2010 06:13 AM
Sorry for not being entirely clear, what I meant was, enable these 2 debug commands, then attempt to connect from a client. On your console session you should see lots of data flying by now. Note that this may include some sensitive information so please review (and if needed, edit) it before posting it here.
Herbert
12-08-2010 06:14 AM
Oh, and afterwards, use "undebug all" to disable the debugs again.
12-08-2010 06:29 AM
Herbert -- My apologies.
It looks as if it is falling to the default access policy instead of the one designated for this user.
Here is the sanitized output:
DAP_TRACE: Username: testname, aaa.radius["4121"]["1"] = testgroup
DAP_TRACE: Username: testname, aaa.radius["7"]["1"] = 1
DAP_TRACE: Username: testname, aaa.radius["6"]["1"] = 2
DAP_TRACE: Username: testname, aaa.radius["25"]["1"] = T..I
DAP_TRACE: Username: testname, aaa.cisco.grouppolicy = testgroup
DAP_TRACE: Username: testname, aaa.cisco.username = testname
DAP_TRACE: Username: testname, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testgroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testgroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testname"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testname"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testname, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testname, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testname, Selected DAPs: DfltAccessPolicy
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testgroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testgroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testgroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testname"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testname"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testname, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testname, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testname, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: testname, DAP_close: AE557898
12-08-2010 06:52 AM
Right. The debugs also show that the user was authenticated using Radius, not LDAP.
So you will either have to change your authentication method to LDAP, or change your DAP policies to use Radius attributes instead of LDAP attributes.
hth
Herbert
12-08-2010 07:48 AM
Wow, thanks. One of those "duh" moments.
I changed the DAP Selection Criteria to the RADIUS Attribute ID 4242 and a value of
Here is the debug output:
DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup
DAP_TRACE: Username: testuser, aaa.radius["7"]["1"] = 1
DAP_TRACE: Username: testuser, aaa.radius["6"]["1"] = 2
DAP_TRACE: Username: testuser, aaa.radius["25"]["1"] = U
DAP_TRACE: Username: testuser, aaa.cisco.grouppolicy = testvpngroup
DAP_TRACE: Username: testuser, aaa.cisco.username = testuser
DAP_TRACE: Username: testuser, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testvpngroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"]="U"
DAP_TRACE: name = aaa.radius["25"]["1"], value = "U"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testvpngroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testuser"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testuser"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testuser, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testuser, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testuser, Selected DAPs: DfltAccessPolicy
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["4121"]["1"]="testvpngroup"
DAP_TRACE: name = aaa.radius["4121"]["1"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"]="U"
DAP_TRACE: name = aaa.radius["25"]["1"], value = "U"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="testvpngroup"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "testvpngroup"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testuser"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testuser"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: testuser, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testuser, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testuser, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: testuser, DAP_close: AE5B7AC8
12-08-2010 08:05 AM
I guess it should be ID 4121 (4096+25) from what I see in the debugs.
DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup
Run a debug radius all just to make sure what is the security group that is pushed.
12-08-2010 08:07 AM
Well, it seems like DAP does not know about attribute 4242 - check the first few lines of the debugs which show what attributes it knows about.
Did you mean 4121 maybe?
If it's really 4242, please check "debug radius" to see if the radius server is actually sending that attribute.
hth
Herbert
12-08-2010 09:44 AM
Hmmm. The "testvpngroup" below is representative of a Cisco Group Policy, not the Active Directory Security Group.
In doing the RADIUS debug, I did see the 4242 value get passed. I got the 4242 value from the ASA help that stated it was the "Member Of" (4096 + 146).
12-08-2010 11:49 AM
What does the radius attribute 25 give you in the debug radius? Can you use that to match dap policies?
12-08-2010 01:01 PM
Rahul,
You hit the nail on the head. I had to change the attribute to 25 and then ALSO create a corresponding attribute on the RADIUS server. That attribute was the Class attribute with the Security Group being its value.
Thank you all for your help.
One last question. Now that the DAPs are being enforced, I am running into a problem with a person being a member of two different AD Security Groups. How do I address that with the DAP since the person will need the access granted by two different DAPs?
Thanks!!!
12-08-2010 01:13 PM
If a user is hitting multiple DAPs, the end policy will be an aggregation of all the DAP policies based on certain rules. The best guide for that is here:
https://supportforums.cisco.com/docs/DOC-1369
But what you can also do is to create a DAP policy for a user who has to match two groups. That can be configured in the DAP AAA criterion section, where you can make a policy which matches two attributes (2 security groups in your case) and enforce actions that way.
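Added example, not code from the thread or from Cisco: a small Python model of the selection the "debug dap trace" output above records. It parses constructed DAP_TRACE lines into the attribute tree, then applies DAP records that match on RADIUS attribute 25 (the Class attribute carrying the AD group), including one record that requires two groups as the last reply suggests. The DAP names, group values and the all-criteria-must-match rule are assumptions; the ASA itself evaluates its records in Lua.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's "debug dap trace" output,
# after the fix: RADIUS attribute 25 (Class) now carries the AD security
# group name(s). Not real ASA output.
SAMPLE_TRACE = """\
DAP_TRACE: Username: testuser, aaa.radius["4121"]["1"] = testvpngroup
DAP_TRACE: Username: testuser, aaa.radius["25"]["1"] = VPN-Admins
DAP_TRACE: Username: testuser, aaa.radius["25"]["2"] = VPN-Finance
DAP_TRACE: Username: testuser, aaa.cisco.username = testuser
DAP_TRACE: Username: testuser, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: Username: testuser, DAP_close: 00000000
"""

ATTR_RE = re.compile(r'^DAP_TRACE: Username: \S+, (\S+) = (.*)$')
RADIUS_RE = re.compile(r'^aaa\.radius\["(\d+)"\]\["\d+"\]$')

def parse_trace(text):
    """Collect the AAA attributes DAP received, in the order they appeared.

    RADIUS attributes are keyed by integer ID (the thread notes the ASA numbers
    vendor-specific ones as 4096 + attribute, e.g. 4121); everything else
    (aaa.cisco.username, ...) is keyed by its dotted name."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        r = RADIUS_RE.match(name)
        attrs[int(r.group(1)) if r else name].append(value)
    return dict(attrs)

# Assumed DAP records in the shape the thread ends up with: a name plus the
# (RADIUS attribute ID, value) pairs that must all be present. A user who
# belongs to two AD groups is covered by a record requiring both values.
DAPS = [
    ("Admins-DAP", [(25, "VPN-Admins")]),
    ("Finance-DAP", [(25, "VPN-Finance")]),
    ("Admins-Finance-DAP", [(25, "VPN-Admins"), (25, "VPN-Finance")]),
    ("Vendor-DAP", [(25, "VPN-Vendors")]),
]

def select_daps(attrs, daps=DAPS):
    """Names of every DAP whose criteria all match; the ASA falls back to
    DfltAccessPolicy when none do (the 'selected 0 records' case above)."""
    hit = [name for name, crit in daps
           if all(v in attrs.get(a, []) for a, v in crit)]
    return hit or ["DfltAccessPolicy"]

if __name__ == "__main__":
    received = parse_trace(SAMPLE_TRACE)
    print(received)
    print(select_daps(received))
```

Feeding it the original trace from the thread (only aaa.radius["4121"] set, no attribute 25) returns DfltAccessPolicy, which is the fallback the user was seeing.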