09-11-2024 12:08 AM
Hi all, I configured RA VPN on FMC with 2 different access groups: the first is VPN for Users and the second one is for Administrators. I configured LDAP attribute mapping from the manuals, but it is not working. I have two groups in my Active Directory, VPN for Users and VPN for Administrators, but it seems that FMC is not checking group membership at all; I can connect to both access groups even if I am not a member of any group.
The Distinguished Name is copied directly from Active Directory.
09-11-2024 12:31 AM
Share the output of the following:
debug ldap 255
show running
MHM
09-11-2024 02:10 AM
Make the default group policy NoAccess instead of using VPN-for-admin:
default-group-policy VPN_for_Admininstrators
And double-check the LDAP memberOf for each user.
Note: one user cannot be in two different groups.
MHM
09-11-2024 02:33 AM
How do I set the default group policy from the web UI?
09-11-2024 02:37 AM
@sherali mamatkarimov you are connecting to the tunnel-group/connection profile "VPN_for_Users". That has the default group policy "VPN_for_Users", which allows VPN connections (vpn-simultaneous-logins 3):
tunnel-group VPN_for_Users general-attributes
address-pool Remote_VPN_Pool
authentication-server-group AD-mda_new
default-group-policy VPN_for_Users
You need to set the NoAccess policy (via the FMC), which does not permit any VPN user connections (vpn-simultaneous-logins 0), as the default group policy. Then, when a user connects who is not a member of either group, they will be denied access.
So the configuration should look like this:
tunnel-group VPN_for_Users general-attributes
default-group-policy NoAccess
09-11-2024 03:27 AM
I understand, but how do I set the default group policy via the FMC web UI?
09-11-2024 03:31 AM - edited 09-11-2024 03:34 AM
@sherali mamatkarimov edit the Connection Profile the users connect to and specify the group policy as "NoAccess".
Example:
09-11-2024 03:46 AM
But I have 3 connection profiles; how can I choose one of them as the default?
09-11-2024 03:50 AM
@sherali mamatkarimov you only need one connection profile that all users connect to; it's the LDAP mapping that assigns the users to the different group policies.
09-11-2024 03:56 AM
Friend, Cisco makes it complex, let me explain.
AnyConnect can connect to the FTD using one connection profile (tunnel-group in ASA) and then use an LDAP map to map each user to its group policy.
OR
Use multiple connection profiles (using group URL/alias), and hence each connection profile has its default group policy; no LDAP mapping is needed here.
Note: the second case needs group-lock.
MHM
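To make the two designs discussed in Rob Ingram's and MHM's replies above concrete, here is an added ASA-style configuration example. It is not from the original thread, from Cisco documentation, or from the poster's FMC; it is the CLI form of what FMC deploys to the FTD (and what `show running-config` on the FTD displays). Part (a) is the single-profile design: one connection profile, an LDAP attribute map that turns the AD `memberOf` value into a Cisco `Group-Policy`, and a NoAccess default group policy so that anyone the map does not place in a group is refused. Part (b) is the multi-profile variant with a group URL per role and `group-lock` on each group policy; note that group-lock still relies on the LDAP map (or another per-user source) to assign the policy, because the lock compares the user's assigned policy against the profile they connected to. The group-policy, tunnel-group and AAA server names match the thread; the IP address 10.0.0.10, hostname vpn.example.com, OU and DC components of the DNs, the service-account DN, the pool name and the map name AD-GroupMap are assumptions.

```cisco
!
! --- (a) One connection profile + LDAP attribute map + NoAccess default ---
!
! Map the AD group DN (must match the DN in AD exactly, including spaces and case)
! to the Cisco group-policy name. Only direct membership appears in memberOf.
ldap attribute-map AD-GroupMap
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN for Users,OU=Groups,DC=example,DC=com" VPN_for_Users
 map-value memberOf "CN=VPN for Administrators,OU=Groups,DC=example,DC=com" VPN_for_Administrators
!
! AAA server group from the thread; bind DN, base DN and host are assumptions.
aaa-server AD-mda_new protocol ldap
aaa-server AD-mda_new (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GroupMap
!
! Deny-by-default policy: zero simultaneous logins means no session is ever built.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
group-policy VPN_for_Users internal
group-policy VPN_for_Users attributes
 vpn-simultaneous-logins 3
!
group-policy VPN_for_Administrators internal
group-policy VPN_for_Administrators attributes
 vpn-simultaneous-logins 3
!
! Single profile everyone connects to. The default policy is NoAccess; a user only
! reaches VPN_for_Users or VPN_for_Administrators if the map returns that value.
tunnel-group VPN_for_Users type remote-access
tunnel-group VPN_for_Users general-attributes
 address-pool Remote_VPN_Pool
 authentication-server-group AD-mda_new
 default-group-policy NoAccess
tunnel-group VPN_for_Users webvpn-attributes
 group-alias VPN_for_Users enable
!
! --- (b) Variant: one profile per role, pinned with group-lock ---
!
! group-lock is set on the policy the LDAP map assigns. A member of "VPN for Users"
! who connects to the admin URL is assigned VPN_for_Users, which is locked to the
! VPN_for_Users tunnel-group, so the connection to VPN_for_Administrators is rejected.
group-policy VPN_for_Users attributes
 group-lock value VPN_for_Users
group-policy VPN_for_Administrators attributes
 group-lock value VPN_for_Administrators
!
tunnel-group VPN_for_Administrators type remote-access
tunnel-group VPN_for_Administrators general-attributes
 address-pool Remote_VPN_Pool
 authentication-server-group AD-mda_new
 default-group-policy NoAccess
tunnel-group VPN_for_Administrators webvpn-attributes
 group-url https://vpn.example.com/admins enable
tunnel-group VPN_for_Users webvpn-attributes
 group-url https://vpn.example.com/users enable
```

Both parts keep `default-group-policy NoAccess` on every profile; the original symptom in this thread (anyone can connect) is exactly what happens when the default policy is a permissive one, because the default is what every user gets until the LDAP map overrides it. To check the deployed result on the FTD, `show running-config ldap` and `show running-config tunnel-group` confirm the map and defaults landed, `show vpn-sessiondb anyconnect` shows which group policy each live session received, and `debug ldap 255` during a test login prints the `memberOf` values AD returned, which is where a DN mismatch (a wrong OU, a trailing space, a renamed group) shows up. Keep the two mapped AD groups mutually exclusive, as MHM notes, since only one mapped value is applied to a session.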
09-11-2024 03:38 AM
VPN > Remote Access > Connection Profile (select profile) > Advanced > Group Policy > Edit > select NoAccess
MHM
09-11-2024 04:38 AM
@Rob Ingram @MHM Cisco World I deleted the other connection profiles except NoAccess; now it seems to be working, thanks.