I am using an ASA with FirePOWER services (version 9.6), and I want to restrict users of a particular LDAP group to log in only to a particular VPN group policy and not to any other policy.
Right now I have configured a tunnel-group with LDAP login, but it contains all the users of the domain.
How can I achieve the desired configuration?
Please find my current configuration for LDAP below:
tunnel-group Anyconnect_LDAP type remote-access
tunnel-group Anyconnect_LDAP general-attributes
 address-pool Anyconnect_LDAP_pool
 authentication-server-group LDAP
 default-group-policy Anyconnect_LDAP
tunnel-group Anyconnect_LDAP webvpn-attributes
 group-alias Anyconnect_LDAP enable
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
 ldap-base-dn dc=XX,dc=YY
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ****
 ldap-login-dn CN=ASA admin,OU=users,DC=XX,DC=YY
 server-type microsoft
You can use an ldap attribute-map.
Hi Bogdan,
Thank you for the response, but can you please share a configuration example, because I am new to ASA and AD as well.
Suppose I have a user xx-user from the LDAP group xx-ldap-grp, and it should only be able to log in to a particular group-policy, xx-grp-policy.
It looks like you have already defined the LDAP server, so you will need to define the ldap attribute-map.
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=xx-ldap-grp,OU=users,DC=XX,DC=YY xx-grp-policy
When defining the AD group you need to use its Distinguished Name; dsquery can be used for that.
For instance, 'dsquery group DC=XX,DC=YY' will list all groups in the domain DC=XX,DC=YY and display their distinguished names.
Then you need to apply the ldap attribute-map to the AAA server:
aaa-server LDAP (inside) host x.x.x.x
 ldap-attribute-map LDAP-MAP
In order to prevent users from connecting to the wrong group-policy and gaining unauthorized access, you can configure a NOACCESS group-policy and assign it as the default in the tunnel-group:
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
tunnel-group Anyconnect_LDAP general-attributes
 default-group-policy NOACCESS
dsquery is a tool that can help you retrieve the group distinguished name you need to configure in the ldap attribute-map:
https://technet.microsoft.com/en-us/library/cc732952(v=ws.11).aspx
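As an added example (not Bogdan's or Cisco's code), here is a small Python model of the mapping described in the answer above: it resolves a user's memberOf values through the attribute-map and shows whether the NOACCESS default lets the user in. The group DNs, users and the first-match rule are constructed assumptions, not observed ASA behaviour.

```python
"""Model of how the ASA picks a group-policy from an ldap attribute-map.
Added example, not from the thread or Cisco: it mirrors the memberOf ->
IETF-Radius-Class mapping and the NOACCESS default from the answer above.
Group DNs, users and the matching rules are constructed assumptions."""

# ldap attribute-map LDAP-MAP, as {AD group DN: ASA group-policy}
ATTRIBUTE_MAP = {"CN=xx-ldap-grp,OU=users,DC=XX,DC=YY": "xx-grp-policy"}

# tunnel-group Anyconnect_LDAP: default-group-policy NOACCESS
DEFAULT_GROUP_POLICY = "NOACCESS"

# vpn-simultaneous-logins per group-policy; 0 means the session is denied
SIMULTANEOUS_LOGINS = {"xx-grp-policy": 3, "NOACCESS": 0}

def normalize_dn(dn):
    """Trim spaces around commas and fold case so DNs compare reliably
    (LDAP DN matching is case-insensitive). Assumes no escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def select_group_policy(member_of):
    """Group-policy for a user with these memberOf values: the first
    mapped DN in directory order wins (a modelling assumption); a user in
    no mapped group falls through to the tunnel-group default."""
    mapped = {normalize_dn(dn): pol for dn, pol in ATTRIBUTE_MAP.items()}
    for dn in member_of:
        policy = mapped.get(normalize_dn(dn))
        if policy is not None:
            return policy
    return DEFAULT_GROUP_POLICY

def login_allowed(member_of):
    """Return (group-policy, allowed); NOACCESS permits 0 logins."""
    policy = select_group_policy(member_of)
    return policy, SIMULTANEOUS_LOGINS[policy] > 0

def render_attribute_map(name="LDAP-MAP"):
    """ASA CLI lines equivalent to ATTRIBUTE_MAP, one map-value per group."""
    lines = [f"ldap attribute-map {name}", " map-name memberOf IETF-Radius-Class"]
    lines += [f" map-value memberOf {dn} {pol}" for dn, pol in ATTRIBUTE_MAP.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed memberOf values, formatted as AD might return them
    xx_user = ["CN=Domain Users,CN=Users,DC=XX,DC=YY",
               "cn=xx-ldap-grp, ou=users, dc=XX, dc=YY"]
    other = ["CN=Domain Users,CN=Users,DC=XX,DC=YY"]
    print(login_allowed(xx_user))  # ('xx-grp-policy', True)
    print(login_allowed(other))    # ('NOACCESS', False)
    print(render_attribute_map())
```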
You have to configure a DAP (only possible through ASDM).
Basically you will need to create two conditions in the DAP:
1) Member of group X
2) VPN group Y
Action = Permit
Have a look here:
Thanks for the response, Andre!!
Can you give me an example of the same?
See the image:
But in your case you will use the LDAP attribute (memberOf), and will have to set "User has ALL of the following AAA Attributes...".