chintan0111
Beginner

How to restrict users of LDAP group to login to only particular VPN Group policy?

I am using an ASA with FirePOWER services (version 9.6), and I want to restrict users of a particular LDAP group to log in only to a particular VPN group policy, not to other policies.

Right now I have configured a tunnel-group with LDAP login, but it contains all the users of the domain.

How can I achieve the desired configuration?

Please find below my current configuration for LDAP:

tunnel-group Anyconnect_LDAP type remote-access
tunnel-group Anyconnect_LDAP general-attributes
 address-pool Anyconnect_LDAP_pool
 authentication-server-group LDAP
 default-group-policy Anyconnect_LDAP
tunnel-group Anyconnect_LDAP webvpn-attributes
 group-alias Anyconnect_LDAP enable

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
 ldap-base-dn dc=XX,dc=YY
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ****
 ldap-login-dn CN=ASA admin,OU=users,DC=XX,DC=YY
 server-type microsoft

Bogdan Nita
Rising star

Hi Bogdan,

Thank you for the response, but can you please share a configuration example, because I am new to ASA and AD also.

Say I have a user xx-user from the LDAP group xx-ldap-grp, and it can only log in to the particular group-policy xx-grp-policy.

It looks like you already defined the LDAP server, so you will need to define the LDAP attribute-map.

ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=xx-ldap-grp LDAP,OU=users,DC=XX,DC=YY xx-grp-policy

When defining the AD group you need to use the Distinguished Name; dsquery can be used for that.
For instance, 'dsquery group DC=XX,DC=YY' will show all groups in the domain DC=XX,DC=YY and display their distinguished names.
Then you need to apply the attribute-map to the AAA server:

aaa-server LDAP (inside) host x.x.x.x
 ldap-attribute-map LDAP-MAP

In order to prevent users from connecting to the wrong group-policy and gaining unauthorized access, you can configure a NOACCESS group-policy and assign it as the default in the tunnel-group:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
tunnel-group Anyconnect_LDAP general-attributes
 default-group-policy NOACCESS
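To make the mechanism above concrete, here is a small Python model (an added illustration, not Bogdan's or Cisco's code) of how the ASA combines the memberOf attribute-map with the NOACCESS default: it parses a constructed config fragment in the thread's style, picks the group-policy for a user's memberOf values, and treats vpn-simultaneous-logins 0 as a denied login. Group names, the second map-value line and the case-insensitive DN comparison are assumptions of the model.

```python
import re

# Constructed ASA config fragment in the style of the thread (hypothetical
# names; not from a real device). The second map-value shows a DN with a space.
ASA_CONFIG = """
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=xx-ldap-grp,OU=users,DC=XX,DC=YY xx-grp-policy
 map-value memberOf CN=VPN Admins,OU=users,DC=XX,DC=YY admin-grp-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
group-policy xx-grp-policy internal
tunnel-group Anyconnect_LDAP general-attributes
 default-group-policy NOACCESS
"""

def parse_map_values(config):
    """Map each group DN (lower-cased) to the group-policy it assigns.
    The DN may contain spaces, so the policy is taken as the last token."""
    pattern = re.compile(r"^\s*map-value memberOf (.+?)\s+(\S+)\s*$", re.M)
    return {dn.lower(): policy for dn, policy in pattern.findall(config)}

def parse_default_policy(config):
    """default-group-policy under the tunnel-group (ASA falls back to DfltGrpPolicy)."""
    m = re.search(r"^\s*default-group-policy (\S+)", config, re.M)
    return m.group(1) if m else "DfltGrpPolicy"

def parse_simultaneous_logins(config):
    """vpn-simultaneous-logins per group-policy; unset policies keep the ASA default of 3."""
    limits, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^group-policy (\S+) attributes", line)
        if head:
            current = head.group(1)
        elif not line.startswith(" "):
            current = None            # left the attributes block
        elif current and line.strip().startswith("vpn-simultaneous-logins "):
            limits[current] = int(line.split()[1])
    return limits

def select_policy(member_of, config):
    """Policy assigned by the attribute-map, else the tunnel-group default.
    DNs are compared case-insensitively here (a modelling assumption)."""
    mapping = parse_map_values(config)
    for dn in member_of:
        if dn.lower() in mapping:
            return mapping[dn.lower()]
    return parse_default_policy(config)

def login_allowed(member_of, config):
    """(policy, allowed): a policy with vpn-simultaneous-logins 0 denies the login."""
    policy = select_policy(member_of, config)
    return policy, parse_simultaneous_logins(config).get(policy, 3) > 0
```

A user outside every mapped group lands in NOACCESS and is refused, which is the default-deny behaviour the NOACCESS policy is meant to give.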

Hi Bogdan,
once again thanks for the reply.

So for AD I need to create a dsquery group? A simple LDAP group will not work? Is dsquery something I need to use? What is dsquery?

dsquery is a tool that can help you retrieve the group distinguished name you need to configure in the LDAP attribute-map.

https://technet.microsoft.com/en-us/library/cc732952(v=ws.11).aspx

andre.ortega
Enthusiast

You have to configure a DAP (only possible through ASDM).
Basically you will need to create two conditions on the DAP:
1) Member of group X
2) VPN Group y
Action = Permit
Have a look here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

Thanks for the response, Andre!!

Can you give me an example of the same!

See the image:

But in your case you will use LDAP attribute (memberOf), and will have to set "User has ALL of the following AAA Attributes...".

DAP.PNG
