Re: How to restrict users of LDAP group to login to only particular VPN Group policy?

chintan0111 · ‎12-12-2017

I am using ASA with firepower service (9.6 version), And I want to restrict users of particular LDAP group to login only to particular VPN group policy not to other policy.

Right now I have configured tunnel-group with LDAP login , But contains all the users of domain.

How can achieve the desired configuration ?

PLease find below my current configuration for LDAP,

tunnel-group Anyconnect_LDAP type remote-access
tunnel-group Anyconnect_LDAP general-attributes
address-pool Anyconnect_LDAP_pool
authentication-server-group LDAP
default-group-policy Anyconnect_LDAP
tunnel-group Anyconnect_LDAP webvpn-attributes
group-alias Anyconnect_LDAP enable

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
ldap-base-dn dc=XX,dc=YY
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=ASA admin,OU=users,DC=XX,DC=YY
server-type microsoft

Bogdan Nita · ‎12-12-2017

You can use ldap attribute-map.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

chintan0111 · ‎12-12-2017

HI Bogdan,

Thank you for the response, But can you please share configuration example because I am new to ASA and AD also.

If I have xx-user user from xx-ldap-grp LDAP group and it can only login to particuar group-policy xx-grp-policy.

Bogdan Nita · ‎12-13-2017

It looks like you already defined the ldap server, so you will need to define the ldap-map.

ldap attribute-map LDAP-MAP
map-name memberOf IETF-Radius-Class
map-value memberOf CN=xx-ldap-grp LDAP,OU=users,DC=XX,DC=YY xx-grp-policy

When defining the AD group you need to use the Distinguished Name, dsquery can be used for that.
For instance 'dsquery group DC=XX,DC=YY' will show all groups in the domain DC=XX,DC=YY, and then display their distinguished names.
Then you need to apply the ldap-map to the AAA server group:

aaa-server LDAP (inside) host x.x.x.x
ldap-attribute-map LDAP-MAP

In order to prevent users to connect to the wrong group-policy and gain unauthorized access you can configure a noaccess group-policy and assign it as default in the tunnel-group.
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn
tunnel-group Anyconnect_LDAP general-attributes
default-group-policy NOACCESS

chintan0111 · ‎12-13-2017

HI Bogdan,
once again thanks for the reply,

So for AD i need to create dsquery group? simple LDAP group will not work? Is this dsquery is something i need to use? Wht is dsquery

Bogdan Nita · ‎12-13-2017

dsquery is a tool that can help you retrieve the group distinguished name you need to configure in the ldap attribute-map

https://technet.microsoft.com/en-us/library/cc732952(v=ws.11).aspx

andre.ortega · ‎12-21-2017

You have to configure a DAP (only possible through ASDM).
Basicaly you will need to create two conditions on DAP:
1) Member of group X
2) VPN Group y
Action = Permit
Have a look here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

chintan0111 · ‎01-07-2018

Thanks for the response Andre!!

Can you give me an example of the same!

andre.ortega · ‎01-08-2018

See the image:

But in your case you will use LDAP attribute (memberOf), and will have to set "User has ALL of the following AAA Attributes...".