LDAP Attribute Map Match on User not AD Group

rfranzke (Level 1)

We currently have AnyConnect (client based) up and running on our ASA 5515X running 9.5(1). I am using AD LDAP for authentication and have LDAP attribute maps set up and assigned to our LDAP server config on the ASA. Like many, we use these maps to allow the ASA to assign a particular group policy to a user based on AD group membership. I basically have a group in AD for regular VPN users and a group in AD for Admin VPN users. This works pretty well; however, there are instances where the particular user profile tied to the 'Regular VPN Users' group policy does not work for all users in that AD group. I was trying to find a way to tweak the settings for certain users based on username. Say user A needs VPN establishment from an RDP session, but I don't want every user to have that, so I would assign a different group policy\user profile to user A based on AD username which would allow VPN from an RDP session. The remainder of users would still be blocked from allowing VPN from RDP. Here is my basic LDAP attribute map:

ldap attribute-map <map-name>
map-name memberOf Group-Policy
map-value memberOf "LDAP path" <AnyConnect Group Policy name>
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

Now what I could do here with the config above, I think, is create a new group policy on the ASA for a certain group of users and then create a new map-value with a new LDAP path which would point to a new group in AD, say 'RDP VPN Users'. I would then add the users I want specific AnyConnect group policies\user profiles assigned to that particular AD group. But the issue is I would prefer not to have to create so many groups in AD.

What I wanted to know is if there is a way to have an LDAP attribute map value path to a certain AD username somehow. Like if the LDAP path was something like "CN=<username>,OU=users,DC=<domain>,DC=<name>". This way I could assign a group policy to the majority of users in the 'Regular VPN Users' AD group, but then assign a different policy to certain users that need slightly different settings. Would that allow me to match on a certain user and not on an AD group? Does the group-policy cisco-attribute-name treat a user as though it were an AD group? I would guess no, but I'm not sure. I looked through the list of cisco-attribute-names but did not see anything that seemed like it worked for AD usernames.

Also if anyone knows a better way to achieve this please let me know as I am open to suggestions. Hopefully this makes sense. Thanks in advance to the community for the help.

Accepted Solution

Philip D'Ath (VIP Alumni)

I think you need a completely different approach - DAP (Dynamic Access Policies).

DAP allows you to query lots of things, and you can create additive policies. So if you are a member of group "A" you append this URL. If you are also a member of group "B" you append this ACL. It can also do other things, like check registry keys, etc.

Check out the DAP deployment guide.

https://supportforums.cisco.com/document/7691/asa-8x-dynamic-access-policies-dap-deployment-guide

I pretty much only use DAP now (and not attribute maps) because of the huge increase in flexibility.

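To make the difference between the two mechanisms concrete, here is an added Python simulation (not Cisco code and not from either poster) of how an attribute map compares its map-value DNs against the user's memberOf group DNs, and of DAP's additive record aggregation described above. The user, group, policy and ACL names are constructed, and the simplified priority rule and the per-username AAA criterion are assumptions for illustration.

```python
"""Added simulation of ASA LDAP attribute-map vs DAP evaluation (constructed data, not Cisco code)."""
from dataclasses import dataclass, field

REGULAR = "CN=Regular VPN Users,OU=groups,DC=example,DC=local"
ADMIN = "CN=Admin VPN Users,OU=groups,DC=example,DC=local"
# Constructed AD-style users. memberOf holds group DNs only, never the user's own DN.
USERS = {"usera": {"memberOf": [REGULAR]}, "adminb": {"memberOf": [ADMIN, REGULAR]}}

# Mirrors `map-value memberOf "<DN>" <group-policy>` entries.
ATTR_MAP = {
    REGULAR: "GP-REGULAR",
    ADMIN: "GP-ADMIN",
    # A user DN as the map-value never matches: memberOf contains no user DNs.
    "CN=usera,OU=users,DC=example,DC=local": "GP-RDP",
}

def attribute_map_policies(uid):
    """Group policies whose map-value DN appears in the user's memberOf."""
    return [gp for dn, gp in ATTR_MAP.items() if dn in USERS[uid]["memberOf"]]

@dataclass
class DapRecord:
    name: str
    priority: int                # higher wins for single-valued settings (assumed rule)
    member_of: str = ""          # AAA criterion: this group DN in memberOf
    username: str = ""           # AAA criterion: exact username (assumed usable)
    attrs: dict = field(default_factory=dict)

    def matches(self, uid):
        group_ok = not self.member_of or self.member_of in USERS[uid]["memberOf"]
        user_ok = not self.username or self.username == uid
        return group_ok and user_ok

def dap_evaluate(uid, records):
    """Additive DAP semantics: ACLs from every matching record are appended;
    single-valued settings come from the highest-priority matching record."""
    hits = sorted((r for r in records if r.matches(uid)), key=lambda r: -r.priority)
    result = {"records": [r.name for r in hits], "acls": []}
    for r in hits:
        result["acls"] += r.attrs.get("acls", [])
        for key, val in r.attrs.items():
            if key != "acls":
                result.setdefault(key, val)  # first seen is highest priority
    return result

DAP_RECORDS = [
    DapRecord("regular", 10, member_of=REGULAR, attrs={"acls": ["ACL-INTERNAL"], "rdp_vpn": "deny"}),
    DapRecord("admin", 20, member_of=ADMIN, attrs={"acls": ["ACL-ADMIN"]}),
    DapRecord("usera-rdp", 30, username="usera", attrs={"rdp_vpn": "permit"}),
]
```

Running `dap_evaluate("usera", DAP_RECORDS)` shows the per-user record overriding the group record's RDP setting while the group's ACL still applies, without any extra AD group.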

4 Replies

Thanks for the reply here. Yes, agreed that DAP is most likely a better way to go with this. I was under the impression that DAP required an Advanced Endpoint Assessment license to function, which I did not have when I originally set this up, so I used attribute maps. I have never been sure if that means that you can use DAP for auth parameters (AD group membership for example) and not configure policies that require endpoint assessment (presence of registry keys, etc.), or if that means any DAP configured on here would not work. I just went with attribute maps and moved on.

I had to get a different VPN license to enable higher end SSL encryption (TLS 2.0) recently. When I looked at the license today, it seems I now have both endpoint assessment and AnyConnect premium enabled as a result:

AnyConnect Premium Peers : 250 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual

So I should be OK now to use DAP. In looking at the options for DAP for GP assignment, it still seems to only support AD group membership as a way to assign ASA VPN Group Policies (Attribute ID: memberOf). Again, to use this I would still need to create multiple AD groups (as in, if user A is part of group A and group B then assign policy A, but if they are just part of group B assign policy B). This will work but requires multiple AD groups configured on domain controllers, which I was hoping to avoid. Is there no way to just assign a policy based on username? I don't see it in ASDM for DAP configuration.

On a side note, if I now have AnyConnect Essentials enabled, what would be the impact to client-based AnyConnect VPN users of turning it off, now that I have AnyConnect Premium licenses available on my ASA? Will they just start using the premium licenses when they connect rather than the essentials licenses? Any impact to the AnyConnect client install portal page? Thanks again for the reply here. Appreciate you setting me straight on this issue.

EDIT: Looking through the link you provided, it seems that DAP takes the place of ASA tunnel groups and group policies. I'll look into the use of DAP some more. Thanks for the link.

You don't require "Advanced Endpoint Assessment" to use DAP. If you do have such a licence it just means you can do more checks, like antivirus signature updates, etc. Without the licence you can still check AD groups and the like.

I'm not sure with regards to the groups, but DAP is very flexible. See what match options there are, and how you might craft better matches. Remember you can match on other things like registry keys and the like, so perhaps you could check to see if the user's home directory exists or something. Be creative!

Correct, just turn off essentials and install your premium licences. Remember when you turn off essentials, and if there are no other VPN licences, you automatically get two premium licences (built in). There will be no impact to your users.

ps. If you think I helped it would be great if you could rate and mark the answer.  :-)
