
LDAP Group Assignments with Tunnel-Group-Lock

andrler
Level 1

Hi, I'm trying to authenticate my VPN users to MS AD, which is working perfectly - they can connect and use their AD logins. However, subsequently I would like to assign different group policies based on their security group assignment in AD, which I am trying to achieve with the ldap attribute-map memberOf or Tunnel-Group-Lock.

My understanding is that Tunnel-Group-Lock will assign people to only a specific group policy based on their AD group, which is more suited to my purpose than memberOf.

That said, the first issue is that it doesn't appear to work - users assigned to either Employees_All or Developers_All can log in using either group's authentication creds. After enabling debug ldap 255, I can see that the users are being matched to the appropriate group policy, but it appears to be disregarded.

The second issue is that users that are not assigned to either group can also log in using either group's authentication creds. I understand that this is because if there are no matches, it falls back to DfltGrpPolicy. So I changed the vpn-simultaneous-logins on the default policy to 0, which locked everyone out, so I changed vpn-simultaneous-logins on the employees and developers group policies to 10, leaving the default at 0. Everyone was still locked out, until I changed the default back to 3.

I've also looked at msNPAllowDialin, but I don't want to have to go through all the non-VPN users and disable VPN access in AD.

Any suggestions would be greatly appreciated. I think I have to be missing something simple.

Thanks,

Andy.

ldap attribute-map LDAP_map
  map-name  Tunnel-Group-Lock IETF-Radius-Class
  map-value Tunnel-Group-Lock CN=Employees_All,OU=Groups,DC=company,DC=com employees_vpn
  map-value Tunnel-Group-Lock CN=Developers_All,OU=Groups,DC=company,DC=com developers_vpn

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.1
server-port 389
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,OU=users,DC=company,DC=com
server-type microsoft
ldap-attribute-map LDAP_map
aaa-server LDAP (inside) host 10.1.1.2
server-port 389
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,OU=users,DC=company,DC=com
server-type microsoft
ldap-attribute-map LDAP_map

group-policy employees_vpn internal
group-policy employees_vpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value employees_vpn_split_tunnel_list

tunnel-group employees_vpn type remote-access
tunnel-group employees_vpn general-attributes
address-pool vpn_pool
authentication-server-group LDAP
default-group-policy employees_vpn
tunnel-group employees_vpn ipsec-attributes
pre-shared-key *****

group-policy developers_vpn internal
group-policy developers_vpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value developers_vpn_split_tunnel_list

tunnel-group developers_vpn type remote-access
tunnel-group developers_vpn general-attributes
address-pool vpn_pool
authentication-server-group LDAP
default-group-policy developers_vpn
tunnel-group developers_vpn ipsec-attributes
pre-shared-key *****

Accepted Solution

Paul Carco
Level 1

A very simple example of mapping is using just a random AD field like 'Department' and populating that with the group-policy name 'employees_vpn' or 'developers_vpn'.

ldap attribute-map LDAP_map
  map-name  Department IETF-Radius-Class   <<<-- this is now changed to read 'Group-Policy' in 8.2


I see that you have:
ldap attribute-map LDAP_map
  map-name  Tunnel-Group-Lock IETF-Radius-Class   (Tunnel-Group-Lock is not an LDAP attribute name.)

ciscoasa#1(config-ldap-attribute-map)# map-name ?

ldap mode commands/options:
  WORD  Enter Customer Atribute Name.


ciscoasa#1(config-ldap-attribute-map)# map-name department ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours
  Allow-Network-Extension-Mode
  Auth-Service-Type
  Authenticated-User-Idle-Timeout
  Authorization-Required
  Authorization-Type
  Banner1
  Banner2
  Cisco-AV-Pair
  Cisco-IP-Phone-Bypass
  Cisco-LEAP-Bypass
  Client-Intercept-DHCP-Configure-Msg
  Client-Type-Version-Limiting
  Confidence-Interval
  DHCP-Network-Scope
  DN-Field
  Firewall-ACL-In
  Firewall-ACL-Out
  Group-Policy   <<<<--- this replaced Ietf-radius-class

You should have a look at this document and specifically the section "Advantages of Using DAP Rather Than Group Policies":

"DAP provides:
•Flexible VPN policy selection criteria based on AAA or endpoint access attributes.
•Tighter integration with Active Directory attributes (for example, memberOf).
•Aggregation of multiple DAP policies."

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

Regards,

Paul


Hi Paul, thanks for the reply - it's actually taken this long to find some time to play with DAP, which worked well once I got my head around how it worked. I completely got rid of the LDAP attributes and just used DAP with ACLs to accomplish the same thing, which is ultimately a better solution.

If anyone is interested, I can post a working sanitised config.

Thanks,

Andy.

Hello Andy

Can you send me a working config of the DAP, please? At the moment I have problems with LDAP: all the users in Active Directory can authenticate on the VPN, not only the users in the security group I try to use.

Thanks and regards, Lukas
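Added example, not a config posted by anyone in this thread. It pulls together Paul's point (map a real AD attribute, here memberOf, to the Cisco attribute Group-Policy, which was called IETF-Radius-Class before ASA 8.2) with the fallback-to-DfltGrpPolicy problem Andy and Lukas describe (any AD user can log in). It assumes the group DNs, group-policy and tunnel-group names from the question; the AAA server and IPsec parts are unchanged from Andy's config and are not repeated.

```cisco
! memberOf is an attribute AD actually returns for the user object, so the
! ASA can match it. Tunnel-Group-Lock is a Cisco-side attribute, not an LDAP one.
ldap attribute-map LDAP_map
  map-name  memberOf Group-Policy
  map-value memberOf CN=Employees_All,OU=Groups,DC=company,DC=com employees_vpn
  map-value memberOf CN=Developers_All,OU=Groups,DC=company,DC=com developers_vpn

! A user whose memberOf matches no map-value inherits DfltGrpPolicy.
! Allow zero sessions there so unmapped AD users are refused.
group-policy DfltGrpPolicy attributes
  vpn-simultaneous-logins 0

! Mapped policies must set the limit explicitly, otherwise they inherit the 0
! from DfltGrpPolicy and everyone is locked out. group-lock ties each policy
! to one tunnel-group, so an employee cannot connect through developers_vpn.
group-policy employees_vpn attributes
  vpn-simultaneous-logins 3
  group-lock value employees_vpn
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value employees_vpn_split_tunnel_list

group-policy developers_vpn attributes
  vpn-simultaneous-logins 3
  group-lock value developers_vpn
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value developers_vpn_split_tunnel_list

! The tunnel-groups still default to their own policy; the LDAP map overrides
! it per user when memberOf matches, and the group-lock above is checked
! against the tunnel-group the user actually connected to.
tunnel-group employees_vpn general-attributes
  authentication-server-group LDAP
  default-group-policy employees_vpn
tunnel-group developers_vpn general-attributes
  authentication-server-group LDAP
  default-group-policy developers_vpn
```

Verify with debug ldap 255 that the mapped attribute shows the expected group-policy name for a test user in each group, and that a user in neither group is rejected rather than landing in DfltGrpPolicy; a user who is a member of both AD groups will get whichever value the ASA evaluates last, which is one of the reasons Andy moved to DAP.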