ldap vpn asa anyconnect

ciscoenginner79 (Level 1)

Hi guys.

I have an issue configuring a VPN connection based on LDAP authentication. I will explain a little what I am trying to achieve.

I want to allow the VPN connection only for users in a specific group. I have configured LDAP, the NOACCESS group-policy and so on. When I tried to connect using AnyConnect, the login failed, but the test authentication on the ASA is successful. Below are the debug logs and configuration.

Session Start
[18397] New request Session, context 0x00007f632184cce8, reqType = Authentication
[18397] Fiber started
[18397] Creating LDAP context with uri=ldap://10.113.100.2:389
[18397] Connect to LDAP server: ldap://10.113.100.2:389, status = Successful
[18397] supportedLDAPVersion: value = 3
[18397] supportedLDAPVersion: value = 2
[18397] Binding as Vmware Firepower
[18397] Performing Simple authentication for Vmware Firepower to 10.113.100.2
[18397] LDAP Search:
Base DN = [DC=XXX,DC=pl]
Filter = [samaccountname=John.Smith-s]
Scope = [SUBTREE]
[18397] User DN = [CN=John Smith-SA,OU=Admins,DC=XXX,DC=pl]
[18397] Talking to Active Directory server 10.113.100.2
[18397] Reading password policy for John.Smith-s, dn:CN=John Smith-SA,OU=Admins,DC=XXX,DC=pl
[18397] Read bad password count 1
[18397] Binding as John.Smith-s
[18397] Performing Simple authentication for John.Smith-s to 10.113.100.2
[18397] Processing LDAP response for user John.Smith-s
[18397] Message (John.Smith-s):
[18397] Authentication successful for John.Smith-s to 10.113.100.2
[18397] Retrieved User Attributes:
[18397] objectClass: value = top
[18397] objectClass: value = person
[18397] objectClass: value = organizationalPerson
[18397] objectClass: value = user
[18397] cn: value = John Smith-SA
[18397] sn: value = Smith-SA
[18397] givenName: value = John
[18397] distinguishedName: value = CN=John Smith-SA,OU=Admins,DC=XXX,DC=pl
[18397] instanceType: value = 4
[18397] whenCreated: value = 20180102115225.0Z
[18397] whenChanged: value = 20190429091227.0Z
[18397] displayName: value = John Smith-SA
[18397] uSNCreated: value = 1610630
[18397] memberOf: value = CN=vpn_admins,OU=Groups,OU=XXX,DC=XXX,DC=pl
[18397] mapped to Group-Policy: value = GroupPolicy_MGMT
[18397] mapped to LDAP-Class: value = GroupPolicy_MGMT
[18397] memberOf: value = CN=Administrators,CN=Builtin,DC=XXX,DC=pl
[18397] mapped to Group-Policy: value = CN=Administrators,CN=Builtin,DC=XXX,DC=pl
[18397] mapped to LDAP-Class: value = CN=Administrators,CN=Builtin,DC=XXX,DC=pl
[18397] uSNChanged: value = 8674308
[18397] name: value = John Smith-SA
[18397] objectGUID: value = +?.....M...0..-.
[18397] userAccountControl: value = 512
[18397] badPwdCount: value = 1
[18397] codePage: value = 0
[18397] countryCode: value = 0
[18397] badPasswordTime: value = 132016954184484377
[18397] lastLogoff: value = 0
[18397] lastLogon: value = 132010027473734252
[18397] pwdLastSet: value = 132010026563628654
[18397] primaryGroupID: value = 513
[18397] objectSid: value = .................1Z....2,...
[18397] adminCount: value = 1
[18397] accountExpires: value = 9223372036854775807
[18397] logonCount: value = 25
[18397] sAMAccountName: value = John.Smith-S
[18397] sAMAccountType: value = 805306368
[18397] userPrincipalName: value = John.Smith-SA@XXX.pl
[18397] lockoutTime: value = 0
[18397] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=XXX,DC=pl
[18397] dSCorePropagationData: value = 20180102124859.0Z
[18397] dSCorePropagationData: value = 16010101000000.0Z
[18397] lastLogonTimestamp: value = 132010027473734252
[18397] Fiber exit Tx=584 bytes Rx=2837 bytes, status=1
[18397] Session End

ldap attribute-map vpn_admins_map
 map-name memberOf Group-Policy
 map-value memberOf "CN=vpn_admins,OU=Groups,OU=XXX,DC=XXX,DC=pl" GroupPolicy_MGMT

tunnel-group MGMT type remote-access
tunnel-group MGMT general-attributes
 address-pool VPN_PGS_Lan
 authentication-server-group RALDAP LOCAL
 default-group-policy NOACCESS
tunnel-group MGMT webvpn-attributes
 group-alias MGMT enable

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

aaa-server RALDAP protocol ldap
 realm-id 1
aaa-server RALDAP (INTER) host 10.113.100.2
 timeout 5
 ldap-base-dn DC=XXX,DC=pl
 ldap-group-base-dn DC=XXX,DC=pl
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn CN=Vmware Firepower,OU=Admins,DC=XXX,DC=pl
 server-type microsoft
 ldap-attribute-map vpn_admins_map
 group-search-timeout 5
aaa-server RALDAP (INTER) host 10.113.100.3
 timeout 5
 ldap-base-dn DC=XXX,DC=pl
 ldap-group-base-dn DC=XXX,DC=pl
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn CN=Vmware Firepower,OU=Admins,DC=XXX,DC=pl
 server-type microsoft
 ldap-attribute-map vpn_admins_map
 group-search-timeout 5


test aaa-server authentication RALDAP host 10.113.100.2
Username: John.Smith-s
Password: ***********
INFO: Attempting Authentication test to IP address (10.113.100.2) (timeout: 10 seconds)
INFO: Authentication Successful

LOGIN FAILED THROUGH ANYCONNECT VPN.

Please give me some advice on what is wrong. I have read all the Cisco community topics etc. and found no solution so far.

Thanks

1 Accepted Solution


ciscoenginner79 (Level 1)

Solved!!!

The vpn-simultaneous-logins of the GroupPolicy must be set to something different from Inherit.
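As an added illustration (not from the original post and not Cisco code), a small Python model of what the accepted answer describes: the attribute map turns memberOf into a group policy, and an attribute left at inherit in GroupPolicy_MGMT falls back to the tunnel group's default policy NOACCESS, whose vpn-simultaneous-logins 0 denies the login. The inheritance order and the first-match handling of multiple memberOf values are assumptions made for the model; the DfltGrpPolicy value 3 is the ASA default.

```python
# Constructed model of the NOACCESS / attribute-map pattern from the thread.
# memberOf values copied from the debug output above.
MEMBER_OF = [
    "CN=vpn_admins,OU=Groups,OU=XXX,DC=XXX,DC=pl",
    "CN=Administrators,CN=Builtin,DC=XXX,DC=pl",
]

# ldap attribute-map vpn_admins_map: map-value memberOf <DN> GroupPolicy_MGMT
ATTRIBUTE_MAP = {
    "CN=vpn_admins,OU=Groups,OU=XXX,DC=XXX,DC=pl": "GroupPolicy_MGMT",
}

# tunnel-group MGMT general-attributes: default-group-policy NOACCESS
TUNNEL_GROUP_DEFAULT_GP = "NOACCESS"


def map_group_policy(member_of, attribute_map, configured_policies):
    """Return the first mapped value naming a configured group policy, or
    None. Unmapped DNs pass through unchanged, as the debug log shows
    ("mapped to Group-Policy: value = CN=Administrators,...")."""
    for dn in member_of:
        candidate = attribute_map.get(dn, dn)
        if candidate in configured_policies:
            return candidate
    return None


def effective_simultaneous_logins(user_gp, policies, default_gp):
    """Assumed inheritance chain: user's group policy, then the tunnel
    group's default group policy, then DfltGrpPolicy."""
    for name in (user_gp, default_gp, "DfltGrpPolicy"):
        value = policies.get(name, {}).get("vpn-simultaneous-logins")
        if value is not None:
            return value
    raise ValueError("no policy sets vpn-simultaneous-logins")


def login_allowed(member_of, policies):
    gp = map_group_policy(member_of, ATTRIBUTE_MAP, policies)
    if gp is None:              # no mapped group: user lands in NOACCESS
        gp = TUNNEL_GROUP_DEFAULT_GP
    return effective_simultaneous_logins(gp, policies, TUNNEL_GROUP_DEFAULT_GP) > 0


# As posted: GroupPolicy_MGMT leaves vpn-simultaneous-logins at inherit.
BROKEN = {
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},   # ASA default
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_MGMT": {},
}
# Fix from the accepted answer: set the value explicitly on the mapped policy.
FIXED = {**BROKEN, "GroupPolicy_MGMT": {"vpn-simultaneous-logins": 3}}

if __name__ == "__main__":
    print("as posted:", login_allowed(MEMBER_OF, BROKEN))   # False
    print("fixed:", login_allowed(MEMBER_OF, FIXED))        # True
```

Running it shows the mapped user denied with the posted configuration and allowed once GroupPolicy_MGMT sets the value, while a user outside vpn_admins stays in NOACCESS either way.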