LDAP with Anyconnect, assigning users to different group-policies

David Tamburin
Level 1

I have LDAP authentication successfully working; however, I cannot get users to be assigned different group-policies on the ASA.

I believe this is happening because in my tunnel-group I have "default-group-policy any_connect" defined.

I think this is overriding the LDAP assignment. However, when I remove this line AnyConnect doesn't work any longer.

AnyConnect states, when you try to log on, that AnyConnect is not configured on the firewall.

Any insight would be appreciated; please see the config below.

access-list ob_vpn_filter extended permit object-group DNS_SERVICE any object-group DNS_SERVERS
access-list ob_vpn_filter extended permit ip any 10.104.0.0 255.255.0.0

aaa-server LDAP protocol ldap
 max-failed-attempts 5
aaa-server LDAP (inside) host company.com
 server-port 636
 ldap-base-dn DC=company, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=CiscoASALDAP, CN=Managed Service Accounts, DC=company, DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP_CORP

ldap attribute-map LDAP_MAP_CORP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=OBAdmins, OU=Domain Security Groups, DC=company, DC=com" OB_group
  map-value memberOf "CN=WebVPN, OU=Domain Security Groups, DC=company, DC=com" any_connect

webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
 svc profiles anyconnectrdp disk0:/anyconnectrdp.xml
 svc enable
 tunnel-group-list enable

group-policy any_connect internal
group-policy any_connect attributes
 dns-server value 10.102.11.13 10.104.12.13
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FILTER
 default-domain value company.com
 split-dns none
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value anyconnectrdp
  svc ask none default svc
  file-browsing enable

group-policy OB_group internal
group-policy OB_group attributes
 dns-server value 10.102.11.13 10.104.12.13
 vpn-filter value ob_vpn_filter
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FILTER
 default-domain value company.com
 split-dns none
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value anyconnectrdp
  svc ask none default svc
  file-browsing enable

tunnel-group ssl_any_connect type remote-access
tunnel-group ssl_any_connect general-attributes
 address-pool ipsecadmin
 authentication-server-group LDAP
 default-group-policy any_connect
tunnel-group ssl_any_connect webvpn-attributes
 group-alias CORP_ANYCONNECT enable

1 Reply

David Tamburin
Level 1

Figured out the answer myself.

You need to create a group profile that denies access to everyone and put that in the tunnel-group as the default policy.

group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

Then you need to set vpn-simultaneous-logins on whatever other group-policies you create for AnyConnect, because it tries to inherit 0 from the NoAccess policy. This vexed me for some time.
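Added example, not part of the original thread: the pattern from the question and the reply combined into one ASA configuration fragment, using the poster's object names. The login limit of 3 and the username in the check commands are assumptions. The memberOf DNs are written without spaces after the commas, which is the form Active Directory returns them in; the map-value string must match that value exactly or the user falls through to the default policy.

```text
! 1. Map AD group membership to a group-policy name via the RADIUS Class attribute.
ldap attribute-map LDAP_MAP_CORP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=OBAdmins,OU=Domain Security Groups,DC=company,DC=com" OB_group
  map-value memberOf "CN=WebVPN,OU=Domain Security Groups,DC=company,DC=com" any_connect

aaa-server LDAP (inside) host company.com
 ldap-attribute-map LDAP_MAP_CORP

! 2. Deny-all fallback: a user whose memberOf matches no map-value lands here
!    and is refused because zero simultaneous logins are allowed.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! 3. Every mapped policy sets the limit itself. An attribute left unset in the
!    mapped policy is inherited from the tunnel-group's default group-policy,
!    which is now NoAccess, i.e. from 0. (Limit of 3 is an assumed value.)
group-policy any_connect attributes
 vpn-simultaneous-logins 3
group-policy OB_group attributes
 vpn-simultaneous-logins 3
 vpn-filter value ob_vpn_filter

! 4. The tunnel-group authenticates against LDAP and falls back to NoAccess.
tunnel-group ssl_any_connect general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess

! Checks (privileged exec, not config). "jdoe" is an assumed test account.
!   test aaa-server authentication LDAP host company.com username jdoe password *****
!   debug ldap 255          -> shows the memberOf value and the Class it was mapped to
!   show vpn-sessiondb svc  -> the Group Policy field shows what a connected user received
```

Two things to keep in mind when reusing this: on newer ASA images the session command is `show vpn-sessiondb anyconnect` rather than `svc`, and a user who is a member of more than one mapped AD group gets whichever mapping the ASA applies from the memberOf values it receives, so keep users in a single mapped group (or move the decision into a dynamic access policy) if the two policies differ in what they permit.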