12-09-2013 11:35 AM - edited 02-21-2020 07:22 PM
I have LDAP authentication successfully working, however I cannot get users to be assigned different group-policies on the ASA.
I believe this is happening because in my tunnel-group I have the "default-group-policy any_connect" defined.
I think this is overriding the LDAP assignment. However, when I remove this line AnyConnect doesn't work any longer.
AnyConnect states, when you try to log on, that AnyConnect is not configured on the firewall.
Any insight would be appreciated, please see config below.
access-list ob_vpn_filter extended permit object-group DNS_SERVICE any object-group DNS_SERVERS
access-list ob_vpn_filter extended permit ip any 10.104.0.0 255.255.0.0
aaa-server LDAP protocol ldap
 max-failed-attempts 5
aaa-server LDAP (inside) host company.com
 server-port 636
 ldap-base-dn DC=company, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=CiscoASALDAP, CN=Managed Service Accounts, DC=company, DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP_CORP
ldap attribute-map LDAP_MAP_CORP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=OBAdmins, OU=Domain Security Groups, DC=company, DC=com" OB_group
 map-value memberOf "CN=WebVPN, OU=Domain Security Groups, DC=company, DC=com" any_connect
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
 svc profiles anyconnectrdp disk0:/anyconnectrdp.xml
 svc enable
 tunnel-group-list enable
group-policy any_connect internal
group-policy any_connect attributes
 dns-server value 10.102.11.13 10.104.12.13
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FILTER
 default-domain value company.com
 split-dns none
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value anyconnectrdp
  svc ask none default svc
  file-browsing enable
group-policy OB_group internal
group-policy OB_group attributes
 dns-server value 10.102.11.13 10.104.12.13
 vpn-filter value ob_vpn_filter
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FILTER
 default-domain value company.com
 split-dns none
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value anyconnectrdp
  svc ask none default svc
  file-browsing enable
tunnel-group ssl_any_connect type remote-access
tunnel-group ssl_any_connect general-attributes
 address-pool ipsecadmin
 authentication-server-group LDAP
 default-group-policy any_connect
tunnel-group ssl_any_connect webvpn-attributes
 group-alias CORP_ANYCONNECT enable
12-11-2013 11:40 AM
Figured out the answer myself.
You need to create a group policy that denies access to everyone and put that in the tunnel-group as the default policy.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
Then you need to set vpn-simultaneous-logins on whatever other group-policies you create for AnyConnect, because it tries to inherit 0 from the NoAccess policy. This vexed me for some time.
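Putting the answer together as one fail-closed configuration, as an added example that is not the poster's own config: the tunnel-group defaults to a policy that permits zero sessions, so a user whose memberOf value does not match an entry in the attribute map is denied rather than silently landing in the any_connect policy, and every real policy sets vpn-simultaneous-logins explicitly so it does not inherit the 0. The policy and map names and the DN strings are taken from the thread; the value 3 for vpn-simultaneous-logins, the username jdoe and the host name in the test command are assumptions, and the AnyConnect image, profile and split-tunnel lines from the original are omitted as unrelated to assignment.

```cisco
! Added example, not the poster's configuration. Comments use the ASA "!" syntax.

! 1. Deny-by-default policy: anyone LDAP does not map to a real policy
!    lands here and is refused because zero concurrent sessions are allowed.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! 2. Real policies. vpn-simultaneous-logins is set explicitly in each one;
!    left unset it is inherited from the tunnel-group default (NoAccess),
!    which is 0, and the mapped user is still denied. The value 3 is an assumption.
group-policy any_connect internal
group-policy any_connect attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn
group-policy OB_group internal
group-policy OB_group attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn
 vpn-filter value ob_vpn_filter

! 3. Attribute map: memberOf -> IETF-Radius-Class -> group-policy name.
!    Each quoted string must match the memberOf value the directory actually
!    returns (visible in "debug ldap 255" output), and the right-hand side
!    must be the name of an existing group-policy, or the user falls through
!    to NoAccess.
ldap attribute-map LDAP_MAP_CORP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=OBAdmins, OU=Domain Security Groups, DC=company, DC=com" OB_group
 map-value memberOf "CN=WebVPN, OU=Domain Security Groups, DC=company, DC=com" any_connect

! 4. Tunnel-group: the default policy is NoAccess, so a policy assigned by
!    the LDAP map is the only way to a working session.
tunnel-group ssl_any_connect type remote-access
tunnel-group ssl_any_connect general-attributes
 address-pool ipsecadmin
 authentication-server-group LDAP
 default-group-policy NoAccess
tunnel-group ssl_any_connect webvpn-attributes
 group-alias CORP_ANYCONNECT enable

! 5. Verification from exec mode, without a client. With the LDAP debug on,
!    the test command prints the memberOf values returned by the directory
!    and which group-policy the map assigned, so a DN mismatch shows up
!    immediately. jdoe and the password are placeholders.
! asa# debug ldap 255
! asa# test aaa-server authentication LDAP host company.com username jdoe password <placeholder>
! asa# undebug all
! asa# show vpn-sessiondb anyconnect
```

Test with one account from each directory group and one account in neither: the first two should be assigned OB_group and any_connect respectively, and the third should authenticate successfully but be refused a session. A user who authenticates but gets "login denied" with the mapping visible in the debug output is almost always the inherited-zero case from step 2.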