Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4706
Views
0
Helpful
2
Replies

Locking down Anyconnect authentication to AD Group

Go to solution
Jeffrey Warn
Level 1
Level 1

‎11-29-2011 01:13 PM - edited ‎02-21-2020 05:44 PM

I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2

I've found the documentation on how to prevent logins using the  msNPAllowDialin attribute, but not how to base it on group membership (memberOf)

This is what I have configured:

ldap attribute-map AllowVPN
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Users,OU=Groups,OU=City,OU=Country,DC=us,DC=mydom,DC=net" TESTGROUP

aaa-server ADAUTH (inside) host 10.1.1.1
 server-port 389
 ldap-base-dn DC=us,DC=mydom,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Public,OU=Service,OU=City,OU=Country,DC=us,DC=mydom,DC=net
 server-type microsoft
ldap-attribute-map AllowVPN

Do I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎11-29-2011 04:01 PM

Jeff (if I may),

You can do terminate/continue/banner options based on information received during different phases in DAP.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Note "figured 6" indicating usage of "memberOf".

It requires some testing but DAP looks to me like a natural way to go.

Marcin

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎11-29-2011 04:01 PM

Jeff (if I may),

You can do terminate/continue/banner options based on information received during different phases in DAP.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Note "figured 6" indicating usage of "memberOf".

It requires some testing but DAP looks to me like a natural way to go.

Marcin

0 Helpful

Go to solution
Jeffrey Warn
Level 1
Level 1
In response to Marcin Latosiewicz

‎11-30-2011 08:13 AM

Thanks, DAP does seem to be the way to go with this. I found a similar article to what you posted last night which confirmed the same type of screenshots.

I will just have to set time aside to update my policies on my ASA to take advantage of this. I guess as a best practice in the future, I need to make sure I update the DfltAccessPolicy to Terminate from the start, because I have a number of production services on my ASA which could be effected if I do change it now.

Thanks!

Jeff

0 Helpful
Customers Also Viewed These Support Documents