Mapping of Group Policies on webvpn with LDAP server

rajesh.gogia
Level 1

Hi,

I am trying to configure role-based webvpn with the help of an LDAP server and have configured all settings as per the document details mentioned below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

The initial problem I am facing is that when I try to log in with the firewall's external IP address, https://10.x.x.x, it checks for local authentication. We are not receiving even a single hit on the LDAP server. If I add the LDAP authentication group under the default tunnel-group, it works, but not as per role-based access.

In the second case, when I use the group URL https://10.x.x.x/market, I am able to log in successfully.

Please reply with your suggestion.

Regards

Rajesh

3 Replies

Jennifer Halim
Cisco Employee

Can you please share your full config so we can check where the issue might be.

Please find the configuration for reference.

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 143.1.2.1 255.255.255.128
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 143.1.2.1 255.255.254.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 143.1.3.1 255.255.255.0
 management-only
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 143.1.2.13
 name-server 143.1.2.14
same-security-traffic permit intra-interface
object network obj-192.168.253.192
 subnet 192.168.253.192 255.255.255.224
object network NETWORK_OBJ_192.168.128.0_25
 subnet 192.168.128.0 255.255.255.128
access-list asd extended permit ip any any
access-list no-nat extended permit ip any 192.168.253.192 255.255.255.224
access-list auth extended deny udp any any eq domain
access-list auth extended deny tcp any any eq domain
access-list auth extended permit tcp any any eq www
access-list auth extended permit tcp any any eq https
access-list auth extended permit ip any any
access-list outbound extended permit ip any 192.168.28.0 255.255.255.128
access-list outbound extended deny ip any any
access-list marketing webtype permit url https://powerzone.cummins.com log default
access-list marketing webtype permit url https://documentum.cummins.com log default
access-list marketing webtype permit url https://access.cummins.com log default
access-list marketing webtype permit url ssh://143.1.2.6 log default
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 8192
logging monitor warnings
logging buffered debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 17
logging class auth buffered debugging
logging class webvpn buffered debugging
logging class dap buffered debugging
mtu outside 1500
mtu inside 1500
mtu EdTest 1500
mtu dmz 1500
mtu management 1500
ip local pool anyconnPool 192.168.28.1-192.168.28.127 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.128.0_25 NETWORK_OBJ_192.168.128.0_25
nat (inside,any) source static any any destination static obj-192.168.253.192 obj-192.168.253.192 unidirectional
!
access-group inbound in interface outside
access-group outbound out interface outside
access-group EdTest in interface EdTest
access-group dmz in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Ciscomap
  map-name  ismemberof Group-Policy
  map-value ismemberof "cn=APPLIANCES_Users,ou=APP_APPLIANCES,ou=Application,dc=cummins,dc=com " marketing
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 146.x.1.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server VPNRadius protocol radius
aaa-server VPNRadius (inside) host 143.1.1.40
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.130.67
 ldap-base-dn dc=cummins,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password *****
 ldap-login-dn uid=HB127,ou=other,ou=people,dc=cummins,dc=com
 server-type sun
 ldap-attribute-map Ciscomap
eou allow none
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authorization exec authentication-server
http server enable
snmp-server contact HCL Firewall Operations
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Access Restricted Please provide User Name and Password
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=cidc-anyconnfw1
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate cb1f9b4d
    30820203 3082016c a0030201 020204cb 1f9b4d30 0d06092a 864886f7 0d010105
    05003046 31183016 06035504 03130f63 6964632d 616e7963 6f6e6e66 7731312a
    30280609 2a864886 f70d0109 02161b63 6964632d 616e7963 6f6e6e66 77312e63
    756d6d69 6e732e63 6f6d301e 170d3131 30343134 31343533 35375a17 0d323130
    34313131 34353335 375a3046 31183016 06035504 03130f63 6964632d 616e7963
    6f6e6e66 7731312a 30280609 2a864886 f70d0109 02161b63 6964632d 616e7963
    6f6e6e66 77312e63 756d6d69 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 8181008c 0172f490 08a614c1 43a27497 71f9ef04
    e51a11a2 16c2905e fb8f88c5 c77b789b c9a4b11e 43884f78 21050d63 1331a1c3
    578bc6a5 9cba517b 7c5d2b47 2063c8cc 637db30a bff078d8 e7c67b6c e5836340
    964f2e76 81f9f9e5 228b2f05 3fb8446e 91700970 0843cdb2 1d6bbce4 2369b39e
    62588bc0 1207bf2f 8b3ab662 c5113302 03010001 300d0609 2a864886 f70d0101
    05050003 8181005e d5b26ced 372f1f35 d451a759 074b8f62 463fb70e 99f9db26
    c3082b96 dadc9eba 947dc999 f440164d 32cdacf6 fc4915b5 d76788a0 7e63aac0
    7b3f8bd8 6d377563 491d015e 9f2b3036 b1efa81f 004d61a8 09d6db52 d4b468a6
    362f31f1 9880af75 6bf28a9f 680186b9 c681e01d 05138dd6 630c0a72 fdba9675
    dc354200 7b6afe
  quit
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 143.1.1.40 source inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/csd_3.6.181-k9.pkg
 port-forward Market 21000 143.1.1.10 telnet
 tunnel-group-list enable
group-policy webvpn1 internal
group-policy webvpn1 attributes
 wins-server value 143.1.1.12
 dns-server value 143.1.1.12
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Webvpn
  http-proxy enable
  anyconnect ask none default webvpn
  smart-tunnel disable
  file-entry enable
  file-browsing enable
  url-entry enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy_America_AnyConPSIII internal
group-policy GroupPolicy_America_AnyConPSIII attributes
 wins-server value 143.1.1.12
 dns-server value 143.1.1.12
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cummins.com
group-policy marketing internal
group-policy marketing attributes
 wins-server value 143.1.1.12
 dns-server value 143.1.1.12
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value access
  filter value marketing
  http-proxy enable
  anyconnect ask none default webvpn
  customization value market
  smart-tunnel disable
  file-entry enable
  file-browsing enable
  url-entry enable
group-policy amervpnconnect3 internal
group-policy amervpnconnect3 attributes
 banner value This computer network and resources attached to it are intended for business use by Cummins Inc. employees and authorized representatives (contractors, suppliers, etc.). Any use is subject to the policies of Cummins Inc., including those relating to the treatment of others and inappropriate Internet usage. Failure to comply with all policies, procedures, and standards may be cause for disciplinary or legal action. Please exit immediately if you are not authorized to be here.
 wins-server value 143.1.1.12
 dns-server value 143.1.1.12
 vpn-idle-timeout 60
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 default-domain value cummins.com
group-policy Anyconn internal
group-policy Anyconn attributes
 wins-server value 143.1.1.12
 dns-server value 143.1.1.12
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cummins.com
username test password Kg/Rgy23do7gPGTv encrypted
username test attributes
 service-type remote-access
username cisco password a8SLoAY7fke65jkx encrypted privilege 15
tunnel-group America_AnyConPSIII type remote-access
tunnel-group America_AnyConPSIII general-attributes
 address-pool anyconnPool
 authentication-server-group RADIUS
 default-group-policy GroupPolicy_America_AnyConPSIII
tunnel-group America_AnyConPSIII webvpn-attributes
 group-alias America_AnyConPSIII disable
 group-alias aaaa disable
tunnel-group CIDC-ANYCONN type remote-access
tunnel-group CIDC-ANYCONN general-attributes
 address-pool (outside) anyconnPool
 address-pool anyconnPool
 authentication-server-group VPNRadius
 authentication-server-group (outside) VPNRadius
 default-group-policy Anyconn
tunnel-group CIDC-ANYCONN webvpn-attributes
 group-alias CIDC-ANYCONN disable
 group-alias anyconn enable
 group-url https://cidc-anyconn.cummins.com/anyconn enable
tunnel-group amervpnconnect3 type remote-access
tunnel-group amervpnconnect3 general-attributes
 address-pool anyconnPool
 authentication-server-group VPNRadius
 default-group-policy amervpnconnect3
tunnel-group amervpnconnect3 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
 authentication-server-group LDAP
 authentication-server-group (outside) LDAP
 default-group-policy webvpn1
tunnel-group webvpn webvpn-attributes
 wins-server value 143.1.1.12 timeout 2 retry 2
 dns-server value 143.1.1.12 timeout 2 retry 2
 group-alias Webvpn1 enable
 group-url https://10.1.1.1/Webvpn1 enable
tunnel-group marketing type remote-access
tunnel-group marketing general-attributes
 authentication-server-group LDAP
 default-group-policy marketing
tunnel-group marketing webvpn-attributes
 customization market
 wins-server value 143.1.1.12 timeout 2 retry 2
 dns-server value 143.1.1.12 timeout 2 retry 2
 group-alias Market enable
 group-url https://10.1.1.1/market enable
!
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 description Block Instant Messaging
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map IM
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5ed5727d9b7dc939b3b184ef83922781
: end
cidc-anyconnSLab#

The reason why it doesn't work when you log in with https://10.x.x.x is because you have multiple tunnel-groups configured, and you have chosen to use group-url instead of an alias.

I can see that you have multiple tunnel-groups for SSL VPN, with some authenticating to a RADIUS server instead of LDAP. Are you planning to use those?

If not, you can just configure one tunnel-group and use the LDAP attribute-map to map them to the corresponding group-policy.
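The single-tunnel-group layout the reply above describes, written out as an added example; it is not configuration from the original post, from Jennifer's reply, or from the linked Cisco document. It reuses the server tag LDAP, the attribute map Ciscomap and the group-policies marketing and webvpn1 from the posted config; the second group DN (cn=FINANCE_Users,...) and the NoAccess policy are constructed placeholders. Two points worth checking against the posted config: the map-value line there has a space before the closing quote (`dc=com "`), and the ASA compares the configured string with the attribute value the directory returns, so a stray trailing space would prevent the match; and the alias drop-down only appears on the login page when `tunnel-group-list enable` is present under `webvpn`, which it is.

```cisco
! Added example (not from the original post): one clientless tunnel-group,
! final group-policy chosen from the LDAP group the user belongs to.
! cn=FINANCE_Users,... and the NoAccess policy are constructed placeholders.

ldap attribute-map Ciscomap
 map-name  ismemberof Group-Policy
 map-value ismemberof "cn=APPLIANCES_Users,ou=APP_APPLIANCES,ou=Application,dc=cummins,dc=com" marketing
 map-value ismemberof "cn=FINANCE_Users,ou=APP_FINANCE,ou=Application,dc=cummins,dc=com" webvpn1

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.130.67
 ldap-base-dn dc=cummins,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password *****
 ldap-login-dn uid=HB127,ou=other,ou=people,dc=cummins,dc=com
 server-type sun
 ldap-attribute-map Ciscomap

! Users who authenticate but match no map-value fall back to the
! tunnel-group default; make that default deny the session outright.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

webvpn
 enable outside
 tunnel-group-list enable

! One tunnel-group for all clientless users. The ASA replaces the
! default-group-policy with whatever the attribute map returns in
! Group-Policy, so the per-role tunnel-groups and group-urls are not needed.
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess
tunnel-group webvpn webvpn-attributes
 group-alias Webvpn1 enable

! Verification from the CLI, without a browser:
! test aaa-server authentication LDAP host 192.168.130.67 username USERNAME password PASSWORD
! debug ldap 255
! show vpn-sessiondb webvpn
```

The `test aaa-server` command exercises the bind and search on its own, and `debug ldap 255` prints the attribute values the directory returns, which is the quickest way to confirm the exact ismemberof string before comparing it with the map-value. After a real login, `show vpn-sessiondb webvpn` lists the group-policy the session ended up with, so a user landing in NoAccess tells you the map did not match rather than that authentication failed.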
