Mapping of Group Policies on webvpn with LDAP server
05-24-2012 07:26 AM
Hi,
I am trying to configure role-based WebVPN with the help of an LDAP server and have configured all settings as per the document below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
The initial problem I am facing is that when I try to log in with the firewall's external IP address (https://10.x.x.x), it checks local authentication. We are not receiving a single hit on the LDAP server. If I add the LDAP authentication group under the default tunnel-group, it works, but not as per role-based access,
and in the second case, when I use the group URL https://10.x.x.x/market, I am able to log in successfully.
Please reply with your suggestions.
Regards
Rajesh
Labels: VPN

05-24-2012 11:27 PM
Can you please share your full config so we can check where the issue might be?
05-25-2012 09:31 AM
Please find the configuration for reference.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 143.1.2.1 255.255.255.128
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 143.1.2.1 255.255.254.0
!
interface Management0/0
nameif management
security-level 100
ip address 143.1.3.1 255.255.255.0
management-only
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 143.1.2.13
name-server 143.1.2.14
same-security-traffic permit intra-interface
object network obj-192.168.253.192
subnet 192.168.253.192 255.255.255.224
object network NETWORK_OBJ_192.168.128.0_25
subnet 192.168.128.0 255.255.255.128
access-list asd extended permit ip any any
access-list no-nat extended permit ip any 192.168.253.192 255.255.255.224
access-list auth extended deny udp any any eq domain
access-list auth extended deny tcp any any eq domain
access-list auth extended permit tcp any any eq www
access-list auth extended permit tcp any any eq https
access-list auth extended permit ip any any
access-list outbound extended permit ip any 192.168.28.0 255.255.255.128
access-list outbound extended deny ip any any
access-list marketing webtype permit url https://powerzone.cummins.com log default
access-list marketing webtype permit url https://documentum.cummins.com log default
access-list marketing webtype permit url https://access.cummins.com log default
access-list marketing webtype permit url ssh://143.1.2.6 log default
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 8192
logging monitor warnings
logging buffered debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 17
logging class auth buffered debugging
logging class webvpn buffered debugging
logging class dap buffered debugging
mtu outside 1500
mtu inside 1500
mtu EdTest 1500
mtu dmz 1500
mtu management 1500
ip local pool anyconnPool 192.168.28.1-192.168.28.127 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.128.0_25 NETWORK_OBJ_192.168.128.0_25
nat (inside,any) source static any any destination static obj-192.168.253.192 obj-192.168.253.192 unidirectional
!
access-group inbound in interface outside
access-group outbound out interface outside
access-group EdTest in interface EdTest
access-group dmz in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Ciscomap
map-name ismemberof Group-Policy
map-value ismemberof "cn=APPLIANCES_Users,ou=APP_APPLIANCES,ou=Application,dc=cummins,dc=com " marketing
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 146.x.1.1
key *****
authentication-port 1812
accounting-port 1813
aaa-server VPNRadius protocol radius
aaa-server VPNRadius (inside) host 143.1.1.40
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.130.67
ldap-base-dn dc=cummins,dc=com
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password *****
ldap-login-dn uid=HB127,ou=other,ou=people,dc=cummins,dc=com
server-type sun
ldap-attribute-map Ciscomap
eou allow none
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authorization exec authentication-server
http server enable
snmp-server contact HCL Firewall Operations
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Access Restricted Please provide User Name and Password
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=cidc-anyconnfw1
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate cb1f9b4d
30820203 3082016c a0030201 020204cb 1f9b4d30 0d06092a 864886f7 0d010105
05003046 31183016 06035504 03130f63 6964632d 616e7963 6f6e6e66 7731312a
30280609 2a864886 f70d0109 02161b63 6964632d 616e7963 6f6e6e66 77312e63
756d6d69 6e732e63 6f6d301e 170d3131 30343134 31343533 35375a17 0d323130
34313131 34353335 375a3046 31183016 06035504 03130f63 6964632d 616e7963
6f6e6e66 7731312a 30280609 2a864886 f70d0109 02161b63 6964632d 616e7963
6f6e6e66 77312e63 756d6d69 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 8181008c 0172f490 08a614c1 43a27497 71f9ef04
e51a11a2 16c2905e fb8f88c5 c77b789b c9a4b11e 43884f78 21050d63 1331a1c3
578bc6a5 9cba517b 7c5d2b47 2063c8cc 637db30a bff078d8 e7c67b6c e5836340
964f2e76 81f9f9e5 228b2f05 3fb8446e 91700970 0843cdb2 1d6bbce4 2369b39e
62588bc0 1207bf2f 8b3ab662 c5113302 03010001 300d0609 2a864886 f70d0101
05050003 8181005e d5b26ced 372f1f35 d451a759 074b8f62 463fb70e 99f9db26
c3082b96 dadc9eba 947dc999 f440164d 32cdacf6 fc4915b5 d76788a0 7e63aac0
7b3f8bd8 6d377563 491d015e 9f2b3036 b1efa81f 004d61a8 09d6db52 d4b468a6
362f31f1 9880af75 6bf28a9f 680186b9 c681e01d 05138dd6 630c0a72 fdba9675
dc354200 7b6afe
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 143.1.1.40 source inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/csd_3.6.181-k9.pkg
port-forward Market 21000 143.1.1.10 telnet
tunnel-group-list enable
group-policy webvpn1 internal
group-policy webvpn1 attributes
wins-server value 143.1.1.12
dns-server value 143.1.1.12
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Webvpn
http-proxy enable
anyconnect ask none default webvpn
smart-tunnel disable
file-entry enable
file-browsing enable
url-entry enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy_America_AnyConPSIII internal
group-policy GroupPolicy_America_AnyConPSIII attributes
wins-server value 143.1.1.12
dns-server value 143.1.1.12
vpn-tunnel-protocol l2tp-ipsec
default-domain value cummins.com
group-policy marketing internal
group-policy marketing attributes
wins-server value 143.1.1.12
dns-server value 143.1.1.12
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value access
filter value marketing
http-proxy enable
anyconnect ask none default webvpn
customization value market
smart-tunnel disable
file-entry enable
file-browsing enable
url-entry enable
group-policy amervpnconnect3 internal
group-policy amervpnconnect3 attributes
banner value This computer network and resources attached to it are intended for business use by Cummins Inc. employees and authorized representatives (contractors, suppliers, etc.). Any use is subject to the policies of Cummins Inc., including those relating to the treatment of others and inappropriate Internet usage. Failure to comply with all policies, procedures, and standards may be cause for disciplinary or legal action. Please exit immediately if you are not authorized to be here.
wins-server value 143.1.1.12
dns-server value 143.1.1.12
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelall
default-domain value cummins.com
group-policy Anyconn internal
group-policy Anyconn attributes
wins-server value 143.1.1.12
dns-server value 143.1.1.12
vpn-tunnel-protocol l2tp-ipsec
default-domain value cummins.com
username test password Kg/Rgy23do7gPGTv encrypted
username test attributes
service-type remote-access
username cisco password a8SLoAY7fke65jkx encrypted privilege 15
tunnel-group America_AnyConPSIII type remote-access
tunnel-group America_AnyConPSIII general-attributes
address-pool anyconnPool
authentication-server-group RADIUS
default-group-policy GroupPolicy_America_AnyConPSIII
tunnel-group America_AnyConPSIII webvpn-attributes
group-alias America_AnyConPSIII disable
group-alias aaaa disable
tunnel-group CIDC-ANYCONN type remote-access
tunnel-group CIDC-ANYCONN general-attributes
address-pool (outside) anyconnPool
address-pool anyconnPool
authentication-server-group VPNRadius
authentication-server-group (outside) VPNRadius
default-group-policy Anyconn
tunnel-group CIDC-ANYCONN webvpn-attributes
group-alias CIDC-ANYCONN disable
group-alias anyconn enable
group-url https://cidc-anyconn.cummins.com/anyconn enable
tunnel-group amervpnconnect3 type remote-access
tunnel-group amervpnconnect3 general-attributes
address-pool anyconnPool
authentication-server-group VPNRadius
default-group-policy amervpnconnect3
tunnel-group amervpnconnect3 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
authentication-server-group LDAP
authentication-server-group (outside) LDAP
default-group-policy webvpn1
tunnel-group webvpn webvpn-attributes
wins-server value 143.1.1.12 timeout 2 retry 2
dns-server value 143.1.1.12 timeout 2 retry 2
group-alias Webvpn1 enable
group-url https://10.1.1.1/Webvpn1 enable
tunnel-group marketing type remote-access
tunnel-group marketing general-attributes
authentication-server-group LDAP
default-group-policy marketing
tunnel-group marketing webvpn-attributes
customization market
wins-server value 143.1.1.12 timeout 2 retry 2
dns-server value 143.1.1.12 timeout 2 retry 2
group-alias Market enable
group-url https://10.1.1.1/market enable
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
description Block Instant Messaging
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map IM
class imblock
inspect im impolicy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5ed5727d9b7dc939b3b184ef83922781
: end
cidc-anyconnSLab#

05-25-2012 05:33 PM
The reason it doesn't work when you log in with https://10.x.x.x is that you have multiple tunnel-groups configured, and you have chosen to use group-url instead of an alias.
I can see that you have multiple tunnel-groups for SSL VPN, with some authenticating to a RADIUS server instead of LDAP. Are you planning to use those?
If not, you can just configure one tunnel-group and use the LDAP attribute-map to map users to the corresponding group-policy.
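Worked example of the single-tunnel-group approach the reply above describes. This is an added illustration written for this page, not configuration from the thread or from the Cisco document the original poster linked. It reuses the server, map and policy names from the posted config and assumes two names that are not on the page: a fallback group-policy called NoAccess and a second directory group cn=Webvpn_Users. Two details matter for the symptom in the original post. First, a browser that opens https://10.1.1.1/ without an alias or group-url lands in the built-in DefaultWEBVPNGroup, which authenticates against LOCAL unless an authentication-server-group is set on it; that is why no request ever reaches the LDAP server. Second, the map-value string must equal the isMemberOf value the directory returns byte for byte; the map-value in the posted config has a space before its closing quote, and if that space is really in the running config (not a paste artifact) the marketing policy will never be selected.

```cisco
! Added example, not from the thread: one SSL VPN entry point, LDAP authenticates,
! the attribute map chooses the group-policy, and users in no mapped group get nothing.
! Assumed names: group-policy "NoAccess", directory group "cn=Webvpn_Users,...".
!
! 1. Deny-by-default fallback. LDAP accepts the credentials, but a user whose
!    isMemberOf matches no map-value is placed here and cannot log in.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! 2. Attribute map. The server is Sun Directory (server-type sun in the posted
!    config), so the group attribute is isMemberOf, not memberOf. The quoted DN
!    must match the returned value exactly: no trailing space before the quote.
ldap attribute-map Ciscomap
 map-name ismemberof Group-Policy
 map-value ismemberof "cn=APPLIANCES_Users,ou=APP_APPLIANCES,ou=Application,dc=cummins,dc=com" marketing
 map-value ismemberof "cn=Webvpn_Users,ou=Application,dc=cummins,dc=com" webvpn1
!
! 3. The LDAP server group already in the posted config only needs the map bound.
aaa-server LDAP (inside) host 192.168.130.67
 ldap-attribute-map Ciscomap
!
! 4. The tunnel-group that https://10.1.1.1/ lands in when no alias or group-url
!    is chosen. At its defaults it authenticates against LOCAL; here it is pointed
!    at LDAP and given the NoAccess fallback.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess
!
! 5. The role policies themselves are unchanged; only the map decides which one
!    a user receives, so the webtype ACL stays attached to the marketing policy.
group-policy marketing attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value marketing
```

To confirm the mapping before exposing it, run test aaa-server authentication LDAP host 192.168.130.67 username <user> password <password> from enable mode, and with debug ldap 255 enabled the ASA prints the attribute it retrieved and the Group-Policy value it mapped it to; show vpn-sessiondb webvpn then shows the group-policy each live session received. Note that the other tunnel-groups in the posted config (webvpn and marketing with their own group-url, plus the RADIUS-backed AnyConnect groups) bypass this map entirely because the tunnel-group selected by URL or alias decides the authentication server and default policy; if they are not needed, remove them so the attribute map is the only path to a role.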
