
need help with vpn, freeradius and dap policies

james.randolph
Level 1

Hi,

We have an ASA 5505 and it's configured to use a Freeradius server that authenticates against openLDAP. I'm trying to configure Dynamic Access Policies to restrict access based upon what group a user belongs to. In LDAP I have an attribute called vpnaccess with values "systems" and "common". I've created an LDAP Attribute Map mapping vpnaccess to "Cisco IETF-Radius-Class" and mapped the two attribute values to Cisco Attribute Values. I think this is where I get hung up. I created a DAP policy with an AAA Attribute: Radius.25 = vpnAccess. When I connect it doesn't select my DAP policy but falls through and selects the DfltAccessPolicy, which I have configured to terminate the connection.

In ASDM under DAP I run Test Dynamic Access Policies...

it selects the correct DAP policy "CiscoMapPolicy", but when I use a client it runs the DfltAccessPolicy.

LUA session data tables:
------------------------
endpoint.application.clienttype    =    AnyConnect
aaa.radius.25    =    vpnAccess
aaa.radius.1    =    vpnAccess
aaa.radius.4242    =    vpnAccess
aaa.cisco.username    =    user-name
aaa.cisco.tunnelgroup    =    TGIVPN
aaa.ldap.memberOf    =    systems
aaa.ldap.vpnAccess    =    systems

Selected DAP records
--------------------
CiscoMapPolicy

The DAP policy contains the following attributes for user:
--------------------------------------------------------------------------
1: action = continue

Any ideas where I've gone wrong or can you point me in the right direction?

Thanks in advance.

Clients: SSL/AnyConnect

ASDM: 6.2

ASA: 8.2(1)
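To make the fall-through described in the question concrete, here is a small added model of DAP record selection (not Cisco's code and not from this thread): a record is selected when every attribute criterion it lists holds for the session, and DfltAccessPolicy applies only when no other record matches, with a terminate action winning over continue. The session dump is the constructed sample copied from the test output above; the record table is an assumption, and the "live" session that carries a different Class value is constructed to show where the default policy takes over.

```python
import re

# Constructed sample: the "LUA session data tables" dump from the question.
SESSION_DUMP = """\
endpoint.application.clienttype    =    AnyConnect
aaa.radius.25    =    vpnAccess
aaa.radius.1    =    vpnAccess
aaa.cisco.username    =    user-name
aaa.cisco.tunnelgroup    =    TGIVPN
aaa.ldap.memberOf    =    systems
aaa.ldap.vpnAccess    =    systems
"""

# Hypothetical DAP records: name -> (criteria, action). DfltAccessPolicy is the
# fallback the ASA applies when no other record is selected.
DAP_RECORDS = {
    "CiscoMapPolicy": ({"aaa.radius.25": "vpnAccess"}, "continue"),
    "DfltAccessPolicy": ({}, "terminate"),
}

def parse_session(dump):
    """Turn 'key    =    value' dump lines into a dict of session attributes."""
    session = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(.*?)\s*$", line)
        if m:
            session[m.group(1)] = m.group(2)
    return session

def select_records(session, records=DAP_RECORDS):
    """Names of non-default records whose criteria all match the session,
    or ['DfltAccessPolicy'] when nothing else matches."""
    selected = [name for name, (criteria, _) in records.items()
                if name != "DfltAccessPolicy"
                and all(session.get(k) == v for k, v in criteria.items())]
    return selected or ["DfltAccessPolicy"]

def resolve_action(session, records=DAP_RECORDS):
    """Aggregate the selected records: terminate if any of them terminates."""
    actions = {records[n][1] for n in select_records(session, records)}
    return "terminate" if "terminate" in actions else "continue"

if __name__ == "__main__":
    tested = parse_session(SESSION_DUMP)          # what the ASDM test saw
    live = dict(tested, **{"aaa.radius.25": "systems"})  # constructed live session
    for label, s in (("test", tested), ("live", live)):
        print(label, select_records(s), resolve_action(s))
```

Comparing the two runs shows the pattern in the question: a rule that matches the value typed into the ASDM test does nothing for a live session whose RADIUS Class attribute carries a different value or is absent, and DfltAccessPolicy then terminates the connection.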

1 Reply

Lee Valentin
Level 1

You can use the group lock command.

There's a post that describes how to configure it: https://supportforums.cisco.com/docs/DOC-1746

I also wrote about implementing it: http://ccsplab.ning.com/profiles/blogs/tunnel-group-lock-and-ldap