Securing AnyConnect with LDAP (attribute map)

Peter Long
Level 1

Hi,

I can't get this to work and have made a fundamental error? If I run a test authentication on the ASA it is successful (if the user is in the VPN-Users group or not), which is surprising?

Anyway AnyConnect fails to authenticate at all?

Config

ip local pool PNL-POOL-ANYCONNECT 192.168.199.1-192.168.199.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.199.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (DMZ,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.201.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.254.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.101.0 255.255.255.0
!
ldap attribute-map PNL-ATTRIBUTE-MAP
  map-name  memberOf Group-Policy
  map-value memberOf cn=VPN-Users,dc=pnl,dc=com PNL-GP-ANYCONNECT-ACCESS
!
aaa-server PNL-LDAP-SERVER protocol ldap
aaa-server PNL-LDAP-SERVER (inside) host 192.168.100.10
 ldap-base-dn dc=pnl,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Inf0sys1
 ldap-login-dn cn=asa,OU=ServiceAccounts,OU=PNL,dc=pnl,dc=com
 server-type auto-detect
 ldap-attribute-map PNL-ATTRIBUTE-MAP
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-4.0.00061-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 2
 anyconnect profiles PNL-Profile disk0:/pnl-profile.xml
 anyconnect enable
 tunnel-group-list enable
!
group-policy PNL-GP-NO-ACCESS internal
group-policy PNL-GP-NO-ACCESS attributes
 vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group PNL-LDAP-SERVER
!
tunnel-group PNL-TG-ANYCONNECT-ACCESS type remote-access
tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
 address-pool PNL-POOL-ANYCONNECT
 authentication-server-group PNL-LDAP-SERVER LOCAL
 default-group-policy PNL-GP-NO-ACCESS
!
tunnel-group PNL-TG-ANYCONNECT-ACCESS webvpn-attributes
 group-alias PNL-TG-ANYCONNECT-ACCESS enable

Debug

[11912] Session Start
[11912] New request Session, context 0xadeafea4, reqType = Authentication
[11912] Fiber started
[11912] Creating LDAP context with uri=ldap://192.168.100.10:389
[11912] Connect to LDAP server: ldap://192.168.100.10:389, status = Successful
[11912] supportedLDAPVersion: value = 3
[11912] supportedLDAPVersion: value = 2
[11912] LDAP server 192.168.100.10 is Active directory
[11912] Binding as asa
[11912] Performing Simple authentication for asa to 192.168.100.10
[11912] LDAP Search:
Base DN = [dc=pnl,dc=com ]
Filter = [sAMAccountName=pete.long]
Scope = [SUBTREE]
[11912] User DN = [CN=PeteLong,OU=Users,OU=PNL,DC=pnl,DC=com]
[11912] Talking to Active Directory server 192.168.100.10
[11912] Reading password policy for pete.long, dn:CN=PeteLong,OU=Users,OU=PNL,DC=pnl,DC=com
[11912] Read bad password count 0
[11912] Binding as pete.long
[11912] Performing Simple authentication for pete.long to 192.168.100.10
[11912] Processing LDAP response for user pete.long
[11912] Message (pete.long):
[11912] Authentication successful for pete.long to 192.168.100.10
[11912] Retrieved User Attributes:
[11912] objectClass: value = top
[11912] objectClass: value = person
[11912] objectClass: value = organizationalPerson
[11912] objectClass: value = user
[11912] cn: value = PeteLong
[11912] sn: value = Long
[11912] givenName: value = Pete
[11912] distinguishedName: value = CN=PeteLong,OU=Users,OU=PNL,DC=pnl,DC=com
[11912] instanceType: value = 4
[11912] whenCreated: value = 20160201213618.0Z
[11912] whenChanged: value = 20160201221027.0Z
[11912] displayName: value = Pete Long
[11912] uSNCreated: value = 25483
[11912] memberOf: value = CN=VPN-Users,DC=pnl,DC=com
[11912] mapped to Group-Policy: value = CN=VPN-Users,DC=pnl,DC=com
[11912] mapped to LDAP-Class: value = CN=VPN-Users,DC=pnl,DC=com
[11912] uSNChanged: value = 25511
[11912] name: value = PeteLong
[11912] objectGUID: value = .'b`.h.G..[.es..
[11912] userAccountControl: value = 66048
[11912] badPwdCount: value = 0
[11912] codePage: value = 0
[11912] countryCode: value = 0
[11912] badPasswordTime: value = 0
[11912] lastLogoff: value = 0
[11912] lastLogon: value = 0
[11912] pwdLastSet: value = 130988361782420738
[11912] primaryGroupID: value = 513
[11912] objectSid: value = ..................)'.-d.S...
[11912] accountExpires: value = 9223372036854775807
[11912] logonCount: value = 0
[11912] sAMAccountName: value = pete.long
[11912] sAMAccountType: value = 805306368
[11912] userPrincipalName: value = pete.long@pnl.com
[11912] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=pnl,DC=com
[11912] dSCorePropagationData: value = 16010101000000.0Z
[11912] lastLogonTimestamp: value = 130988382277464683
[11912] Fiber exit Tx=544 bytes Rx=2569 bytes, status=1
[11912] Session End

Operation timed out

Anyone got a clue?

Pete

10 Replies

Hi Pete,

If you are doing the test on the ASDM or ASA itself, it does not try to connect to any of the group-policies, so it will just authenticate to the server. Can you test the connection from AnyConnect, using alias: PNL-TG-ANYCONNECT-ACCESS.

It should apply the mapping and only let the users on the specified group to connect.

Let me know if you have any problem.

Jimmy C

That debug is from a failed connection with the AnyConnect client,

If I run a test 

test aaa-server authentication PNL-LDAP-SERVER host 192.168.100.10 username pete.long password notarealpassword

That works fine (As you have stated it should do).

But it won't authenticate my AnyConnect user.

Only one user (pete.long) is in the VPN-Users group.

Pete

Sebastian Velez
Level 1

Peter,

As you can see on the debug, the authentication for your user is successful:

[11912] Authentication successful for pete.long to 192.168.100.10

What is weird is that I don't see it being mapped to the group-policy:

[11912] mapped to Group-Policy: value = CN=VPN-Users,DC=pnl,DC=com

You should be seeing something like this:

[11912] mapped to Group-Policy: value = PNL-GP-ANYCONNECT-ACCESS

Could you access the Active Directory, open CMD and run the following commands:

dsquery user pete.long –samid

dsquery group (name of the group he belongs under AD) -samid
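
Added example (not part of the original posts and not Cisco tooling): a Python check for the symptom pointed out in the reply above, where the "mapped to Group-Policy" debug line still carries the raw memberOf DN instead of a group-policy name. The config and debug excerpts are copied from this thread; the function names are hypothetical, and the case-only comparison is reported as a fact about the two strings, not as a statement about how the ASA compares values.

```python
import re

# Constructed sample input: lines copied from the config and debug posted in this thread.
CONFIG = """\
ldap attribute-map PNL-ATTRIBUTE-MAP
  map-name  memberOf Group-Policy
  map-value memberOf cn=VPN-Users,dc=pnl,dc=com PNL-GP-ANYCONNECT-ACCESS
"""
DEBUG = """\
[11912] memberOf: value = CN=VPN-Users,DC=pnl,DC=com
[11912] mapped to Group-Policy: value = CN=VPN-Users,DC=pnl,DC=com
[11912] mapped to LDAP-Class: value = CN=VPN-Users,DC=pnl,DC=com
"""
DEBUG_LINE = re.compile(r"^\[\d+\] (mapped to )?([\w-]+): value = (.*)$")

def parse_attribute_map(config):
    """Return ({ldap_attr: asa_attr}, {ldap_attr: {ldap_value: asa_value}})."""
    names, values = {}, {}
    for line in config.splitlines():
        parts = line.split()  # assumption: the DN contains no spaces
        if len(parts) == 3 and parts[0] == "map-name":
            names[parts[1]] = parts[2]
        elif len(parts) == 4 and parts[0] == "map-value":
            values.setdefault(parts[1], {})[parts[2]] = parts[3]
    return names, values

def check_mapping(config, debug):
    """Classify each 'mapped to <ASA attr>' line that follows a mapped LDAP attribute."""
    names, values = parse_attribute_map(config)
    findings, raw = [], None  # raw = (ldap_attr, value) last seen in the debug
    for line in debug.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if not m:
            continue
        mapped, attr, value = m.groups()
        if not mapped:
            raw = (attr, value) if attr in names else None
        elif raw and names[raw[0]] == attr:
            table = values.get(raw[0], {})
            # "mapped": a configured ASA value; "unmapped": raw LDAP value passed through.
            status = ("mapped" if value in table.values()
                      else "unmapped" if value == raw[1] else "unknown")
            # String fact only: configured map-values equal to the raw value except for case.
            case_only = [k for k in table
                         if k != raw[1] and k.lower() == raw[1].lower()]
            findings.append({"ldap_attr": raw[0], "asa_attr": attr, "value": value,
                             "status": status, "case_only_diff": case_only})
    return findings
```

Run against the excerpts above, `check_mapping(CONFIG, DEBUG)` returns a single finding with status `unmapped`; the `mapped to LDAP-Class` line is skipped because the map only targets `Group-Policy`.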

I struggled with that syntax, was this what you meant?

C:\Users\Administrator>dsquery user -samid pete.long
"CN=PeteLong,OU=Users,OU=PNL,DC=pnl,DC=com"

C:\Users\Administrator>dsquery group -samid VPN-Users
"CN=VPN-Users,DC=pnl,DC=com"

Pete

Peter,

What happens if you enter the following command and try again with the same user:

map-value memberOf CN=PeteLong,OU=Users,OU=PNL,DC=pnl,DC=com PNL-GP-ANYCONNECT-ACCESS

Hi Sebastian

Then I don't even get debug output :)

Pete

Hi Sebastian

Once again thanks for your help. In the end I found it a lot easier to use LDAP and DAP to do the same thing. For anyone else having the same problem, here's how I fixed it.

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Pete

Sebastian Velez
Level 1

Pete,

Which OS version are you running on the ASA?

9.2(2) I think?

Pete,

Is the user a member of, let's say, Group A, and Group A is a member of Group B?

I found the following bug CSCso24147:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCso24147

Besides that, there is no other reason why the LDAP authentication is not working. Maybe you could move to a different version in order to see if it's a different bug.