SSL VPN authentication via external AAA

Greetings all

How can I exchange group policy for the users between an ASA and an external AAA (authentication via LDAP or RADIUS)?

Let's say I have user1 that I only want to use group policy "gpSales" for his VPN access. How can the ASA exchange this information with the RADIUS server or LDAP?

Thanks


6 Replies

Todd Pula
Level 7

Using RADIUS, you can implement the class attribute (attribute 25) to assign users to a particular group policy.  Please refer to the doc below.  For LDAP, you can use an LDAP attribute map in order to map an LDAP field to a RADIUS attribute that the ASA can understand.  For example, you could map the Department field in the LDAP user record to the RADIUS class attribute using an LDAP attribute map.

Group Policy Assignment w/ RADIUS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

Group Policy Assignment w/ LDAP:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Hi Todd

Thanks for the answer, but I think the document that you sent me is missing something for the LDAP integration.

I'm just confused about this:

Under the connection profile (where I have the link to use SSL), let's say https://SSL-VPN/management, I specify a group policy, which is management, and I can't leave it blank so the group policy can be assigned dynamically!!

So how can I set up my connection profile to use a dynamic group policy for the SSL VPN connection?

Thanks Todd

A connection profile is the combination of a tunnel group and group policy.  If you do not specify a more specific group policy, a tunnel group will default to the DfltGrpPolicy.  Configuring an LDAP attribute map can override the group policy assignment for users whose configured attribute matches the map statement.  In the example doc below, the LDAP memberOf attribute is referenced.  This attribute isn't always the best attribute to match because a user can be a member of multiple groups.  The ASA, by default, will only match on the first memberOf group in the list.  In any event, the LDAP attribute map is configured on the ASA and associated with the LDAP server definition.  This LDAP map associates the LDAP attribute (i.e. memberOf) to a RADIUS class attribute that the ASA understands.  For example, you can have a connection profile configured on the ASA called VPN which is associated with the DfltGrpPolicy.  You then configure two more specific group policies, Employee and Vendor.  The LDAP attribute map is configured so that a memberOf response of Employee associates the user to the ASA group policy Employee.  A memberOf response of Vendor will associate the user to the ASA Vendor group policy.  In both cases, the more specific dynamic group policy assignment overrides the default configured in the respective tunnel group.  This approach is common in scenarios where all users connect to the same alias or group URL but need to be assigned different policy attributes.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
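The configuration that the two replies above describe (group policies, an LDAP attribute map attached to the LDAP server definition, and a tunnel group whose default policy is overridden per user), written out as an added example. This is not configuration from the thread or from the linked Cisco documents; the server address 10.0.0.5, the bind account, the AD-LDAP/AD-TO-GP/NOACCESS/SSL-VPN names and the group URL are assumptions, and only the mapped DN and the venteGP name come from the thread. It maps memberOf to the Cisco Group-Policy attribute (the target that ended up working for the poster); on ASA releases before 8.2 the target would be IETF-Radius-Class instead.

```cisco
! Added example, not from the thread. Assumed values: LDAP server 10.0.0.5 on
! the inside interface, bind account CN=asa-bind,OU=service,DC=hli,DC=com,
! group policies venteGP and NOACCESS, tunnel group SSL-VPN.

! 1. Group policies. NOACCESS is the tunnel group's default: a user whose
!    memberOf value matches no map-value lands here and is refused
!    (0 simultaneous logins) instead of silently inheriting DfltGrpPolicy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy venteGP internal
group-policy venteGP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-simultaneous-logins 3

! 2. LDAP attribute map: translate the AD memberOf value into the Cisco
!    Group-Policy attribute. The DN in map-value must match the LDAP response
!    exactly (case, spacing, RDN order); only the first memberOf value
!    returned by the directory is evaluated.
ldap attribute-map AD-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=AccesVPN_IT,OU=securite,OU=_groupes,DC=hli,DC=com" venteGP

! 3. LDAP server definition with the map attached.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=hli,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=service,DC=hli,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-TO-GP

! 4. Connection profile. Everyone uses the same group URL; the per-user
!    group policy comes from the map, overriding default-group-policy.
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group SSL-VPN webvpn-attributes
 group-url https://SSL-VPN/management enable

! 5. Verify from the CLI before testing in a browser. The LDAP debug shows
!    the memberOf value the directory returned and the group policy it was
!    mapped to, which is the quickest way to spot a DN that does not match.
! asa# debug ldap 255
! asa# test aaa-server authentication AD-LDAP host 10.0.0.5 username user1 password <pw>
```

For the RADIUS case asked about in the original question, the same result is reached with no map at all: the RADIUS server returns IETF attribute 25 (Class) with the value `OU=gpSales;` (the trailing semicolon is part of the format), or the Cisco VSA Group-Policy with the value `gpSales`, and the ASA applies that group policy the same way the mapped LDAP value is applied here.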

Hi Todd

I have actually followed all the steps in the config examples:

this is my actual mapping:

CN=AccesVPN_IT,OU=securite,OU=_groupes,DC=hli,DC=com => venteGP

But when I'm connected via https://@IP and I enter my username and password, I can see that the LDAP has failed to map my profile to venteGP.

Please see the attached pic

Hi todd

I got it working by using the Cisco attribute Group-Policy and not the IETF one....

thanks

Glad to hear you got it working.  Please rate this post if you found it helpful.