
SSL VPN Group-Lock problem

mbsshoards
Level 1

Hi,

I am trying to lock groups to a specific tunnel group, but unfortunately, no matter what I do, the group-lock feature doesn't seem to work. Basically, here is what I want to do:

1-User details are pulled from AD through LDAP
2-The AD group is mapped to the appropriate group on the ASA using attribute mapping
3-The user should only use the tunnel that he/she is locked to
4-This should all be done without the user needing to select a group in the VPN portal
5-We will be using AnyConnect and the VPN portal for communication

All works fine except the group-lock feature. If it is enabled and set to "group-lock value NET_ADMIN_G", I get the following error in debug webvpn and the user is not allowed in.

webvpn_auth.c:http_webvpn_post_authentication[1503]
WebVPN: user: (test) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2905]
User came in on group he wasn't supposed to come in on!

When it is removed, no matter what I do, the user is mapped to the DefaultWEBVPNGroup tunnel group:

SSLVPN(config-group-policy)# sho vpn-sessiondb webvpn

Session Type: WebVPN

Username     : test      Index        : 132
Public IP    : 10.1.1.1
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)AES256  Hashing      : Clientless: (1)SHA1
Bytes Tx     : 252897                 Bytes Rx     : 48894
Group Policy : NET_ADMIN              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 11:18:13 EDT Fri Mar 22 2013
Duration     : 0h:01m:12s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

The ASA is on 9.11.4.

Group policy:

group-policy NET_ADMIN internal
group-policy NET_ADMIN attributes
wins-server none
dns-server value 2.2.2.2
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-session-timeout alert-interval 25
vpn-filter value VPN_SPLIT_TUNNEL
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
password-storage disable
ip-comp enable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value brightstarcorp.com
split-dns value brightstarcorp.com
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn value svgmelb.au.brightstarcorp.com
leap-bypass disable
nem disable
backup-servers clear-client-config
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value SSL_POOL
ipv6-address-pools none
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
  url-list value NETADMIN_BOOKMARK
  filter value INTERNAL_WEBACL
  homepage use-smart-tunnel
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value posture
  anyconnect profiles value net_admin_p type user
  anyconnect ask none default webvpn
  customization value NETADMIN_PORTAL
  hidden-shares visible
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  anyconnect ssl df-bit-ignore disable
  always-on-vpn profile-setting
  auto-signon allow uri * auth-type all

Tunnel group:

tunnel-group NET_ADMIN_G type remote-access
tunnel-group NET_ADMIN_G general-attributes
address-pool SSL_POOL
authentication-server-group LDAP
authorization-server-group LDAP
accounting-server-group RGROUPADMIN
default-group-policy NET_ADMIN
authorization-required
tunnel-group NET_ADMIN_G webvpn-attributes
customization NETADMIN_PORTAL
group-alias infra_network enable
group-url https://x.x.x.x/network enable
dns-group DNSGROUP

Any ideas?

Thanks in advance

6 Replies

Hi

Please include "debug ldap 255" and "debug aaa common 255".

Thanks.

Portu.

Hi Portu,

Here's the debug ldap output:

SLVPN#
[553] Session Start
[553] New request Session, context 0x00007fff33beb228, reqType = Authentication
[553] Fiber started
[553] Creating LDAP context with uri=ldap://1.1.1.13:389
[553] Connect to LDAP server: ldap://1.1.1.13:389, status = Successful
[553] supportedLDAPVersion: value = 3
[553] supportedLDAPVersion: value = 2
[553] Binding as bind
[553] Performing Simple authentication for test to 1.1.1.13
[553] LDAP Search:
Base DN = [OU=xx ENTERPRISE,DC=xxx,DC=com]
Filter  = [sAMAccountName=test]
Scope   = [SUBTREE]
[553] User DN = [CN=test,OU=Users,OU=xx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com]
[553] Talking to Active Directory server 1.1.1.13
[553] Reading password policy for test, dn:CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com
[553] Read bad password count 0
[553] Binding as test
[553] Performing Simple authentication for test to 1.1.1.13
[553] Processing LDAP response for user test
[553] Message (test):
[553] Authentication successful for test to 1.1.1.13
[553] Retrieved User Attributes:
[553] objectClass: value = top
[553] objectClass: value = person
[553] objectClass: value = organizationalPerson
[553] objectClass: value = user
[553] cn: value = test
[553] sn: value =
[553] c: value = AU
[553] l: value = xxx
[553] st: value = xxx
[553] title: value = test user  / IT
[553] description: value = Network
[553] postalCode: value = xxx
[553] physicalDeliveryOfficeName: value = xxx
[553] telephoneNumber: value = xxx
[553] givenName: value = test
[553] distinguishedName: value = CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=br
[553] instanceType: value = 4
[553] whenCreated: value = 20110327224420.0Z
[553] whenChanged: value = 20130319223953.0Z
[553] displayName: value = test
[553] uSNCreated: value = 84454809
[553] memberOf: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] memberOf: value = CN=Networks,OU=Distribution Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = NET_ADMIN
[553] mapped to LDAP-Class: value = NET_ADMIN
[553] memberOf: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate
[553] mapped to IETF-Radius-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com

aaa common debug:

AAA API: In aaa_open
AAA session opened: handle = 3
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LDAP)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authentication Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
AAA_NextFunction: authen svr = BSTAR_LDAP, author svr = LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_USER_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating user group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
User Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
AAA FSM: In AAA_InitTransaction
Initiating authorization query (Svr Grp: LDAP)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authorization Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
AAA_NextFunction: author svr = BSTAR_LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_AUTH_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating authorization group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authorization Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTH_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DfltGrpPolicy)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DfltGrpPolicy
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up DfltGrpPolicy
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
Class attribute created from LDAP-Class attribute
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
Checking simultaneous login restriction (max allowance=3) for user test
AAA FSM: In AAA_Callback
user attributes:
  1     User-Name(1)      6    "test"
  2     User-Password(2)     10    (hidden)
  3     Group-Policy(4121)      9    "NET_ADMIN"
  4     AAA-AVP-Table(4243)    11268    "[04],[00][00]t[00][00][00][F8][03][00][00][0F][04][00]"
  5     LDAP-Class(20520)     10    "NET_ADMIN[00]"
  6     LDAP-Class(20520)     11    "USERS[00]"
//..//
user policy attributes:
  1     Filter-Id(11)      8    "VPN_SPLIT_TUNNEL"
  2     Session-Timeout(27)      4    0
  3     Idle-Timeout(28)      4    30
  4     Access-Hours(4097)      0    0x00007fff35d685e0   ** Unresolved Attribute **
  5     Simultaneous-Logins(4098)      4    3
  6     Primary-DNS(4101)      4    IP: 1.1.1.13
  7     Secondary-DNS(4102)      4    IP: 1.1.1.30
  8     Primary-WINS(4103)      4    IP: 0.0.0.0
  9     Secondary-WINS(4104)      4    IP: 0.0.0.0
 10     Tunnelling-Protocol(4107)      4    52
 11     Banner(4111)    446    "This is a PRIVATE computer system, which may be acces"
 12     Store-PW(4112)      4    0
 13     Split-Tunnel-Inclusion-List(4123)      8    "VPN_SPLIT_TUNNEL"
 14     Default-Domain-Name(4124)     18    "xxxxcorp.com"
 15     Secondary-Domain-Name-List(4125)     18    "xxxxcorp.com"
 16     Nat-Enabled-IPSec(4130)      4    0
 17     IPSec-UDP-Port(4131)      4    10000
 18     IPComp(4135)      4    1
 19     Authentication-On-Rekey(4138)      4    0
 20     Required-Firewall-Vendor-Code(4141)      0    0x0000000002e006b0   ** Unresolved Attribute **
 21     Required-Firewall-Product-Code(4142)      0    0x0000000002e006b0   ** Unresolved Attribute **
 22     Required-Firewall-Description(4143)      0    0x00007fff35d687fa   ** Unresolved Attribute **
 23     Secure-unit-config(4144)      4    0
 24     Individual-user-auth-config(4145)      4    0
 25     User-auth-idle-timeout(4146)      4    0
 26     Cisco-IP-telephony-config(4147)      4    0
 27     Split-Tunneling-Policy(4151)      4    1
 28     Required-Firewall-Capability(4152)      0    0x0000000002e006b0   ** Unresolved Attribute **
 29     Client Firewall Optional(4154)      0    0x0000000002e006b0   ** Unresolved Attribute **
 30     Backup-Ip-Sec-Peers-Enabled(4155)      4    2
 31     Network-Extension-Mode-Allowed(4160)      4    0
 32     URL list name(4167)     17    "NETADMIN_BOOKMARK"
 33     ACL-like filters(4169)      8    "INTERNAL_WEBACL"
 34     Cisco-LEAP-Passthrough-config(4171)      4    0
 35     IKE Client Type and Version Limiting policy rules(4173)      0    0x00007fff35d68835   ** Unresolved Attribute **
 36     IE-Proxy-Server-Method(4177)      4    1
 37     The tunnel group that tunnel must be associated with(4181)     11    "NET_ADMIN_G"
 38     User ACL for inbound traffic(4182)      8    ""
 39     User ACL for outbound traffic(4183)      8    ""
 40     Indicates whether or not PFS is required for IPSec(4184)      4    0
 41     WebVPN URL Entry enable(4189)      4    1
 42     WebVPN File Server Entry enable(4191)      4    1
 43     WebVPN File Server Browsing enable(4192)      4    1
 44     WebVPN SVC Keep enable(4201)      4    1
 45     WebVPN SVC Keepalive interval(4203)      4    20
 46     WebVPN SVC Client DPD period(4204)      4    30
 47     WebVPN SVC Gateway DPD period(4205)      4    30
 48     WebVPN SVC Rekey period(4206)      4    0
 49     WebVPN SVC Rekey method(4207)      4    0
 50     WebVPN SVC Compression(4208)      4    2
 51     WebVPN Customization(4209)     15    "NETADMIN_PORTAL"
 52     WebVPN Deny message(4212)    180    "Login was successful, but because certain criteria ha"
 53     WebVPN SVC DTLS Compression(4213)      4    2
 54     Extended Authentication-On-Rekey(4218)      4    0
 55     WebVPN SVC DTLS enable(4219)      4    1
 56     WebVPN SVC MTU(4221)      4    1406
 57     CIFS hidden shares(4222)      4    1
 58     CVC-Modules(4223)      7    "posture"
 59     CVC-Profile(4224)     17    "net_admin_p#user,"
 60     CVC-Ask(4227)      4    4
 61     CVC-Ask-Timeout(4228)      4    0
 62     WebVPN ActiveX Relay(4233)      4    1
 63     VLAN ID(4236)      4    0
 64     NAC Settings(4237)      0    0x00007fff35d68985   ** Unresolved Attribute **
 65     WebVPN Session timeout alert interval(4245)      4    25
 66     List of address pools to assign addresses from(4313)     13    "SSL_POOL"
 67     List of IPv6 address pools to assign addresses from(4314)      0    0x00007fff35d68998   ** Unresolved Attribute **
 68     Smart tunnel on home page enable(4324)      4    1
 69     Disable Always-On VPN(4325)      4    0
 70     SVC ignore DF bit(4326)      4    0
 71     Client Bypass Protocol(4331)      4    0
 72     Gateway FQDN(4333)     29    "xxx.xxxxcorp.com"
 73     CA URL for SCEP enrollment(20530)      0    0x00007fff35d689c7   ** Unresolved Attribute **
tunnel policy attributes:
  1     Filter-Id(11)      8    "VPN_SPLIT_TUNNEL"
  2     Session-Timeout(27)      4    0
  3     Idle-Timeout(28)      4    30
  4     Access-Hours(4097)      0    0x00007fff351cddd0   ** Unresolved Attribute **
  5     Simultaneous-Logins(4098)      4    0
  6     Primary-DNS(4101)      4    IP: 10.125.3.7
  7     Secondary-DNS(4102)      4    IP: 10.125.3.5
  8     Primary-WINS(4103)      4    IP: 0.0.0.0
  9     Secondary-WINS(4104)      4    IP: 0.0.0.0
 10     Tunnelling-Protocol(4107)      4    124
 11     Banner(4111)    446    "This is a PRIVATE computer system, which may be acces"
 12     Store-PW(4112)      4    0
 13     Group-Policy(4121)     13    "DfltGrpPolicy"
 14     Split-Tunnel-Inclusion-List(4123)      8    "VPN_SPLIT_TUNNEL"
 15     Default-Domain-Name(4124)     18    "xxxxcorp.com"
 16     Secondary-Domain-Name-List(4125)      0    0x00007fff351cdfc7   ** Unresolved Attribute **
 17     Nat-Enabled-IPSec(4130)      4    0
 18     IPSec-UDP-Port(4131)      4    10000
 19     IPComp(4135)      4    0
 20     Authentication-On-Rekey(4138)      4    0
 21     Secure-unit-config(4144)      4    0
 22     Individual-user-auth-config(4145)      4    0
 23     User-auth-idle-timeout(4146)      4    30
 24     Cisco-IP-telephony-config(4147)      4    0
 25     Split-Tunneling-Policy(4151)      4    1
 26     Client Firewall Optional(4154)      0    0x00007fff351cdfec   ** Unresolved Attribute **
 27     Backup-Ip-Sec-Peers-Enabled(4155)      4    1
 28     Group-giaddr(4157)      4    IP: 0.0.0.0
 29     Intercept-DHCP-Configure-Msg(4158)      4    0
 30     Client-Subnet-Mask(4159)      4    IP: 255.255.255.255
 31     Network-Extension-Mode-Allowed(4160)      4    0
 32     WebVPN Content Filter Parameters(4165)      4    0
 33     WebVPN Parameters configuration(4166)      4    1
 34     URL list name(4167)      0    0x00007fff351ce008   ** Unresolved Attribute **
 35     Forwarded ports(4168)      0    0x00007fff351ce009   ** Unresolved Attribute **
 36     ACL-like filters(4169)      8    "INTERNAL_WEBACL"
 37     Cisco-LEAP-Passthrough-config(4171)      4    0
 38     Default WebVPN homepage(4172)      0    0x00007fff351ce016   ** Unresolved Attribute **
 39     IKE Client Type and Version Limiting policy rules(4173)      0    0x00007fff351ce017   ** Unresolved Attribute **
 40     Application Access Name(4175)     18    "Application Access"
 41     IE-Proxy-Server(4176)      0    0x00007fff351ce02b   ** Unresolved Attribute **
 42     IE-Proxy-Server-Method(4177)      4    1
 43     IE-Proxy-Server-Exceptions(4178)      0    0x00007fff351ce030   ** Unresolved Attribute **
 44     IE-Proxy-Server-Bypass-Local(4179)      4    0
 45     The tunnel group that tunnel must be associated with(4181)      0    0x00007fff351ce035   ** Unresolved Attribute **
 46     Indicates whether or not PFS is required for IPSec(4184)      4    0
 47     NAC Enable/Disable(4185)      4    0
 48     NAC Status Query Timer(4186)      4    300
 49     NAC Revalidation Timer(4187)      4    36000
 50     NAC Default ACL(4188)      8    ""
 51     WebVPN URL Entry enable(4189)      4    0
 52     WebVPN File Server Entry enable(4191)      4    0
 53     WebVPN File Server Browsing enable(4192)      4    0
 54     WebVPN Port Forwarding enable(4193)      4    0
 55     WebVPN Port Forwarding Exchange Proxy enable(4194)      4    0
 56     WebVPN Port Forwarding HTTP Proxy enable(4195)      4    0
 57     WebVPN SVC enable(4199)      4    0
 58     WebVPN SVC Required enable(4200)      4    0
 59     WebVPN SVC Keep enable(4201)      4    0
 60     WebVPN SVC Keepalive interval(4203)      4    20
 61     WebVPN SVC Client DPD period(4204)      4    30
 62     WebVPN SVC Gateway DPD period(4205)      4    30
 63     WebVPN SVC Rekey period(4206)      4    0
 64     WebVPN SVC Rekey method(4207)      4    0
 65     WebVPN SVC Compression(4208)      4    2
 66     WebVPN Customization(4209)      0    0x00007fff351ce08a   ** Unresolved Attribute **
 67     Single Sign On Server Name(4210)      0    0x00007fff351ce08b   ** Unresolved Attribute **
 68     WebVPN SVC Firewall Rule(4211)     17    "private#,public#,"
 69     WebVPN Deny message(4212)    180    "Login was successful, but because certain criteria ha"
 70     WebVPN SVC DTLS Compression(4213)      4    2
 71     HTTP compression method(4216)      4    0
 72     Maximum object size to ignore for updating the session timer(4217)      4    4
 73     Extended Authentication-On-Rekey(4218)      4    0
 74     WebVPN SVC DTLS enable(4219)      4    1
 75     WebVPN SVC MTU(4221)      4    1406
 76     CIFS hidden shares(4222)      4    0
 77     CVC-Modules(4223)     20    "dart,vpngina,posture"
 78     CVC-Profile(4224)     15    "IPSEC_VPN#user,"
 79     CVC-IKE-Retry-Timeout(4225)      4    10
 80     CVC-IKE-Retry-Count(4226)      4    3
 81     CVC-Ask(4227)      4    2
 82     CVC-Ask-Timeout(4228)      4    0
 83     IE-Proxy-Pac-URL(4229)      0    0x00007fff351ce1a4   ** Unresolved Attribute **
 84     IE-Proxy-Lockdown(4230)      4    1
 85     WebVPN Smart Tunnel(4232)      0    0x00007fff351ce1a9   ** Unresolved Attribute **
 86     WebVPN ActiveX Relay(4233)      4    1
 87     WebVPN Smart Tunnel Auto Download enable(4234)      4    0
 88     WebVPN Smart Tunnel Auto Sign On enable(4235)      0    0x00007fff351ce1b2   ** Unresolved Attribute **
 89     VLAN ID(4236)      4    0
 90     NAC Settings(4237)      0    0x00007fff351ce1b7   ** Unresolved Attribute **
 91     MemberOf(4241)      0    0x00007fff351ce1b8   ** Unresolved Attribute **
 92     WebVPN Idle timeout alert interval(4244)      4    1
 93     WebVPN Session timeout alert interval(4245)      4    1
 94     Maximum object size for download(4253)      4    2147483647
 95     Maximum object size for upload(4254)      4    2147483647
 96     Maximum object size for post(4255)      4    2147483647
 97     User storage(4256)      0    0x00007fff351ce1cd   ** Unresolved Attribute **
 98     User storage objects(4257)     19    "cookies,credentials"
 99     User storage shared key(4258)      0    0x00007fff351ce1e2   ** Unresolved Attribute **
100     VDI configuration(4259)      0    0x00007fff351ce1e3   ** Unresolved Attribute **
101     NAC Exception List(4312)      4    0
102     List of address pools to assign addresses from(4313)      0    0x00007fff351ce1e8   ** Unresolved Attribute **
103     List of IPv6 address pools to assign addresses from(4314)      0    0x00007fff351ce1e9   ** Unresolved Attribute **
104     IPv6 filter-id(4315)      8    ""
105     WebVPN Unix user ID(4317)      4    65534
106     WebVPN Unix group ID(4318)      4    65534
107     Disconnect VPN tunnel when a Smartcard is removed(4321)      4    1
108     WebVPN Smart Tunnel Tunnel Policy(4323)      0    0x00007fff351ce1fe   ** Unresolved Attribute **
109     Disable Always-On VPN(4325)      4    1
110     SVC ignore DF bit(4326)      4    0
111     SVC client routing/filtering ignore(4327)      4    0
112     Configure the behaviour of DNS queries by the client when Split tunneling is enabled(4328)      4    0
113     Client Bypass Protocol(4331)      4    0
114     IPv6-Split-Tunneling-Policy(4332)      4    0
115     Gateway FQDN(4333)      0    0x00007fff351ce217   ** Unresolved Attribute **
116     CA URL for SCEP enrollment(20530)      0    0x00007fff351ce218   ** Unresolved Attribute **
Auth Status = ACCEPT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 3
In aaai_close_session (3)

Thanks,

I just checked the configuration and problem description and I read something different this time.

From your post:

4-This should all be done without the user needing to select a group in the VPN portal

This is not going to be possible unless one of the following features is used:

1- Group-url

2- Group-alias

3- Certificate authentication + certificate mapping

If none of the above is used, then there is no way to hit any other tunnel-group than the default one.

So, you need to make a decision and pick one of those.

HTH.

Portu.
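To make the answer above concrete, here is an added Python model of the behaviour seen in this thread; it is not Cisco ASA code and not from any poster. It selects a tunnel group only from a certificate map, a matching group-url or a chosen group-alias, falls back to DefaultWEBVPNGroup otherwise, and only then applies the LDAP-mapped group policy's group-lock. The class and function names, and the order in which the three selectors are tried, are this example's own assumptions.

```python
"""Model of how an ASA picks the tunnel group (connection profile) for an
SSL VPN login and then enforces the group policy's "group-lock".

Added illustration for this thread, not Cisco ASA code. All names below are
this example's own; the selector order is an assumption of the model."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_WEBVPN_GROUP = "DefaultWEBVPNGroup"


@dataclass
class TunnelGroup:
    name: str
    default_group_policy: str
    group_urls: List[str] = field(default_factory=list)     # "group-url ... enable"
    group_aliases: List[str] = field(default_factory=list)  # "group-alias ... enable"


@dataclass
class GroupPolicy:
    name: str
    group_lock: Optional[str] = None   # "group-lock value <tunnel-group>"


@dataclass
class LoginRequest:
    url: str                                 # URL the client connected to
    alias: Optional[str] = None              # alias chosen in the portal drop-down
    cert_mapped_group: Optional[str] = None  # result of a certificate map, if any


def select_tunnel_group(req: LoginRequest, tunnel_groups: List[TunnelGroup]) -> str:
    """Return the tunnel group the login lands on.

    Only a certificate map, a matching group-url or a chosen group-alias can
    steer the session; an LDAP attribute map never does. With none of the
    three, the session falls into DefaultWEBVPNGroup, as in the thread."""
    if req.cert_mapped_group:
        return req.cert_mapped_group
    wanted = req.url.rstrip("/").lower()
    for tg in tunnel_groups:
        if any(wanted == u.rstrip("/").lower() for u in tg.group_urls):
            return tg.name
    if req.alias:
        for tg in tunnel_groups:
            if req.alias in tg.group_aliases:
                return tg.name
    return DEFAULT_WEBVPN_GROUP


def group_lock_allows(policy: GroupPolicy, tunnel_group: str) -> bool:
    """The check behind "User came in on group he wasn't supposed to come in on!"."""
    return policy.group_lock is None or policy.group_lock == tunnel_group


def evaluate_login(req: LoginRequest, tunnel_groups: List[TunnelGroup],
                   ldap_mapped_policy: GroupPolicy) -> Tuple[str, bool, str]:
    """Return (tunnel group used, allowed?, reason) for one login attempt.

    ldap_mapped_policy is the group policy the LDAP attribute map returned
    (NET_ADMIN in the thread); it is applied after the tunnel group is fixed."""
    tg = select_tunnel_group(req, tunnel_groups)
    if group_lock_allows(ldap_mapped_policy, tg):
        return tg, True, "group-lock satisfied"
    return tg, False, f"group-lock value {ldap_mapped_policy.group_lock} but session is on {tg}"


def thread_setup() -> Tuple[List[TunnelGroup], GroupPolicy]:
    """Objects built from the configuration posted in the thread."""
    net_admin_g = TunnelGroup(
        name="NET_ADMIN_G",
        default_group_policy="NET_ADMIN",
        group_urls=["https://x.x.x.x/network"],
        group_aliases=["infra_network"],
    )
    net_admin = GroupPolicy(name="NET_ADMIN", group_lock="NET_ADMIN_G")
    return [net_admin_g], net_admin


if __name__ == "__main__":
    groups, policy = thread_setup()
    # Plain portal login, no alias chosen: lands in the default group and is rejected.
    print(evaluate_login(LoginRequest(url="https://x.x.x.x/"), groups, policy))
    # Same user via the group-url: lands in NET_ADMIN_G and passes group-lock.
    print(evaluate_login(LoginRequest(url="https://x.x.x.x/network"), groups, policy))
```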

Hi Portu,

So basically there's no way we can use LDAP authentication to dynamically force the user to use a specific tunnel, and this can only be done with group-policy?

thanks

Hi Mahdi,

Yes, that is correct.

Thanks.

Please do not forget to rate any helpful posts and mark this post as answered.

Hi Javier,

I am facing the same issue; kindly advise from the logs below:

[7381] Session Start
[7381] New request Session, context 0x00007f29b06850c0, reqType = Authentication
[7381] Fiber started
[7381] Creating LDAP context with uri=ldap://xxx.xx.xx.xxx:xxx
[7381] Connect to LDAP server: ldap://xxx.xx.xx.xxx:xxx, status = Successful
[7381] supportedLDAPVersion: value = 3
[7381] supportedLDAPVersion: value = 2
[7381] Binding as xxxx@xyx.com
[7381] Performing Simple authentication for xxxx@xyx.com to xxx.xx.xx.xxx:xxx
[7381] LDAP Search:
Base DN = [DC=xxxxxx,DC=com]
Filter = [sAMAccountName=xxxxadmin]
Scope = [SUBTREE]
[7381] User DN = [CN=xxxxxx - Admin,OU=IT Administrators,DC=xxxxxx,DC=com]
[7381] Talking to Active Directory server xxx.xx.xx.xxx:xxx
[7381] Reading password policy for xxxxadmin, dn:CN=xxxxxxx - Admin,OU=IT Administrators,DC=xxxxxxxxxx,DC=com
[7381] Read bad password count 0
[7381] Binding as xxxxxxxxxx
[7381] Performing Simple authentication for xxxxadmin to xx.xx.xx.xxx
[7381] Processing LDAP response for user xxxxxadmin
[7381] Message (xxxxxxxxxx):
[7381] Authentication successful for xxxxxxxxxx to xx.xx.xx.xxx
[7381] Retrieved User Attributes:
[7381] objectClass: value = top
[7381] objectClass: value = person
[7381] objectClass: value = organizationalPerson
[7381] objectClass: value = user
[7381] cn: value = xxxxxxxxxx - Admin
[7381] sn: value = Mohd
[7381] description: value = xxxxxxxxxx - Domain Admin
[7381] userCertificate: value = 0...0..........7...]Z.P.|.`:.....]0...*.H........0U1.0.....&...,d....com1.0.....
[7381] userCertificate: value = 0...0..........7...\r............\0...*.H........0U1.0.....&...,d....com1.0.....
[7381] userCertificate: value = 0...0..........7...[,.R...T......[0...*.H........0U1.0.....&...,d....com1.0.....
[7381] userCertificate: value = 0...0..........7...W8@>..........W0...*.H........0U1.0.....&...,d....com1.0.....
[7381] givenName: value = Maitham
[7381] distinguishedName: value = CN=xxxxxxxxxx - Admin,OU=IT Administrators,DC=xxxxxxxxxx,DC=com
[7381] instanceType: value = 4
[7381] whenCreated: value = 20161208053848.0Z
[7381] whenChanged: value = 20200618055626.0Z
[7381] displayName: value = xxxxxxxxxx - Domain Admin
[7381] uSNCreated: value = 26223
[7381] memberOf: value = CN=Splunk Admins,OU=BHB Groups,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=WSAdmin,CN=Builtin,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=Helpdesk,CN=Users,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=Remote Desktop Users,CN=Builtin,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=Domain Admins,CN=Users,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=Administrators,CN=Builtin,DC=xxxxxxxxxx,DC=com
[7381] memberOf: value = CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=xxxxxxxxxx,DC
[7381] uSNChanged: value = 45324626
[7381] name: value = xxxxxxxxxx - Admin
[7381] objectGUID: value = ..qc1..N........
[7381] userAccountControl: value = 512
[7381] badPwdCount: value = 0
[7381] codePage: value = 0
[7381] countryCode: value = 0
[7381] badPasswordTime: value = 132365994235248758
[7381] lastLogoff: value = 0
[7381] lastLogon: value = 132374522322484840
[7381] scriptPath: value = itdfs.bat
[7381] pwdLastSet: value = 132369333859691240
[7381] primaryGroupID: value = 513
[7381] objectSid: value = ..............P....E...<....
[7381] adminCount: value = 1
[7381] accountExpires: value = 9223372036854775807
[7381] logonCount: value = 8617
[7381] sAMAccountName: value = xxxxxxxxxx
[7381] sAMAccountType: value = 805306368
[7381] userPrincipalName: value = xxxxxxxxxx@xxxxxxxxxx.com
[7381] lockoutTime: value = 0
[7381] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxxxxxxxxx,DC=com
[7381] dSCorePropagationData: value = 20200624130212.0Z
[7381] dSCorePropagationData: value = 20200624120212.0Z
[7381] dSCorePropagationData: value = 20200624110212.0Z
[7381] dSCorePropagationData: value = 20200624100212.0Z
[7381] dSCorePropagationData: value = 16010101000000.0Z
[7381] lastLogonTimestamp: value = 132368950203626481
[7381] Fiber exit Tx=584 bytes Rx=9698 bytes, status=1
[7381] Session End