Tunnel Group - Group policy mapping understanding

Sk391
Level 1

Hi all, 

 

I'm doing some reading but thought I'd post here too. I'm after a high-level overview and then some details on how to get an SSL VPN set up for users on an ASA.

 

I've done some of the config already: the trustpoint, the certificate request, and importing the signed certificate back in successfully. I've enabled SSL on the outside interface, so I think I'm ready for the main part of the config now, but wanted to understand more and plan properly before tackling it.

 

The certificate is for https://test123.com, for example.

 

Within the company there are two departments, D1 and D2. Both use the same AnyConnect config in terms of the URL they are connecting to but have only one difference: D2 uses split tunnelling, D1 tunnels everything back. I need some help on how to achieve this. Both departments use the same AD structure.

 

I'm waiting for some info back from the AD team, but it appears that the users are spread all over the AD tree, so I can't filter on the OU (I don't think).

 

Maybe D2 users have been assigned to a security group or other AD group (I'm waiting for the AD team); can I filter on that?

 

So from my understanding I will need to:

 

1) Create an aaa-server with the AD details in and a service account able to search AD, so that I can authenticate my users. This will also return certain AD attributes. Do I get to see these anywhere, and how do I map them? Are they mapped to the tunnel group or to the group policy? Need some help here please.

 

2) Create the tunnel group. I think I will only need one tunnel group, since both departments will be using the same URL, I don't want to use a drop-down list, and I haven't really looked at individual certificates on the devices yet. Could I do it from other parameters such as laptop name? I believe D2 laptops start with 'L' whereas D1 start with 'M'. Is this possible?

 

3) Create a group policy and map it to the tunnel group. It's here that the split tunnelling is also configured.

 

My main confusion and question is related to how I query the AD, what attributes I can match, and how to apply different tunnel groups or group policies based on what is returned. For example, if OU-D1 is returned, apply the D1 group policy with no split tunnelling; if OU-D2 is returned, then apply split tunnelling.

 

Can anyone help me please?

 

Many thanks 

5 Replies

Hi,
I assume you are using username/password for authentication rather than certificates. In which case, on your RADIUS server create multiple authorization rules matching on the AD group that the user is a member of; if matched, return the attribute

Class = ou=<GROUP-POLICY-NAME>

Obviously <GROUP-POLICY-NAME> matches exactly the group policy defined on the ASA. The different Group Policies would be configured with different settings for split tunnel etc.

HTH

Hi,

 

Yes, I'm using username / password for authentication - Windows Active Directory. 

 

How and where do I do the mapping so that I can map the returned OU (from AD) to the group policy?

 

So if OU = D1 then apply the D1 policy 

if OU = D2 then apply D2 policy 

 

Where on the ASA is this done from, please? Does anyone have an example to help my understanding?

 

Many thanks 

This configuration is applied on the RADIUS server, I assume you are using Windows NPS?

You are authenticating using the user's username, not the computer's account, so you can't match on the laptop's OU.

You would match on the AD group that the user is a member of. As part of the NPS policy you would define the RADIUS attribute "Class" with a value "ou=POLICY"; this is returned with the user's session and the ASA group policy so specified is applied to the session.

E.g.-

Class = ou=D1_POLICY or Class = ou=D2_POLICY

The only configuration required on the ASA is the different group policies; it's the RADIUS server's job to determine which GP to apply to which session.

Okay, so the ASA would send the request to the RADIUS server, i.e. ISE or ACS, which would return the groups. I was under the impression that the ASA would request the groups directly from the AD servers.

If you are using RADIUS authentication then the ASA sends the authentication request to the RADIUS server (NPS/ISE/ACS or whatever you are using), which then authenticates the user (querying AD if required) and in addition can send back RADIUS attributes, which are applied on the ASA, e.g. apply group-policy, DACL, DHCP pool etc.

ASA would query AD directly if you were using LDAP(s).
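As an added worked example (not from any of the posts in this thread), here is the ASA side of the RADIUS approach described above: one tunnel-group, a group policy per department, and a fallback policy for sessions where the returned Class value matches nothing. D1_POLICY and D2_POLICY come from the thread; the server name NPS, its address and shared-secret placeholder, the ACL D2-SPLIT, the tunnel-group SSLVPN, the NOACCESS policy and the LDAP group DN at the end are assumed names.

```text
! --- RADIUS server (NPS/ISE/ACS) that authenticates users against AD and
!     returns Class = ou=<GROUP-POLICY-NAME>. Address and key are placeholders.
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.10.5
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
!
! --- Internal range D2 should reach through the tunnel (constructed example)
access-list D2-SPLIT standard permit 10.0.0.0 255.0.0.0
!
! --- D1: everything is tunnelled back
group-policy D1_POLICY internal
group-policy D1_POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
!
! --- D2: split tunnel, only networks in D2-SPLIT go through the VPN
group-policy D2_POLICY internal
group-policy D2_POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value D2-SPLIT
!
! --- Fallback used when RADIUS returns no Class attribute, or an ou= value
!     that matches no group policy: zero logins, so a user never lands in
!     an unintended policy (e.g. a tunnel-all user getting split tunnelling).
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! --- One tunnel-group for both departments: same URL, no drop-down list.
!     A returned Class = ou=D1_POLICY / ou=D2_POLICY overrides the default.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group NPS
 default-group-policy NOACCESS
tunnel-group SSLVPN webvpn-attributes
 group-url https://test123.com enable
!
! --- Check which group policy a connected user actually received
show vpn-sessiondb anyconnect filter name <USERNAME>
!
! --- LDAP alternative (ASA queries AD itself, as the last reply notes):
!     the same selection is done on the ASA with an attribute map, e.g.
!     ldap attribute-map AD-MAP
!      map-name memberOf Group-Policy
!      map-value memberOf "CN=D2-Users,OU=Groups,DC=test123,DC=com" D2_POLICY
```

The NPS side (network policy per AD group, each returning Class = ou=D1_POLICY or ou=D2_POLICY) is configured on the RADIUS server as the replies describe; the policy name in the Class value must match the ASA group-policy name exactly, case included.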