Solved: Hello Amdhage!

marcio.tormente · ‎03-24-2016

hello folks,

I would like to configure my vpn to recognize and allow to connect to the VPN only if the machine is member of domain (AD).

It is possible?

How can I do it?

Obs: My VPN have a DAP configured to recognize member of group in the AD (users)

Thanks

Marcio

William Quintero Zuniga · ‎03-24-2016

Hi Marcio,

I see, ok in that case what you would want is to deploy HostScan so it can scan the endpoint connecting to the ASA. this scan report will be sent to the ASA and you can create DAP policies against certain attributes that will allow the connection. Once you have applied the DAPs you want to permit then you need to set the default DAP to terminate all connections. make sure you be very specific with the permit DAPs and that your client comply with what you are matching otherwise you may have unauthorized clients connecting or users that are unable to connect. the endpoints that don't meet the criteria will get the default and terminate the connection.

DAP and HostScan being so versatile it is hard to find documentation on that or specific configuration examples. I think the requirement is to run 8.4 or higher though. We can help you here at TAC with the configuration if you need assistance.

Hope this helps.

View solution in original post

marcio.tormente · ‎08-04-2016

Hello Amdhage!

I solve this problem with DAP as you mantion, this work fine.

I don´t have MAC in my client, for this reason, I din´t have to worry about.

Thanks for your support.

View solution in original post

William Quintero Zuniga · ‎03-24-2016

Hi Marco,

I'm unsure if when you say member of an AD domain you mean member of a specific security group in AD. If this is the case then yes this is possible, this can be done with LDAP attribute mapping on the ASA, this can also be done with Radius mapping however this needs to be done on the server not the ASA when using Radius. You can also do something similar with certificate mapping. DAP can also be used together with it and continue to assign the attributes that you are assigning depending on what you are matching on the DAP.

Here are a few links for the mapping methods I mentioned before:

ASA Use of LDAP Attribute Maps Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Loginhttp://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

ASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre-Fill Configuration Guide http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html

Configure ACS to Assign a Group Policy at Login using RADIUS http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/98608-radius-assign-group-policy.html

Hope this helps.

marcio.tormente · ‎03-24-2016

Hello William,

Thanks for your support

The DAP that is configured is to use LDAP and the people only can authenticate if they are member of a group, this works very well.

Now my customer want provide VPN only if the computer is registered on the domain controller, in other word, if the person want to use VPN in theys personal computer, will be not possible, then I need to make sure tht, when this person try to connect to the VPN is chek if they computer is registered on the AD.

Thanks

William Quintero Zuniga · ‎03-24-2016

Hi Marcio,

I see, ok in that case what you would want is to deploy HostScan so it can scan the endpoint connecting to the ASA. this scan report will be sent to the ASA and you can create DAP policies against certain attributes that will allow the connection. Once you have applied the DAPs you want to permit then you need to set the default DAP to terminate all connections. make sure you be very specific with the permit DAPs and that your client comply with what you are matching otherwise you may have unauthorized clients connecting or users that are unable to connect. the endpoints that don't meet the criteria will get the default and terminate the connection.

DAP and HostScan being so versatile it is hard to find documentation on that or specific configuration examples. I think the requirement is to run 8.4 or higher though. We can help you here at TAC with the configuration if you need assistance.

Hope this helps.

marcio.tormente · ‎03-24-2016

Thanks William,

Open a TAC case I think is the best option.

amdhage · ‎08-04-2016

Hello marcio.tormente,

I am going through a similar kind of configuration dead end. However, I was able to resolve the issue as far Windows users are concern.

I have created a "registry" DAP policy pointing to the Domain Name configured in the endpoint and applied it. The tests are positive.

On the Windows endpoints the registry entry can be found at:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"

Now I am looking for a similar kind of configuration for the MacOS users.

Hope this helps.

Thank You & Regards,

Ameya Dhage

marcio.tormente · ‎08-04-2016

Hello Amdhage!

I solve this problem with DAP as you mantion, this work fine.

I don´t have MAC in my client, for this reason, I din´t have to worry about.

Thanks for your support.

shehreyar · ‎05-04-2020

Hi,

I have the same requirements, could you please share the configuration details or any guide, currently I am using DAP with Ldap query to AD for user verification and now additionally I need to verify the domain PC.

VPN anyconnect with machine in the domain