Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12858
Views
5
Helpful
9
Replies

VPN Group Policy Problem

hnbbank01
Level 1
Level 1

‎02-15-2011 11:31 AM

I’m trying to get IPSec VPN working with LDAP authentication but I can't figure out why my Group Policy is not working correctly.  When my user authenticates, it looks like the correct ALLOWACCESS policy is being applied but then the NOACCESS policy is applied right after it and the user is denied access.


Here's my config

ldap attribute-map NNTest
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin TRUE ALLOWACCESS

aaa-server LDAP_SRV_GROUP protocol ldap
aaa-server LDAP_SRV_GROUP (LAN) host xxx.xxx.xxx.xxxx
ldap-base-dn dc=xxx, dc=xxx, dc=xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=xxx, cn=xxx, dc=xxx, dc=xxx, dc=xxx
server-type microsoft
ldap-attribute-map NNTest

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec

group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value *
address-pools value mypool

tunnel-group NNTest type remote-access
tunnel-group NNTest general-attributes
address-pool mypool
authentication-server-group LDAP_SRV_GROUP
default-group-policy NOACCESS
tunnel-group NNTest ipsec-attributes
pre-shared-key *

Here's what I see in my ASDM logs

Feb 15 2011 14:19:56 113004    AAA user authentication Successful : server =  xxx.xxx.xxx.xxx : user = user
Feb 15 2011 14:19:56 113003    AAA group policy for user user is being set to ALLOWACCESS
Feb 15 2011 14:19:56 113011    AAA retrieved user specific group policy (ALLOWACCESS) for user = user
Feb 15 2011 14:19:56 113009    AAA retrieved default group policy (NOACCESS) for user = user
Feb 15 2011 14:19:56 113013    AAA unable to complete the request Error : reason = Simultaneous logins exceeded for user : user = user
Feb 15 2011 14:19:56 713905    Group = NNTest, Username = user, IP = xxx.xxx.xxx.xxx, Login authentication failed due to max simultaneous-login restriction.

Any help would be appreciated.

Labels:
0 Helpful
9 Replies 9

Yudong Wu
Level 7
Level 7

‎02-15-2011 01:43 PM

please run "debug ldap 255" to see why it was mapped to wrong group.

0 Helpful

andamani
Cisco Employee
Cisco Employee

‎02-15-2011 05:34 PM

Hi,

The problem lies in the following configuration:

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0

Please change the vpn-simultaneous-logins to 1 and test and see.

The following link gives you the details of the command vpn-simultaneous-logins

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1631556

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

0 Helpful

hnbbank01
Level 1
Level 1
In response to andamani

‎02-16-2011 06:38 AM

The debug shows the correct group policy being applied.

[180]   msNPAllowDialin: value = TRUE
[180]           mapped to IETF-Radius-Class: value = ALLOWACCESS
[180]           mapped to LDAP-Class: value = ALLOWACCESS

Anisha, they way I understand it, I need the "vpn-simultaneous-logins 0" so that the VPN connection is denied if the user does not have the proper Active Directory setting.  I.E., if msNPAllowDialin is anything but TRUE, then they should have the NOACCESS group policy applied thus denying the VPN connection.  If I change it to "vpn-simultaneous-logins 1", the VPN will be connected even though it is applying the NOACCESS group policy (as the default policy for the tunnel group NNTest).  Please let me know if I am incorrect.

Thanks.

0 Helpful

Yudong Wu
Level 7
Level 7
In response to hnbbank01

‎02-16-2011 08:14 AM

Could you please post the full output of "debug ldap 255" and the running configuration?

0 Helpful

hnbbank01
Level 1
Level 1
In response to Yudong Wu

‎02-16-2011 01:07 PM

FYI, I was able to finally discover why this wasn't working.  My ALLOWACCESS group policy was inheriting the vpn-simultaneous-logins setting from the DfltGrpPolicy.  The ALLOWACCESS group policy had to be explicitly configured with a vpn-simultaneous-logins value different from the one on the default group  policy.  I changed it to vpn-simultaneous-logins 4 and it's now working.  Doesn't make much sense to me but it works.

Thanks to everyone who helped out.  I appreciate you taking the time and your fast responses.

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to hnbbank01

‎02-17-2011 05:03 AM

Hi,

The command vpn-simulateous-login is used permit  the number of sessions allowed per user. If you make this 1 only one  session will be permitted and users will be connected. But if you make  this as 0, no user will be able to connect.

The  group-mapping will kick in later, hence giving you access to required  resources based on group-policy.

the attributes or policies which  will be inherited is defined in the group-policy but before that you  need to have connect, for which you need to have simultaneous login set  to 1 minimum.

Hope this helps.

Regards,

Anisha

-  do rate helpful posts and mark the thread as answered if you feel your  query is answered.

0 Helpful

hnbbank01
Level 1
Level 1

‎02-16-2011 01:09 PM

FYI, I was able to finally  discover why this wasn't working.  My ALLOWACCESS group policy was  inheriting the vpn-simultaneous-logins setting from the DfltGrpPolicy.   The ALLOWACCESS group policy had to be explicitly configured with a  vpn-simultaneous-logins value different from the one on the default  group  policy.  I changed it to vpn-simultaneous-logins 4 and it's now  working.  Doesn't make much sense to me but it works.

Thanks to everyone who helped out.  I appreciate you taking the time and your fast responses.

andamani
Cisco Employee
Cisco Employee
In response to hnbbank01

‎02-17-2011 05:05 AM

hi,

Also from the logs the correct error to be looked and worried about is:

Feb 15 2011 14:19:56 113013    AAA unable to complete the request Error :  reason = Simultaneous logins exceeded for user : user = user

The log clearly states that login permitted has exceded, hence unable to complete the request.

Hope this helps.

Regards,

Anisha

- do rate helpful posts.

0 Helpful

kasper123
Level 4
Level 4
In response to hnbbank01

‎04-03-2017 02:54 PM

I had the exact same problem and your post was exactly on point.

It makes no sense that you would have to change the vpn-simultaneous-logins value that is being inherited but changing it to something (bigger than 0) really fixes the issue. 

If you would not be using a NOACCESS policy than leaving the default setting for vpn-simultaneous-logins in the policy allows the connection to be established but if you are using a separate NOACCESS policy then that default value causes the connection to use the NOACCESS policy.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents