04-11-2011 06:36 AM
Hello,
I'm trying to set up an SSL VPN on an ASA running V8.2-4 using LDAP authentication and this is the problem I'm having:
if the user is in a specified group the correct policy is applied and everything works fine but,
if the user is not in any group the user gets access to the internal network....
How can I disable access to the network if the user is not in an allowed group?
thanks in advance and regards
Giovanni
04-11-2011 07:16 AM
Hi,
Please make the default DAP Policy Action is set to deny access instead of continue.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-11-2011 07:47 AM
Hi,
thanks for your answer, unfortunately it did not work because if I set action terminate to the default DAP nobody is able to access the VPN any more...
these are my settings:
ldap attribute-map TESTMAP
 map-name memberOf Group-Policy
 map-value memberOf CN=!VEN_VPN_SSL_Sparrow,OU=VEN_Common_Group,OU=Venaria,OU=ITALY,DC=mmemea,DC=marelliad,DC=net ExamplePolicy2
 map-value memberOf CN=G-Users-MM-VPN-SSL-Enabled,CN=Users,DC=mmemea,DC=marelliad,DC=net MMUserPolicy
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  port-forward disable
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable
In this case if the user is in !VEN_VPN_SSL_Sparrow then it is associated with ExamplePolicy2,
if it is in the other group it gets MMUserPolicy,
but if it is not in either of these two groups he gets full access to the network!
If I set action terminate to dynamic-access-policy-record DfltAccessPolicy then nobody can login.
Thanks again for your help
Giovanni
04-11-2011 11:22 AM
Hi,
The above configuration will only ensure that the correct group-policy is pushed to the user belonging to the group in AD.
But that will not restrict the access. You will have to configure DAP in order to restrict the access. I see you have only a default DAP configured. You will have to add a few more and deny the default DAP.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered, if you feel your query is resolved. Do rate helpful posts.
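As an added example, not taken from the posts above: the group-policy side of the fix. The attribute map only selects a group-policy, so a user whose memberOf matches no map-value entry silently falls back to the tunnel-group's default-group-policy; making that default policy one that permits zero logins closes the gap without touching DAP (the per-group DAP records Anisha recommends are built from the AAA memberOf attribute in ASDM and are not shown here). The server address, bind DN, password and tunnel-group name are placeholders.

```cisco
! Policy handed to every user the attribute map does NOT match.
! vpn-simultaneous-logins 0 causes the login to be rejected.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Policies named in the map-value lines must override the 0 above,
! otherwise matched users would inherit the denial from the default.
group-policy MMUserPolicy internal
group-policy MMUserPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn
group-policy ExamplePolicy2 internal
group-policy ExamplePolicy2 attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn

! LDAP server definition; TESTMAP is the attribute map from the thread.
! 192.0.2.10, the bind DN and the password are placeholders.
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 192.0.2.10
 ldap-base-dn DC=mmemea,DC=marelliad,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=mmemea,DC=marelliad,DC=net
 ldap-login-password CHANGE_ME
 server-type microsoft
 ldap-attribute-map TESTMAP

! The tunnel group authenticates against LDAP and defaults to NoAccess,
! so only a memberOf hit in TESTMAP can move a user to a working policy.
tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy NoAccess
```

Verify with `test aaa-server authentication LDAP_SRV username <user> password <pw>` for a user in no mapped group; the ASA should report the assigned group-policy as NoAccess and a real login attempt should fail with a simultaneous-logins error.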