
VPN SSL and LDAP authentication

gbruna
Level 1

Hello,

I'm trying to set up an SSL VPN on an ASA running V8.2-4 using LDAP authentication, and this is the problem I'm having:

If the user is in a specified group, the correct policy is applied and everything works fine, but

if the user is not in any group, the user gets access to the internal network...

How can I disable access to the network if the user is not in an allowed group?

Thanks in advance and regards

Giovanni

3 Replies

andamani
Cisco Employee

Hi,

Please make sure the default DAP policy action is set to deny access instead of continue.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi,

Thanks for your answer. Unfortunately it did not work, because if I set action terminate on the default DAP nobody is able to access the VPN any more...

These are my settings:

ldap attribute-map TESTMAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=!VEN_VPN_SSL_Sparrow,OU=VEN_Common_Group,OU=Venaria,OU=ITALY,DC=mmemea,DC=marelliad,DC=net ExamplePolicy2
  map-value memberOf CN=G-Users-MM-VPN-SSL-Enabled,CN=Users,DC=mmemea,DC=marelliad,DC=net MMUserPolicy
dynamic-access-policy-record DfltAccessPolicy
webvpn
  port-forward disable
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable

In this case, if the user is in !VEN_VPN_SSL_Sparrow then it is associated with ExamplePolicy2;
if it is in the other group it gets the MMUserPolicy;
but if it is not in either of these two groups, it gets full access to the network!

If I set action terminate on dynamic-access-policy-record DfltAccessPolicy, then nobody can log in.

Thanks again for your help

Giovanni

Hi,

The above configuration will only ensure that the correct group-policy is pushed to the user belonging to the group in AD.

But that will not restrict the access. You will have to configure DAP in order to restrict the access. I see you have only a default DAP configured. You will have to add a few more and deny the default DAP.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered, if you feel your query is resolved. Do rate helpful posts.
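The DAP layout Anisha describes, written out as an added ASA 8.2 CLI example (this is not configuration from the thread or from Cisco documentation for this thread). The record name Allow-MM-VPN-Users, the aaa-server name LDAP-AD and the server address are assumptions; the group DN and the attribute-map name TESTMAP are the ones Giovanni posted. The reason the terminate-only attempt locked everyone out is that DfltAccessPolicy is applied only to sessions that match no other DAP record, so an explicit "allow" record has to exist before the default can safely be set to terminate. The record's selection criterion (AAA attribute aaa.ldap.memberOf equal to the allowed group DN) is configured on the record in ASDM and stored in flash:/dap.xml; the CLI carries only the action, priority and messages shown here.

```cisco
! Added example, not from the thread. LDAP-AD, Allow-MM-VPN-Users and
! 192.0.2.10 are assumed values; the DN and TESTMAP come from the post.

! 1. The attribute map only takes effect when it is bound to the LDAP
!    server definition used by the tunnel-group.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=mmemea,DC=marelliad,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
 ldap-attribute-map TESTMAP

! 2. BEFORE (the situation in the thread): the only record is the default,
!    whose action is "continue", so a user in no mapped group is admitted
!    with the tunnel-group's default group-policy and gets full access.
dynamic-access-policy-record DfltAccessPolicy
 action continue

! 3. AFTER: an explicit record admits only members of the allowed AD group.
!    Selection criterion set in ASDM (stored in dap.xml):
!      aaa.ldap.memberOf  EQ
!      CN=G-Users-MM-VPN-SSL-Enabled,CN=Users,DC=mmemea,DC=marelliad,DC=net
dynamic-access-policy-record Allow-MM-VPN-Users
 description "Members of G-Users-MM-VPN-SSL-Enabled"
 action continue
 priority 10

!    With that record in place, the default can deny. It is reached only by
!    sessions that matched no other DAP, i.e. users outside the allowed groups.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "Access denied: your account is not in an authorized VPN group."
```

Add one allow record per mapped group (the !VEN_VPN_SSL_Sparrow group would get its own) before changing the default to terminate, and verify with a test account that is in neither group: it should now receive the user-message and be disconnected, while members of the mapped groups still land in ExamplePolicy2 or MMUserPolicy as before.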