LDAP Attribute Wildcard - IPSEC not WebVPN

boscom
Level 1

Hi,

I have setup authentication using LDAP and it is working fine.

I am trying to restrict only users that are member of a particular Security group (VPN Users) to be able to VPN in.

I have created an LDAP attribute map (vpnmap) that checks if the user is a member of the required Security Group and if correct assigns a group policy (XXXvpntunnel) to it.

However, if a user is not a member of the group, the ldap attribute map does not assign the above group policy to it, but the user can still VPN in and when I do a check of the group policy being used via sh vpn-sessiondb detail remote, it shows me the same group policy XXXvpntunnel being used.

I have created another group policy called XXXvpntunneldeny with ipsec sessions set to 0, but how do I assign this group profile to users who are not a memberOf VPN Users, so that they cannot VPN in?

I have also tested by adding SamAccountname in the attribute map and value "Administrator" and group-policy "xxxvpntunneldeny" and it stops Administrator from getting in via VPN, but I want to be able to use a wildcard to prevent all users not in the Security Group VPN Users from connecting via VPN.

Any suggestions on the best way to restrict users not part of the VPN Users group in AD from being able to VPN in?

Thank you.

1 Accepted Solution

Accepted Solutions

Here's a good link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Change the default group-policy to vpn-simultaneous-logins 0.

Apply a specific vpn-simultaneous-logins to the new group-policy.

group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

group-policy POLICY attributes
 vpn-simultaneous-logins 10

I was able to get this working.

Forget about mapping to the dialin permissions. Not needed here.

If someone doesn't get mapped to one of your manually created group-policies, only the default group policy applies, and they can't log in.

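The accepted solution above boils down to a default-deny design: the only way to get a usable group policy is for the LDAP attribute map to assign one, and everything that is not assigned falls back to a DfltGrpPolicy that allows zero sessions. Below is an added, complete ASA configuration (8.x-era CLI syntax) that puts the pieces together. It is not configuration from the thread or from Cisco; the server name AD-LDAP, the host address, the base and bind DNs, the group DN, the tunnel-group name XXXvpn and the session limit of 3 are all assumptions chosen for the example.

```text
! Added example, not from the thread: default-deny remote-access VPN on an
! ASA where only direct members of "VPN Users" get a working group policy.
! Names, DNs, addresses and limits below are assumptions for illustration.

! Allow-list: a memberOf value that exactly matches the full group DN maps
! the user to XXXvpntunnel. Anyone else receives no mapping at all.
ldap attribute-map vpnmap
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=com" XXXvpntunnel

! AD LDAP server the ASA binds to for user authentication
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map vpnmap

! Default policy denies: unmapped users land here and cannot connect
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! The working policy must set the limit itself: any attribute it leaves
! unset is inherited from DfltGrpPolicy, which now says 0
group-policy XXXvpntunnel internal
group-policy XXXvpntunnel attributes
 vpn-simultaneous-logins 3

! Tunnel group authenticates against AD and defaults to the deny policy
tunnel-group XXXvpn type remote-access
tunnel-group XXXvpn general-attributes
 authentication-server-group AD-LDAP
 default-group-policy DfltGrpPolicy
```

Two checks worth doing after applying this. First, the tunnel-group's default-group-policy must not point at XXXvpntunnel: if it does, every authenticated user inherits XXXvpntunnel whether or not the attribute map matched, which is exactly the symptom in the original post. Second, a mapped user can still be locked out if XXXvpntunnel does not set vpn-simultaneous-logins explicitly, because the value is then inherited from the zero in DfltGrpPolicy. Verify with debug ldap 255 (the memberOf value and the policy it maps to appear in the output) and with show vpn-sessiondb detail remote, which shows the group policy actually applied to the session. Note that memberOf in AD lists direct memberships only, so users who belong to "VPN Users" only through a nested group will not match, and the map-value string must equal the DN exactly as AD returns it. With this design a separate deny group or deny policy is unnecessary.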

6 Replies

hadbou
Level 5

When a user authenticates to the security appliance, the security appliance, in turn, authenticates to the server and uses the LDAP protocol to retrieve the record for that user. The record consists of LDAP attributes associated with fields displayed on the user interface of the server. Each attribute retrieved includes a value that was entered by the admin who updates the user records.

Refer to the following URLs for more information on Active Directory policies using LDAP attribute maps:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/extsvr.html#wp1583169

In their AD account settings, set their dial-in permissions to not allowed.

Then under your ldap attribute map, add something like:

ldap attribute-map vpnmap
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin "FALSE" NOACCESS

and then:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

or use your own group-policy name.

Thanks for the reply, srue.

I tried this, but for some reason it was not checking for this attribute.

I had debug ldap 255 running but could not see any matches to msNPAllowDialin. Maybe I did not configure the attribute map correctly.

I have created a new AD group called VPN Deny and added users that I do not want to have VPN access to this group.

I then check the memberOf "VPN Deny" attribute and assign them to a group-policy that has vpn-simultaneous-logins as 0.

The only problem with this is that all users who need to be prevented from using VPN access need to be added to the VPN Deny group.

hadbou has sent me a couple of links, the first of which is more detailed on LDAP attribute mapping, which I will go through and try a better solution including mapping to msNPAllowDialin and see which works best.

Regards.

Hi Hadbou.

Thanks for the reply and the links. The first one is quite detailed and I will use it to refine what I have done as indicated below.

I have created a new AD group called VPN Deny and added users that I do not want to have VPN access to this group.

I then check the memberOf "VPN Deny" attribute and assign them to a group-policy that has vpn-simultaneous-logins as 0.

Will work on checking alternate attribute values as per the link you sent.

Regards.


This was the issue I was having in the first place.

People not getting mapped to xxxvpntunnel via the ldap attribute map were still able to log in using the xxxvpntunnel group policy.

When I set the default policy to vpn-simultaneous-logins 0, I could not get in even if the ldap attribute mapped me to xxxvpntunnel.

I think I have got the group and default policies all interconnected. Will clear the config and re-start and am sure it will work.

Thank you.