ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

jstevensunico
Level 1

Hi All,

I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.

The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.

There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.

The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.

I can only do an all or nothing scenario.

It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the dropdown aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.

Scenario 1 would work the best for me: restrict access to profiles/groups based on AD group membership using LDAP.

Scenario 2 would be an ideal longer-term solution.

Any thoughts, ideas or assistance would be greatly appreciated.

Cheers

3 Replies

Nelson Rodrigues
Cisco Employee

Please check out the DAP deployment guide https://supportforums.cisco.com/docs/DOC-1369.

So each VPN session will come in on a specific Connection Profile (aka Tunnel Group, TG), with each TG having a default group-policy (GP). The GP contains the authorization attributes to apply to the session. DAP is a specialized Group Policy, but currently cannot set all attributes that the legacy GP does. DAP allows aggregation of authorization attributes, which the GP doesn't.

So for your case:

1) Connection ProfileX , Group-Policy X, 1 or more DAP(s) that check for ldap attribute.memberOf=CarpetBaggers

Set the Action=Continue

Note: LDAP attributes are case sensitive, so make sure memberOf has a capital O.

2) Set the DfltAccessPolicy DAP for Action=Terminate

3) Set your Connection Profile for LDAP authentication

4) On your console you can see the DAP processing with "debug dap trace".

HTH,

Nelson

This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:

assert(function()
   -- true only when the LDAP DN is present and contains "OU=Users"
   if ( (type(aaa.ldap.distinguishedName) == "string") and
        (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
      return true
   end
   return false
end)()

From the debug dap trace you can see what "Users" relates to:

DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com

My admin account fails to get me in to the same profile:

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"

Thanks

Andrew
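An added example (not from this thread or from Cisco's guide) of the memberOf check Nelson describes in step 1, written as a DAP logical expression in the same style as Andrew's. It assumes a hypothetical AD group whose DN begins with CN=CarpetBaggers and, as on the ASA, that aaa.ldap.memberOf is a string when the user is in one group and a table when in several:

```lua
-- Added example, not the thread's or Cisco's code.
-- Returns true only if one of the user's memberOf values is the
-- CarpetBaggers group (hypothetical DN prefix); anything else is denied.
assert(function()
   local wanted = "CN=CarpetBaggers,"   -- hypothetical group DN prefix
   local groups = aaa.ldap.memberOf

   -- One group: the ASA hands DAP a string; several: a table of strings.
   if type(groups) == "string" then
      groups = { groups }
   elseif type(groups) ~= "table" then
      return false                      -- attribute absent: deny
   end

   for _, dn in ipairs(groups) do
      -- plain (non-pattern) find anchored at position 1, so a group
      -- such as "CN=CarpetBaggersAdmin,..." does not match by accident
      if type(dn) == "string" and string.find(dn, wanted, 1, true) == 1 then
         return true
      end
   end
   return false
end)()
```

With the DfltAccessPolicy set to Terminate as in step 2, "debug dap trace" shows the memberOf values that were compared when a user is refused.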

Hi all,

I will get back to that post since there is something else that I would like to ask.

I have configured DAP policies and also user access lists (with the AD client installed).

But, what if you want the below scenario:

Apply policies between source AND destinations AD Groups.

Let the following 3 groups exist in the AD: sales, presales, accounting.

I want webvpn users to have the following policies:

sales <-> sales: allow
presales <-> presales: allow
sales <-> presales: allow
sales <-> accounting: deny
presales <-> accounting: deny
accounting <-> accounting: allow

Keep in mind that I don't want to keep and maintain different client pools for each group.

I want to be dynamic.

It would be great if I could use user-based ACLs with source and destination users and/or groups.
