ASA 8.2.x and SSL or AnyConnect VPN with IAS auth group control

tobyhouser
Level 1

I've searched all through the forum looking for a config example, but haven't found one yet.

Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN?  We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.  For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.

How is this done, preferably with just Windows IAS (RADIUS) and built in ASA SSL VPN and AnyConnect controls.

12 Replies

Jennifer Halim
Cisco Employee

You can use LDAP attribute mapping if you use AD to map user to specific group-policy:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Hope that helps.

I have the LDAP working and have tried assigning a mapping to a group policy per this guide -->http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

However, some of the commands seem different in 8.2.x. Specifically, the IETF-Radius-Class attribute didn't show up as a drop-down option in the ASDM, although I was able to add it via the CLI. So, I think I have the mapping created correctly, but it doesn't look like the ASA is using it. I have set up two LDAP attributes, one for CN=HRUsers and one for CN=DenyGroup, to use for testing. I have a user in my LDAP that I have moved between those two groups, but regardless of which group I put him in on the LDAP server, he still gets authenticated and inherits the HRUsers policy.

According to the guide ... I should see something like this:

[105] memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com

[105] mapped to IETF-Radius-Class: value = ExamplePolicy1

But I only see the first line ... not the "Mapped to" section that follows it. Could it be that the example uses IETF-Radius-Class but I'm not using RADIUS? I'm using LDAP since it's authenticating against an Active Directory server.

Jennifer Halim
Cisco Employee

Can you please advise if the LDAP tree path is correct? "CN=DenyGroup,OU=VPN  Users,DC=vpn,DC=com"

If you do "debug ldap 255", you will be able to see whether the user is correctly falling under the correct path; for the LDAP attribute map to work, it needs to match exactly.

How do you know it is still falling under the HR policy? Once the user is connected, can you do "show vpn-sessiondb remote filter name "

Yes, the memberOf group is shown correctly in the debug:

[54258] Retrieved User Attributes:
[54258]         objectClass: value = top
[54258]         objectClass: value = person
[54258]         objectClass: value = organizationalPerson
[54258]         objectClass: value = user
[54258]         cn: value = tobytest
[54258]         sn: value = Houser
[54258]         description: value = Test account for VPN access
[54258]         givenName: value = Toby
[54258]         distinguishedName: value = CN=tobytest,OU=VPN Users,DC=vpn,DC=com
[54258]         instanceType: value = 4
[54258]         whenCreated: value = 20081003185255.0Z
[54258]         whenChanged: value = 20100325212421.0Z
[54258]         displayName: value = tobytest
[54258]         uSNCreated: value = 1351748
[54258]         memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com
[54258]         uSNChanged: value = 3315685
[54258]         name: value = tobytest
[54258]         objectGUID: value = iQ.q..DB........
[54258]         userAccountControl: value = 512
[54258]         badPwdCount: value = 0
[54258]         codePage: value = 0
[54258]         countryCode: value = 0
[54258]         badPasswordTime: value = 129135013690000047
[54258]         lastLogoff: value = 0
[54258]         lastLogon: value = 129135013938595388
[54258]         pwdLastSet: value = 129139284801415442
[54258]         primaryGroupID: value = 513
[54258]         userParameters: value =                                                 P....CtxCfgPresent..............
[54258]         objectSid: value = ............3r.O.#.&.m.2h...
[54258]         accountExpires: value = 0
[54258]         logonCount: value = 0
[54258]         sAMAccountName: value = tobytest
[54258]         sAMAccountType: value = 805306368
[54258]         userPrincipalName: value = tobytest@vpn.com
[54258]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=vpn,DC=com
[54258]         dSCorePropagationData: value = 20091113013853.0Z
[54258]         dSCorePropagationData: value = 20091113013540.0Z
[54258]         dSCorePropagationData: value = 20091113012657.0Z
[54258]         dSCorePropagationData: value = 20091113012614.0Z
[54258]         dSCorePropagationData: value = 16010714223649.0Z
[54258]         lastLogonTimestamp: value = 129135001055035397
[54258] Fiber exit Tx=371 bytes Rx=3889 bytes, status=1
[54258] Session End

The problem I'm having is that the filter is not getting applied.  According to the example, the next line after "memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com" should be "mapped to IETF-Radius-Class: value = DenyGrpPolicy" ... but that isn't happening.

I think this is why the filter is not getting applied ... but not sure how to fix it.

I also tried "sh vpn-sessiondb remote filter name tobytest" but I get an error: INFO: There are presently no active sessions of the type specified

Please grab the output of "sh vpn-sessiondb remote filter name tobytest" when you are actually connected via AnyConnect so we can check which group-policy you are assigned to. Then we know whether the group-policy assignment is incorrect or the group-policy settings are incorrect.

That command does nothing at the CLI -->

sh vpn-sessiondb remote filter name tobytest
INFO: There are presently no active sessions of the type specified

I have confirmed that the anyconnect session is still connected.  From the ASDM monitoring page I have the following:

Even though the LDAP debug shows me as being in the memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com, not the HRManilla group that it is applying.

[54281] Session Start
[54281] New request Session, context 0xb4a9a4d0, reqType = Authentication
[54281] Fiber started
[54281] Creating LDAP context with uri=ldap://10.:389
[54281] Connect to LDAP server: ldap://10.:389, status = Successful
[54281] supportedLDAPVersion: value = 3
[54281] supportedLDAPVersion: value = 2
[54281] Binding as admvpn
[54281] Performing Simple authentication for admvpn to 10.

[54281] LDAP Search:
        Base DN = [ou=VPN Users, dc=vpn, dc=com]
        Filter  = [sAMAccountName=tobytest]
        Scope   = [ONE LEVEL]
[54281] User DN = [CN=tobytest,OU=VPN Users,DC=vpn,DC=com]
[54281] Talking to Active Directory server 10.

[54281] Reading password policy for tobytest, dn:CN=tobytest,OU=VPN Users,DC=vpn,DC=com
[54281] Read bad password count 0
[54281] Binding as tobytest
[54281] Performing Simple authentication for tobytest to 10.1

[54281] Processing LDAP response for user tobytest
[54281] Message (tobytest):
[54281] Checking password policy
[54281] Authentication successful for tobytest to 10.

[54281] now: Thu, 25 Mar 2010 21:54:14 GMT, lastset: Wed, 24 Mar 2010 18:21:20 GMT, delta=99174, maxage=1248204288 secs
[54281] expire in: 7676826 secs, 89 days
[54281] Retrieved User Attributes:
[54281]         objectClass: value = top
[54281]         objectClass: value = person
[54281]         objectClass: value = organizationalPerson
[54281]         objectClass: value = user
[54281]         cn: value = tobytest
[54281]         sn: value = Houser
[54281]         description: value = Test account for VPN access
[54281]         givenName: value = Toby
[54281]         distinguishedName: value = CN=tobytest,OU=VPN Users,DC=vpn,DC=com
[54281]         instanceType: value = 4
[54281]         whenCreated: value = 20081003185255.0Z
[54281]         whenChanged: value = 20100325212421.0Z
[54281]         displayName: value = tobytest
[54281]         uSNCreated: value = 1351748
[54281]         memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com
[54281]         uSNChanged: value = 3315685
[54281]         name: value = tobytest
[54281]         objectGUID: value = iQ.q..DB........
[54281]         userAccountControl: value = 512
[54281]         badPwdCount: value = 0
[54281]         codePage: value = 0
[54281]         countryCode: value = 0
[54281]         badPasswordTime: value = 129135013690000047
[54281]         lastLogoff: value = 0
[54281]         lastLogon: value = 129135013938595388
[54281]         pwdLastSet: value = 129139284801415442
[54281]         primaryGroupID: value = 513
[54281]         userParameters: value =                                                 P....CtxCfgPresent..............
[54281]         objectSid: value = ............3r.O.#.&.m.2h...
[54281]         accountExpires: value = 0
[54281]         logonCount: value = 0
[54281]         sAMAccountName: value = tobytest
[54281]         sAMAccountType: value = 805306368
[54281]         userPrincipalName: value = tobytest@vpn.com
[54281]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=vpn,DC=com
[54281]         dSCorePropagationData: value = 20091113013853.0Z
[54281]         dSCorePropagationData: value = 20091113013540.0Z
[54281]         dSCorePropagationData: value = 20091113012657.0Z
[54281]         dSCorePropagationData: value = 20091113012614.0Z
[54281]         dSCorePropagationData: value = 16010714223649.0Z
[54281]         lastLogonTimestamp: value = 129135001055035397
[54281] Fiber exit Tx=646 bytes Rx=2673 bytes, status=1
[54281] Session End

[54282] Session Start
[54282] New request Session, context 0xb4a9a4d0, reqType = Other
[54282] Fiber started
[54282] Creating LDAP context with uri=ldap://10.:389
[54282] Connect to LDAP server: ldap://10. status = Successful
[54282] supportedLDAPVersion: value = 3
[54282] supportedLDAPVersion: value = 2
[54282] Binding as admvpn
[54282] Performing Simple authentication for admvpn to

[54282] LDAP Search:
        Base DN = [ou=VPN Users, dc=vpn, dc=com]
        Filter  = [sAMAccountName=tobytest]
        Scope   = [ONE LEVEL]
[54282] User DN = [CN=tobytest,OU=VPN Users,DC=vpn,DC=com]
[54282] LDAP Search:
        Base DN = [ou=VPN Users, dc=vpn, dc=com]
        Filter  = [sAMAccountName=tobytest]
        Scope   = [ONE LEVEL]
[54282] Retrieved User Attributes:
[54282]         objectClass: value = top
[54282]         objectClass: value = person
[54282]         objectClass: value = organizationalPerson
[54282]         objectClass: value = user
[54282]         cn: value = tobytest
[54282]         sn: value = Houser
[54282]         description: value = Test account for VPN access
[54282]         givenName: value = Toby
[54282]         distinguishedName: value = CN=tobytest,OU=VPN Users,DC=vpn,DC=com
[54282]         instanceType: value = 4
[54282]         whenCreated: value = 20081003185255.0Z
[54282]         whenChanged: value = 20100325212421.0Z
[54282]         displayName: value = tobytest
[54282]         uSNCreated: value = 1351748
[54282]         memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com
[54282]         uSNChanged: value = 3315685
[54282]         name: value = tobytest
[54282]         objectGUID: value = iQ.q..DB........
[54282]         userAccountControl: value = 512
[54282]         badPwdCount: value = 0
[54282]         codePage: value = 0
[54282]         countryCode: value = 0
[54282]         badPasswordTime: value = 129135013690000047
[54282]         lastLogoff: value = 0
[54282]         lastLogon: value = 129135013938595388
[54282]         pwdLastSet: value = 129139284801415442
[54282]         primaryGroupID: value = 513
[54282]         userParameters: value =                                                 P....CtxCfgPresent..............
[54282]         objectSid: value = ............3r.O.#.&.m.2h...
[54282]         accountExpires: value = 0
[54282]         logonCount: value = 0
[54282]         sAMAccountName: value = tobytest
[54282]         sAMAccountType: value = 805306368
[54282]         userPrincipalName: value = tobytest@vpn.com
[54282]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=vpn,DC=com
[54282]         dSCorePropagationData: value = 20091113013853.0Z
[54282]         dSCorePropagationData: value = 20091113013540.0Z
[54282]         dSCorePropagationData: value = 20091113012657.0Z
[54282]         dSCorePropagationData: value = 20091113012614.0Z
[54282]         dSCorePropagationData: value = 16010714223649.0Z
[54282]         lastLogonTimestamp: value = 129135001055035397
[54282] Fiber exit Tx=371 bytes Rx=3889 bytes, status=1
[54282] Session End

So, it still looks like the HRManilla filter is getting applied somehow, even though the user I'm testing is not a member of that group.

Sorry, it should be "sh vpn-sessiondb svc filter name tobytest".

It actually falls under the "HRManillaPolicy" group-policy. Can you please share the whole configuration, as that is not included in your original post? Your original post has "HRUsersPolicy".

Also, how do you actually connect: via the web browser or with the AnyConnect client? And what is the URL that you use to connect?

OK ... that command works :-)

sh vpn-sessiondb svc filter name tobytest

Session Type: SVC

Username     : tobytest               Index        : 29808
protocol     : Clientless DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 18865                  Bytes Rx     : 79652
Group Policy : HRManillaPolicy        Tunnel Group : HRManilla
Login Time   : 17:54:14 EDT Thu Mar 25 2010
Duration     : 0h:18m:33s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

I'm launching the anyconnect client directly, not using the web page.  Been playing around with the filters, so it is HRManillaPolicy now. Here's everything for HRManillaPolicy that I'm getting assigned to and the DenyGrpPolicy that I'm trying to get assigned to based on "memberof" supplied by LDAP.

access-list HRManillaACL extended permit udp any object-group DM_INLINE_NETWORK_2 eq domain
access-list HRManillaACL extended permit ip any object-group DM_INLINE_NETWORK_1
access-list HRManillaACL extended deny ip any any
access-list DenyAllACL extended deny ip any any

aaa-server VPNDOMAINLDAP protocol ldap
aaa-server VPNDOMAINLDAP (INSIDE_NIC) host 10.x.x.x
ldap-base-dn ou=VPN Users, dc=vpn, dc=com
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=admvpn, cn=Users, dc=vpn, dc=com
server-type microsoft
ldap-attribute-map CISCOMAP

ldap attribute-map CISCOMAP
  map-name  memberof IETF-Radius-Class
  map-value memberof "CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com" DenyGrpPolicy
  map-value memberof "CN=HRManilla,OU=VPN Users,DC=vpn,DC=com" HRManillaPolicy

group-policy HRManillaPolicy internal
group-policy HRManillaPolicy attributes
banner value HRManilla Group Policy applied ...
wins-server value 10.x.x.x
dns-server value 10.x.x.x
vpn-filter value HRManillaACL
vpn-tunnel-protocol svc webvpn
group-lock value HRManilla
default-domain value
address-pools value VPNPOOL244
webvpn
  url-list value HRBookmarks
  svc ask enable default webvpn

group-policy DenyGrpPolicy internal
group-policy DenyGrpPolicy attributes
banner value You have not authenticated to any policies, so ACCESS IS DENIED.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 180
vpn-session-timeout 600
vpn-filter value DenyAllACL
ipv6-vpn-filter none
vpn-tunnel-protocol webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-proxy
msie-proxy except-list none
msie-proxy local-bypass disable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  url-list none
  filter none
  homepage none
  port-forward disable
  http-proxy disable
  sso-server none
  svc dtls none
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression none
  svc modules none
  svc profiles none
  svc ask none default webvpn
  keep-alive-ignore 4
  http-comp gzip
  user-storage none
  storage-objects value credentials,cookies
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  smart-tunnel auto-signon disable

tunnel-group HRManilla type remote-access
tunnel-group HRManilla general-attributes
address-pool VPNPOOL244
authentication-server-group VPNDOMAINLDAP
authorization-server-group VPNDOMAINLDAP
default-group-policy HRManillaPolicy
password-management
authorization-required

tunnel-group HRManilla webvpn-attributes
radius-reject-message
proxy-auth sdi
group-alias hrmanilla enable
group-url https://x.x.x.x/hrmanilla enable

When you connect via the AnyConnect client, did you try to connect to: x.x.x.x/hrmanilla?

Can you try to connect just via x.x.x.x (without the /hrmanilla)? and once connected, please share "sh vpn-sessiondb svc filter name tobytest". Thanks.

Yes, I connect to x.x.x.x/hrmanilla as the only possible URL available right now.  I didn't leave the VPN open for access without specifying a group.  If I hit the VPN without specifying /hrmanilla, it prompts me to choose a Group, and the only option is hrmanilla.  This is how I'd like it, since I'm trying to restrict vendors to only their specific group by location. I plan to have many different HRxxxx profiles, each for a specific location.  So, HRManilla users in Active Directory can only log in to the HRManilla VPN, HRBudapest users in Active Directory can only log in to the HRBudapest VPN, etc.

The problem I'm having now is that my test user "tobytest" is not in the HRManilla group in Active Directory, but he is still able to log in to the HRManilla VPN.  I'm trying to lock this down such that Active Directory group membership in the HRManilla group is required in order to log in to the VPN for that group.

From the examples I've read, it seems that I should be able to make use of the LDAP "memberOf" attribute to make the association of Active Directory group to ASA VPN group profile, but the ASA doesn't seem to be associating the memberOf attribute to the profiles.

Thanks for your continued help ... I really appreciate it.  You've been more responsive than the TAC engineer assigned to my case.

The tidiest method would be to just have 1 URL for everybody, eg: https://x.x.x.x, and let the LDAP mapping automatically map different user to different group-policy.

For example:

user1 == group-policy vendor1

user2 == group-policy vendor2

So when your users connect via SSL, depending on the username they use to log in, the LDAP attribute mapping will map them to the appropriate vendor group-policy that you have preconfigured.

So when user1 connects, the LDAP attribute mapping will map it automatically to vendor1, and the same with user2: when it connects, it will be mapped automatically to vendor2, as per the LDAP group mapping that you have preconfigured.

In this case, users will not even know or be aware that there are different vendors.

Hope that helps.
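The mapping and group-lock logic discussed in this thread, as an added example that is not part of the original posts: a Python script that reads the "Retrieved User Attributes" section of a debug ldap 255 capture and the ldap attribute-map / group-policy lines of an ASA config, applies the map-value entries with the exact-match rule Jennifer describes, reports near misses (a stray double space or case difference in a DN, or a map-name whose case differs from the attribute name the server returned; the thread does not say which of these the ASA itself tolerates), and then checks group-lock against the tunnel-group the session landed on. The config and debug text embedded below are constructed from the thread, not captured from the poster's ASA; the Vendor1/Vendor2 entries and the first-match tie-break for a multi-valued memberOf are assumptions.

```python
"""Offline check of an ASA 'ldap attribute-map' against 'debug ldap 255' output.
Added example; sample CONFIG and DEBUG are constructed from the thread."""
import re

# Constructed config excerpt: the thread's attribute map and group-policies, plus two
# hypothetical vendor entries. Vendor2 deliberately carries a double space in its DN.
CONFIG = """
ldap attribute-map CISCOMAP
  map-name  memberof IETF-Radius-Class
  map-value memberof "CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com" DenyGrpPolicy
  map-value memberof "CN=HRManilla,OU=VPN Users,DC=vpn,DC=com" HRManillaPolicy
  map-value memberof "CN=Vendor1,OU=VPN Users,DC=vpn,DC=com" Vendor1Policy
  map-value memberof "CN=Vendor2,OU=VPN  Users,DC=vpn,DC=com" Vendor2Policy
group-policy HRManillaPolicy attributes
 group-lock value HRManilla
group-policy DenyGrpPolicy attributes
 group-lock none
group-policy Vendor1Policy attributes
 group-lock value Vendor1
"""

# Constructed debug excerpt, trimmed to the attributes the map cares about.
DEBUG = """
[54281] Retrieved User Attributes:
[54281]         cn: value = tobytest
[54281]         memberOf: value = CN=DenyGroup,OU=VPN Users,DC=vpn,DC=com
[54281]         sAMAccountName: value = tobytest
[54281] Fiber exit Tx=646 bytes Rx=2673 bytes, status=1
[54281] Session End
"""

MAP_NAME = re.compile(r'^\s*map-name\s+(\S+)\s+(\S+)')
MAP_VALUE = re.compile(r'^\s*map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)')
GP_ATTR = re.compile(r'^\s*group-policy\s+(\S+)\s+attributes')
GROUP_LOCK = re.compile(r'^\s*group-lock\s+(?:value\s+(\S+)|none)')
RETRIEVED = re.compile(r'^\[\d+\]\s+(\S+): value = (.*)$')


def parse_config(config):
    """Return ({ldap_attr: cisco_attr}, {(ldap_attr, value): mapped}, {group_policy: lock})."""
    names, values, locks = {}, {}, {}
    current_gp = None
    for line in config.splitlines():
        if m := MAP_NAME.match(line):
            names[m.group(1)] = m.group(2)
        elif m := MAP_VALUE.match(line):
            values[(m.group(1), m.group(2))] = m.group(3)
        elif m := GP_ATTR.match(line):
            current_gp = m.group(1)
        elif current_gp and (m := GROUP_LOCK.match(line)):
            locks[current_gp] = m.group(1)  # None for 'group-lock none'
    return names, values, locks


def parse_debug(debug):
    """Collect attribute -> [values] from the 'Retrieved User Attributes' block."""
    attrs, in_block = {}, False
    for line in debug.splitlines():
        if 'Retrieved User Attributes' in line:
            in_block = True
        elif in_block and (m := RETRIEVED.match(line)):
            attrs.setdefault(m.group(1), []).append(m.group(2).rstrip())
        elif in_block and ('Fiber exit' in line or 'Session End' in line):
            in_block = False
    return attrs


def canon(s):
    """Loose form used only to spot near misses: collapse whitespace, ignore case."""
    return re.sub(r'\s+', ' ', s).strip().lower()


def resolve(names, values, attrs):
    """Apply the map as the thread describes: the server's value must equal a map-value
    exactly. Returns (mapped_value or None, hints). First exact match wins (assumption)."""
    hints = []
    for ldap_attr, cisco_attr in names.items():
        # LDAP attribute type names are case-insensitive (RFC 4512); report a difference anyway.
        returned = next((k for k in attrs if k.lower() == ldap_attr.lower()), None)
        if returned is None:
            hints.append(f'{ldap_attr}: not present in retrieved attributes')
            continue
        if returned != ldap_attr:
            hints.append(f'map-name uses {ldap_attr!r} but the server returned {returned!r}')
        for value in attrs[returned]:
            if (ldap_attr, value) in values:
                return values[(ldap_attr, value)], hints
            for (cfg_attr, cfg_value), mapped in values.items():
                if cfg_attr == ldap_attr and canon(cfg_value) == canon(value):
                    hints.append(f'near miss for {mapped}: config {cfg_value!r} vs server {value!r}')
    return None, hints


def group_lock_allows(locks, group_policy, tunnel_group):
    """group-lock: a policy locked to a tunnel-group only admits sessions on that tunnel-group."""
    lock = locks.get(group_policy)
    return lock is None or lock == tunnel_group


if __name__ == '__main__':
    names, values, locks = parse_config(CONFIG)
    mapped, hints = resolve(names, values, parse_debug(DEBUG))
    print('IETF-Radius-Class ->', mapped)
    for h in hints:
        print('hint:', h)
    print('group-lock allows HRManilla:', group_lock_allows(locks, mapped, 'HRManilla'))
```

Run it against a real capture by replacing the two constants with the output of `show running-config` and `debug ldap 255`; a `None` result with a near-miss hint is the symptom to chase before looking at the group-policy settings themselves.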

nick.ehlers
Level 1

did you ever find the solution toby?
