cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6015
Views
0
Helpful
3
Replies

LDAP Group Assignments with Tunnel-Group-Lock

andrler
Level 1
Level 1

Hi, I'm trying to authenticate my VPN users to MS AD, which is working perfectly - the can connect and use their AD logins. However subsequently, I would like to assign different group policies based their security group assignment in AD, which I am trying to achieve with the ldap attribute-map memberOf or Tunnel-Group_Lock.

My understanding is that Tunnel-Group-Lock will assign people to only a specific group policy based on their AD group, which is more suited to my purpose than memberOf.

That said, the first issue is that it doesn't appear to work - users assigned to either Employees_All or Developers_All, can log in using either group authentication creds. After enabling debug ldap 255, I can see that the users are being matched to the apropriate group policy, but it appears to be disregarded.

The second issue is that users that are not assigned to either group can also log in using either group authentication creds. I understand that this is because if there are no matches, it falls back to DfltGrpPolicy. So I changed the vpn-simultaneous-logins on the default policy to 0, which locked everyone out, so I changed vpn-simultaneous-logins on the employees and developers group policies to 10, leavign the default at 0. Everyone was still locked out, until I changed the default back to 3.

I've also looked at the msNPAllowDialin, but don't want to have to go through all the non-vpn users and disable VPN access in AD.

Any suggestions would be greatly appreciated. I think I have to be missing something simple.

Thanks,

Andy.

ldap attribute-map LDAP_map
  map-name  Tunnel-Group-Lock IETF-Radius-Class
  map-value Tunnel-Group-Lock CN=Employees_All,OU=Groups,DC=company,DC=com employees_vpn
  map-value Tunnel-Group-Lock CN=Developers_All,OU=Groups,DC=company,DC=com developers_vpn

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.1
server-port 389
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,OU=users,DC=company,DC=com
server-type microsoft
ldap-attribute-map LDAP_map
aaa-server LDAP (inside) host 10.1.1.2
server-port 389
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,OU=users,DC=company,DC=com
server-type microsoft
ldap-attribute-map LDAP_map

group-policy employees_vpn internal
group-policy employees_vpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value employees_vpn_split_tunnel_list

tunnel-group employees_vpn type remote-access
tunnel-group employees_vpn general-attributes
address-pool vpn_pool
authentication-server-group LDAP
default-group-policy employees_vpn
tunnel-group employees_vpn ipsec-attributes
pre-shared-key *****

group-policy developers_vpn internal
group-policy developers_vpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value developers_vpn_split_tunnel_list

tunnel-group developers_vpn type remote-access
tunnel-group developers_vpn general-attributes
address-pool vpn_pool
authentication-server-group LDAP
default-group-policy developers_vpn
tunnel-group developers_vpn ipsec-attributes
pre-shared-key *****

1 Accepted Solution

Accepted Solutions

Paul Carco
Level 1
Level 1

A very simple example of mapping is using just a random AD  field like 'Department' and populating that with the group-policy name 'employees_vpn' or 'developers_vpn'

ldap attribute-map LDAP_map
  map-name  Department IETF-Radius-Class   <<<-- this is now changed to read 'Group-Policy' in 8.2


I see that you have :
ldap attribute-map LDAP_map
  map-name  Tunnel-Group-Lock IETF-Radius-Class   (tunnel-group-lock is not an Ldap attribute name.

ciscoasa#1(config-ldap-attribute-map)# map-name ?

ldap mode commands/options:
  WORD  Enter Customer Atribute Name.


ciscoasa#1(config-ldap-attribute-map)# map-name department ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours
  Allow-Network-Extension-Mode
  Auth-Service-Type
  Authenticated-User-Idle-Timeout
  Authorization-Required
  Authorization-Type
  Banner1
  Banner2
  Cisco-AV-Pair
  Cisco-IP-Phone-Bypass
  Cisco-LEAP-Bypass
  Client-Intercept-DHCP-Configure-Msg
  Client-Type-Version-Limiting
  Confidence-Interval
  DHCP-Network-Scope
  DN-Field
  Firewall-ACL-In
  Firewall-ACL-Out
  Group-Policy   <<<<--- this replaced Ietf-radius-class

You should have a look at this document and specifically the section..

"Advantages of Using DAP Rather Than Group Policies"


DAP provides:
•Flexible VPN policy selection criteria based on AAA or endpoint access attributes.
•Tighter integration with Active Directory attributes (for example, memberOf).
•Aggregation of multiple DAP policies."

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

Regards,

Paul

View solution in original post

3 Replies 3

Paul Carco
Level 1
Level 1

A very simple example of mapping is using just a random AD  field like 'Department' and populating that with the group-policy name 'employees_vpn' or 'developers_vpn'

ldap attribute-map LDAP_map
  map-name  Department IETF-Radius-Class   <<<-- this is now changed to read 'Group-Policy' in 8.2


I see that you have :
ldap attribute-map LDAP_map
  map-name  Tunnel-Group-Lock IETF-Radius-Class   (tunnel-group-lock is not an Ldap attribute name.

ciscoasa#1(config-ldap-attribute-map)# map-name ?

ldap mode commands/options:
  WORD  Enter Customer Atribute Name.


ciscoasa#1(config-ldap-attribute-map)# map-name department ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours
  Allow-Network-Extension-Mode
  Auth-Service-Type
  Authenticated-User-Idle-Timeout
  Authorization-Required
  Authorization-Type
  Banner1
  Banner2
  Cisco-AV-Pair
  Cisco-IP-Phone-Bypass
  Cisco-LEAP-Bypass
  Client-Intercept-DHCP-Configure-Msg
  Client-Type-Version-Limiting
  Confidence-Interval
  DHCP-Network-Scope
  DN-Field
  Firewall-ACL-In
  Firewall-ACL-Out
  Group-Policy   <<<<--- this replaced Ietf-radius-class

You should have a look at this document and specifically the section..

"Advantages of Using DAP Rather Than Group Policies"


DAP provides:
•Flexible VPN policy selection criteria based on AAA or endpoint access attributes.
•Tighter integration with Active Directory attributes (for example, memberOf).
•Aggregation of multiple DAP policies."

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

Regards,

Paul

Hi Paul, thanks for the reply - it's actually taken this long to find some time to play with DAP, which worked well once I got my head around how it worked. I completely got rid of the LDAP attributes and just used DAP with ACL's to accomplish the same thing, which is ultimately a better solution.

If anyone is interested, I can post a working sanitised config.

Thanks,

Andy.

Hello Andy

Can you send me please a working config of the DAP? At the moment I have problems with ldap, all the users in the active directory can authenticate on the vpn, not only the users in the security group i try to use.

Thanks and regards Lukas

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: