Configuration/Functionality Question of AnyConnect DAP policies.

s-daly
Level 1

Hello:

I'm using an ASA 5505, code 8.4(4)1 with AnyConnect 3.0.08057 for SSL VPN connectivity. I have a scenario where I have two different connection profiles; the main difference between the two is that one profile is set up for two-factor authentication (certificate and AAA LDAP w/ AD), and the second profile only has LDAP authentication (for admin access to use with clients that don't necessarily have the required user certificate stored on the local device). While the obvious method to choose between the two profiles at the VPN login would be to use the drop-down alias list, my preference would be for the ASA to choose the appropriate profile based on which AD group the user is contained in (i.e. if the user is in the "Admins" AD group, use the Administrator profile, else use the default profile). I would think Dynamic Access Policies would be a good place to set this up; however, I'm failing to see how it can be implemented there.

So, I guess my question is: can this functionality be set up using DAP, and if so, how would it be implemented? If not, is there a way to provide this functionality by some other means using AnyConnect?

Thanks,

Sean

4 Replies

Nicola Volpini
Level 1

Hi,

I have a similar configuration. In my case I used the LDAP attribute map feature. In ASDM you can reach this by going to Configuration > remote access vpn > AAA/Local users > LDAP attribute map.

You can then create a map and associate the ldap value to a local cisco value, in this case "group-policy". You'll then need to associate this map to your AAA server group.

Hope this helps.

NOTE: In my case I used group policies, but I presume you can find some similar attribute mapping value to suit your need

Oliver Laue
Level 4

You can choose the DAP AAA attributes ldap.memberOf for AD group membership and Cisco = connection profile to only allow your admins to use the connection profile without a certificate. I think there is no way to automatically assign the right connection profile.

Sent from Cisco Technical Support iPad App

You can use LDAP maps to automatically assign a group policy. Then for the group policy, choose "tunnel group lock" and force the connection to only use the profile you want. So when they log in, their username will map them to a group policy via LDAP that is required to use a specific tunnel. We do this very same thing except we use RADIUS attributes. The syntax/method is similar, however.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.


From a configuration perspective, it appears that this should suit my purpose; however, I've set this up with a configuration that looks like it should work, but it just doesn't. The ASA always wants to pick the 'DfltGrpPolicy' indiscriminately.

Here's my current working config; if you see something awry, please let me know.

ASA Version 8.4(4)1
!
hostname test1
domain-name dwt.com
...
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
...
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
ip address 10.0.51.21 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address *hidden*
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dwt.com
same-security-traffic permit intra-interface
object network obj-10.0.76.0
subnet 10.0.76.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 10.0.76.0 255.255.252.0
access-list outside_nat_outbound extended permit ip 10.0.76.0 255.255.252.0 any
access-list outside_nat0_outbound extended permit ip 10.0.76.0 255.255.252.0 10.0.76.0 255.255.252.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
...
ip local pool vpnpool1 10.0.76.20-10.0.79.254 mask 255.255.252.0
...
nat (inside,any) source static any any destination static obj-10.0.76.0 obj-10.0.76.0 no-proxy-arp route-lookup
nat (outside,outside) source static obj-10.0.76.0 obj-10.0.76.0 destination static obj-10.0.76.0 obj-10.0.76.0 no-proxy-arp route-lookup
nat (outside,outside) source dynamic obj-10.0.76.0 interface
route outside 0.0.0.0 0.0.0.0 *hidden* 1
route inside 10.0.0.0 255.240.0.0 10.0.51.1 1
...
ldap attribute-map LDAPMapPolicy1
  map-name  memberOf Group-Policy
  map-value memberOf Administrators GroupPolicy1
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap1 protocol ldap
aaa-server ldap1 (inside) host 10.0.16.228
ldap-base-dn DC=dwt,DC=com
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *****
ldap-login-dn CN=DWTAUTHUSER,OU=DWT,OU=DWT Administrative Accounts,DC=dwt,DC=com
server-type microsoft
ldap-attribute-map LDAPMapPolicy1
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16

* snip - didn't think you'd want to see my certs *

console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint3 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 1
anyconnect profiles test1 disk0:/test1.xml
anyconnect enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.16.228 192.168.143.11
vpn-tunnel-protocol ssl-client
group-lock value DefaultWEBVPNGroup
default-domain value dwt.com
address-pools value vpnpool1
webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect profiles value test1 type user
  anyconnect ask none default anyconnect
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 10.0.16.228 192.168.143.11
vpn-tunnel-protocol ssl-client
group-lock value TunnelGroup1
default-domain value dwt.com
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpnpool1
authentication-server-group ldap1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DWTVPNWest enable
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
authentication-server-group ldap1
default-group-policy GroupPolicy1
tunnel-group TunnelGroup1 webvpn-attributes
group-alias Admin enable
!

Much appreciated. Sean
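As an added example that is not part of this thread (constructed by the editor, not Sean's configuration or Cisco's own documentation), here is the same attribute-map plus group-lock design described in the LDAP-map reply above, together with the one detail that most often stops such a mapping from firing: Active Directory returns memberOf as the group's full distinguished name, and the ASA compares each map-value string against that DN exactly, so a bare group name such as "Administrators" never matches. The DN shown for the Administrators group, the test account name and the password placeholder are assumptions; the server tag, host address, group-policy and tunnel-group names are taken from the config posted above.

```cisco
! Added example (not from the thread): attribute map keyed on the full AD DN.
! The DN of the Administrators group is an ASSUMPTION for a default domain named
! dwt.com; read the real value from the 'debug ldap 255' output below, because AD
! returns memberOf as a DN, not a bare group name, and the map-value string must
! match that DN character for character.
ldap attribute-map LDAPMapPolicy1
  map-name  memberOf Group-Policy
  map-value memberOf "CN=Administrators,CN=Builtin,DC=dwt,DC=com" GroupPolicy1
!
! Apply the map to the AAA server group used by both connection profiles.
aaa-server ldap1 (inside) host 10.0.16.228
  ldap-attribute-map LDAPMapPolicy1
!
! Each group policy locks its users to exactly one connection profile, so a user
! who picks the other alias is rejected instead of silently landing in the
! default policy. Mapped admins end up in GroupPolicy1 -> TunnelGroup1 (LDAP only);
! everyone else stays in DfltGrpPolicy -> DefaultWEBVPNGroup (certificate + LDAP).
group-policy GroupPolicy1 attributes
  group-lock value TunnelGroup1
group-policy DfltGrpPolicy attributes
  group-lock value DefaultWEBVPNGroup
!
! Verification (exec mode, console or SSH session): authenticate a test account
! against the server and watch which memberOf values come back and which
! Group-Policy the map assigns. 'jdoe' and <password> are placeholders.
debug ldap 255
test aaa-server authentication ldap1 host 10.0.16.228 username jdoe password <password>
undebug all
```

Run the debug and test commands before changing the tunnel groups: the debug output lists every memberOf value the directory returned for the account and the Group-Policy value the map produced, which is the quickest way to confirm the DN string. Two caveats for anyone relying on this for access control: memberOf only reflects direct membership, so a user who reaches Administrators through a nested group is not matched and falls into the default policy; and because GroupPolicy1 is locked to TunnelGroup1, mapped admins can only ever use the LDAP-only profile, so the certificate-plus-LDAP profile is not available to them even from a device that holds a valid certificate.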
