Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
10790
Views
15
Helpful
1
Comments

ASA 8.X : How to deny remote access to LDAP users that don't have Remote Access Permissions

Nicolas Fournier
Cisco Employee
Cisco Employee

on ‎10-28-2010 05:06 AM

One of the attributes of an Active Directory user is his Remote Access Permission.

This can be found under the Dial-in tab of your user properties:

user prop.JPG

If you have already set this value for all of your users, you might want to reuse it once you setup remote access to your firewall.

There are two ways to allow AnyConnect or IPSec access only to users which have this parameter set:

1.) Dynamic Access Policies

First, you'll need to create a new DAP ( Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies in ASDM).

Under this new DAP, set a match parameter under the AAA Atributes that verifies that the ldap.msNPAllowDialin is set to TRUE and set the action for this DAP to "Continue" as shown in the following picture:

DAP1.jpg

Once this is done, you only need set the action on the DfltAccessPolicy to "Terminate":

DAPdflt.jpg

That way, users that have either msNPAllowDialin set to FALSE or which don't have this attribute at all will be denied access.

2.) Group Policy switching through LDAP attribute-map:

With an ldap attribute-map, you can change the group-policy that will be assigned to the user once he connects. If you forbid access on the policy the users will be sent to if he doesn't have Remote Access Permission set, you'll achieve the same effect as with the first technique.

Here is how you can do:

Create the attribute-map

ldap attribute-map AccessRestrict
   map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
   map-value msNPAllowDialin TRUE AllowVPN
   map-value msNPAllowDialin FALSE NoVPN

As you can see above, the map will send users that don't have msNPAllowDialin set to the NoVPN group-policy while the one that have it will go to the AllowVPN one.

Bound the attribute map to your LDAP server:
aaa-server AD-Server host <IP>
  ldap-attribute-map AccessRestrict


Define the group-policies:

group-policy AllowVPN internal
group-policy AllowVPN attributes
  <Configure Your Users Group-policy Here>

group-policy NoVPN internal
group-policy NoVPN attributes
  vpn-simultaneous-logins 0

Setting vpn-simultaneous-logins to 0 under the NoVPN policy will prevent people that don't have msNPAllowDialin set to login.

  • If you are afraid that some of the users might not have the msNPAllowDialin attribute at all, you might want to set vpn-simultaneous-logins to 0 under the DfltGrpPolicy group-policy. If you do, only users going to the AllowVPN group-policy should be able to login.

Here are some documents that could be useful if you want to learn a bit more on the subject:

<a href="http://www.cisco.com/en/US/partner/products/ps6120/products_white_paper09186a00809fcf38.shtml"> ASA 8.x Dynamic Access Policies (DAP) Deployment Guide  </a>

<a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml"> ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example  </a>





Labels:
Comments
Mitacs It
Level 1
Level 1
‎04-16-2015 01:35 PM

Would this work with Windows AD Kerberos Cisco ASA 5510 AAA method, and if not, what are other ways to accomplish it?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents