We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules makes this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
The things we don't like about using RADIUS is the idea that IAS has to be configured as a middleman service, and sometimes IAS does not always successfully start after a system reboot (we are not sure why).
We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?
I believe that second option you've mentioned will work for you. Why? Using that, if you map a single AD group to the right Cisco policy, then this will work the way you want, where absence means deny to other users.
Here is a config example you may try:
Configuration for restricting access to a particular windows group on AD/LDAP
Thanks JK, I was thinking along those same lines, but came away stumped. Was your example a "theoretical" or verified?
When I changed from RADIUS to LDAP and applied the Attribute Map - leaving default Group Policy as FullVPN - anyone in the Directory could successfully authenticate and gain a connection. (And I do mean *anyone* - the "VPN Users" AD group membership was not honored.)
As soon as I changed the default Group Policy to NoVPN - hoping the FullVPN Attribute Mapping would supersede - nobody could log in. We get 3 password prompts followed by an authentication error.
It would seem unlikely that it truly is an "authentication error" since the same LDAP user/pass works when the default Group Policy allows access.
An 'OU' is not the same as a group. Users are typically spread throughout the hierarchy, and they are made members of a CN=groupName object using the memberOf attribute. Your subtree method ignores the 'group' and instead assumes that everyone to be authenticated is under the same OU. This is not my situation.
The memberOf LDAP Attribute Map method to associate a group policy for the allowed users is the most promising, provided I can also get a default no-access policy in place to handle the non-membership case. (As 'jkatyal' described.)
Also, not sure why, but it wouldn't work when I inherited the 'simultaneous logins' from the default group policy - I had to explicitly tell simultaneous logins to each group policy (like you did in your example).
Right now I have 4 different AD groups linked to VPN group policies.
It is working great - but for each one, I had to set up a unique LDAP aaa-server entry so I could tell it to use a unique LDAP attribute map.
Is there a way to have *ONE* LDAP aaa-server entry with *ONE* attribute map that has several map-values? Or is the only way to have multiple aaa-server and attribute map entries?
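The pattern the thread converges on (memberOf mapped to a group policy, with a deny-by-default policy on the tunnel group and vpn-simultaneous-logins set explicitly on every policy), written out as an added ASA 8.2-style configuration that is not from any post above. Host address, DNs, policy names and the bind account are assumed placeholders; the map-value lines show several AD groups sharing one attribute map on one aaa-server entry.

```cisco
! Added example, not from the thread. Placeholder values throughout.
! One attribute map: several memberOf values, one target policy each.
ldap attribute-map VPN_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=com" FullVPN
 map-value memberOf "CN=VPN Admins,OU=Groups,DC=example,DC=com" AdminVPN

! One LDAP server group pointing at the domain controllers.
aaa-server LDAP_DC protocol ldap
aaa-server LDAP_DC (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ldapbind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map VPN_MAP

! Deny-by-default policy: a user whose memberOf matches no map-value gets
! no class attribute, lands here, and is refused by the zero login limit.
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0

! Allowed policies. Set the login limit explicitly on each one rather than
! inheriting it, as noted above; inheritance from NoVPN would carry the 0.
group-policy FullVPN internal
group-policy FullVPN attributes
 vpn-simultaneous-logins 3

group-policy AdminVPN internal
group-policy AdminVPN attributes
 vpn-simultaneous-logins 3

! Tunnel group: authenticate against LDAP, fall back to NoVPN.
tunnel-group RA_VPN general-attributes
 authentication-server-group LDAP_DC
 default-group-policy NoVPN
```

If a user is a member of more than one mapped group, the ASA applies the first memberOf value it matches, and the order in which AD returns those values is not guaranteed, so keep the mapped groups mutually exclusive or verify with `debug ldap 255` during testing.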