03-17-2014 03:37 PM - edited 03-11-2019 08:57 PM
Trying to set up a dynamic access policy to restrict some users from being able to get on VPN. Our default policy allows everybody on VPN; we just need to exclude a small number of contractors. I created an AD group called NoVPN & put a new test user into it (testnovpn).
I created a new dynamic access policy & set ldap.MemberOf = NoVpn (which is an Active Directory group) & then terminate.
But this user can still connect to VPN. Config looks like the following, & the ASA is able to query for LDAP groups just fine if I click edit.
Debug attached; I don't see any reference to the LDAP group?
# debug dap trace
debug dap trace enabled at level 1
# debug ldap 255
debug ldap enabled at level 255
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8209"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8208"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8218"]["1"]=""
DAP_TRACE: name = aaa.radius["8218"]["1"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testnovpn"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testnovpn"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="testnovpn"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "testnovpn"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="companyemployee"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "companyemployee"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.04063"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.04063"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="mac-intel"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "mac-intel"
DAP_TRACE: Username: testnovpn, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testnovpn, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testnovpn, Selected DAPs: DfltAccessPolicy
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"
DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8209"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8208"]["1"] contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8218"]["1"]=""
DAP_TRACE: name = aaa.radius["8218"]["1"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testnovpn"
DAP_TRACE: name = aaa["cisco"]["username"], value = "testnovpn"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="testnovpn"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "testnovpn"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="companyemployee"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "companyemployee"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.04063"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.04063"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="mac-intel"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "mac-intel"
DAP_TRACE: Username: testnovpn, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: testnovpn, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: testnovpn, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: testnovpn, DAP_close: 7FFF37FDCE30
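An added diagnostic, not from this thread or from Cisco, that rebuilds the attribute tree DAP evaluates from `debug dap trace` output like the one above and reports which ldap.memberOf values (if any) were installed. The sample trace is constructed to mirror the post; the `aaa.ldap["memberOf"][...]` layout for LDAP group values and the case-insensitive CN comparison are this helper's assumptions, not a statement of how the ASA logs or compares them.

```python
import re
# Constructed sample that mirrors the trace in the post (not a live capture).
SAMPLE_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"
DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"
DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data
DAP_TRACE: name = aaa["cisco"]["username"], value = "testnovpn"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "mac-intel"
"""

# Only "name = ..., value = ..." lines carry a decoded value; attributes logged
# as "contains binary data" never get one and are skipped.
NAME_VALUE = re.compile(r'DAP_TRACE: name = (?P<name>.+?), value = "(?P<value>.*)"$')
# One Lua path component: either ["key"] or a bare .identifier.
PATH_PART = re.compile(r'\["([^"]*)"\]|\.?([A-Za-z_][A-Za-z0-9_]*)')

def lua_path_to_keys(path):
    """aaa.radius["7"]["1"] -> ['aaa', 'radius', '7', '1']"""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in PATH_PART.finditer(path)]

def parse_dap_trace(text):
    """Rebuild the nested attribute tree that DAP records are matched against."""
    tree = {}
    for line in text.splitlines():
        m = NAME_VALUE.match(line.strip())
        if not m:
            continue
        keys = lua_path_to_keys(m.group("name"))
        node = tree
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = m.group("value")
    return tree

def memberof_values(tree):
    """memberOf values installed for DAP; [] if none. Assumes aaa.ldap["memberOf"][...] layout (assumption)."""
    vals = tree.get("aaa", {}).get("ldap", {}).get("memberOf", {})
    return [vals] if isinstance(vals, str) else [v for v in vals.values() if isinstance(v, str)]

def memberof_names_group(tree, group):
    """True if an installed memberOf value's CN equals `group`.
    Case-insensitive by this helper's choice; the ASA's own comparison is not asserted here."""
    for v in memberof_values(tree):
        cn = v.split(",")[0]
        cn = cn[3:] if cn.lower().startswith("cn=") else cn
        if cn.lower() == group.lower():
            return True
    return False
```

Run against the trace in the post, `memberof_values` comes back empty: only aaa.radius.* and aaa.cisco.* attributes were installed, so a DAP record keyed on ldap.memberOf has nothing to match and only DfltAccessPolicy is selected.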
03-17-2014 06:08 PM
What do you have under the Network ACL Filters (client) tab? Did you create a deny any any ACL under the ACL Manager and then add that to this profile under the Network ACL Filters tab?
03-18-2014 07:10 AM
03-20-2014 08:58 AM
When you go to dynamic access policies in ASDM, is your NoVPN ACL at the top of the list (highest ACL priority)? These get processed in order, and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at the bottom of this list deny access?