New Member

ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

Hi All,

I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.

The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.

There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.

The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.

I can only do an all or nothing scenario.

It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.

Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.

Scenario 2 would be an ideal longer term solution.

Any thoughts, ideas or assistance would be greatly appreciated.

Cheers

Cisco Employee

Re: ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

Please check out the DAP deployment guide https://supportforums.cisco.com/docs/DOC-1369.

So each VPN session will come in on a specific Connection Profile (aka Tunnel Group, TG), with each TG having a default group-policy, GP. The GP contains the authorization attributes to apply to the session. DAP is a specialized Group Policy, but currently cannot set all attributes that the legacy GP does. DAP allows aggregation of authorization attributes, which the GP doesn't.

So for your case:

1) Connection Profile X, Group-Policy X, 1 or more DAP(s) that check for ldap attribute memberOf=CarpetBaggers

Set the Action=Continue

Note: LDAP attributes are case sensitive, so make sure memberOf has a capital O.

2) Set the DfltAccessPolicy DAP for Action=Terminate

3) Set your Connection Profile for LDAP authentication

4) On your console you can see the DAP processing with "debug dap trace".

HTH,

Nelson

New Member

Re: ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:

assert(function()
    if ( (type(aaa.ldap.distinguishedName) == "string") and
         (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
    then
        return true
    end
    return false
end)()

From the debug dap output you can see what Users relates to:

DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com

My admin account fails to get me into the same profile:

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"

Thanks

Andrew
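The group-membership check from Nelson's step 1, written out as a DAP logical expression. This is an added example for this thread, not code from either poster or from Cisco's guide. It differs from Andrew's expression in two ways a practitioner should care about: it tests the memberOf attribute against the full group DN with an exact, case-insensitive comparison instead of searching the distinguishedName for a substring (string.find(dn, "OU=Users") also matches any DN that merely contains that fragment, for example an OU named "Users Archive", and a group name containing "." or "-" would need Lua pattern escaping), and it handles memberOf being either a single string (user in one group) or a table of strings (user in several groups). The group DN is a placeholder and must be replaced with the real one from your directory; the ASA's LDAP group search is assumed to be configured so that memberOf is populated.

```lua
-- Added example for this thread, not Cisco's or either poster's code.
-- DAP logical expression: allow this record only for members of one AD group.
-- Assumes the LDAP group search is configured so aaa.ldap.memberOf is set.
assert(function()
    -- Full DN of the permitted group. Placeholder value, replace with yours.
    local allowed = "CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com"
    local attribute = aaa.ldap.memberOf

    -- Exact, case-insensitive comparison of one DN against the allowed DN.
    -- No substring search, so "OU=Users Archive" cannot match "OU=Users".
    local function matches(dn)
        return type(dn) == "string" and string.lower(dn) == string.lower(allowed)
    end

    -- A user in exactly one group yields a string; a user in several groups
    -- yields a table with one entry per group.
    if type(attribute) == "string" then
        return matches(attribute)
    elseif type(attribute) == "table" then
        for _, v in pairs(attribute) do
            if matches(v) then
                return true
            end
        end
    end

    -- Attribute missing or no group matched: this DAP record does not apply.
    return false
end)()
```

Use it exactly as Nelson lays out: this record gets Action=Continue, DfltAccessPolicy gets Action=Terminate, so a user who matches no record is dropped rather than falling through. Run "debug dap trace" for a test login and confirm the memberOf values printed there use the same DN and case you put in the expression; if the trace shows no memberOf at all, the group search on the AAA server is not returning it and every user will be terminated.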

New Member

ASA WebVPN. How do you restrict access to users in an AD group

Hi all,

I will get back to that post since there is something else that I would like to ask.

I have configured DAP policies and also user access lists (with the AD client installed).

But, what if you want the below scenario:

Apply policies between source AND destinations AD Groups.

Let the following 3 groups exist in the AD: sales, presales, accounting.

I want webvpn users to have the following policies:

sales <-> sales: allow

presales <-> presales: allow

sales <-> presales: allow

sales <-> accounting: deny

presales <-> accounting: deny

accounting <-> accounting: allow

Keep in mind that I don't want to keep and maintain different client pools for each group.

I want it to be dynamic.

It would be great if I could use user-based ACLs with source and destination users and/or groups.
