10-22-2010 12:05 PM - edited 02-21-2020 04:55 PM
I am trying to configure an attribute-map for our SSL AnyConnect client connections. Basically I want all connections to be dropped unless the user's DialIn AD attribute is set to allow.
I have it working. But according to the Cisco instructions, you create a NoAccess Group Policy as your default policy for your Connection Profile and set the simultaneous-logins to 0. The idea being all connections will be dropped unless they use a different group-policy. As soon as I change my default-group-policy to NoAccess I cannot log in.
ldap attribute-map LDAPVPN
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE SSL-VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.200.202.5
 server-port 389
 ldap-base-dn dc=*****,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco,OU=Service,OU=Accounts,OU=*****,DC=******,DC=com
 server-type microsoft
 ldap-attribute-map LDAPVPN
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 dns-server value 192.200.202.5 192.200.202.6
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Tunnel
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc
 webvpn
  svc ask none default svc
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool ssl-pool
 authentication-server-group LDAP
 default-group-policy NoAccess
tunnel-group SSL-VPN webvpn-attributes
 group-alias ******* enable
If I check debug you can see the attribute being mapped correctly. What gives?
test aaa authorization LDAP host 192.200.202.5 username ****
[333] msNPAllowDialin: value = TRUE
[333] mapped to IETF-Radius-Class: value = SSL-VPN
[333] mapped to LDAP-Class: value = SSL-VPN
10-22-2010 12:17 PM
Hello, please do this:
group-policy SSL-VPN attributes
 vpn-simultaneous-logins 3
What is going on here is that the group-policy SSL-VPN is inheriting the vpn-simultaneous-logins 0 value from the NoAccess policy as soon as you set it up as the default group-policy under the tunnel-group. That's why we need to specifically add a value on the SSL-VPN group-policy.
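The inheritance the answer relies on, as an added Python example (not code from the thread or from Cisco): it parses a constructed ASA running-config fragment in the shape of the one posted above and resolves the effective vpn-simultaneous-logins by walking the chain the answer describes: the group-policy named by the mapped IETF-Radius-Class attribute first, then the tunnel-group's default-group-policy, then DfltGrpPolicy, with the first policy that sets the attribute winning. The config text, the DfltGrpPolicy value of 3 and the case-insensitive group-policy lookup are assumptions of the example, not facts from the page.

```python
import re
from collections import defaultdict

# Constructed ASA config fragment (assumption: modelled on the posted config,
# not copied from it) showing the NoAccess default-group-policy pattern
# before the accepted answer's fix.
ASA_CONFIG_BEFORE = """\
ldap attribute-map LDAPVPN
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE SSL-VPN
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 vpn-tunnel-protocol svc
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess
"""

# The accepted answer's fix: pin the value explicitly on SSL-VPN.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE + """\
group-policy SSL-VPN attributes
 vpn-simultaneous-logins 3
"""


def parse_asa(config):
    """Extract the three pieces the inheritance question depends on."""
    map_names = {}                 # LDAP attribute -> Cisco attribute it maps to
    class_map = {}                 # LDAP attribute -> {value: group-policy}
    policies = defaultdict(dict)   # group-policy (lowercased) -> {attr: value}
    tg_default = {}                # tunnel-group -> default group-policy
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # top-level command opens a new section
            section = None
            if (m := re.match(r"group-policy (\S+) attributes$", line)):
                section = ("gp", m.group(1).lower())
            elif (m := re.match(r"tunnel-group (\S+) general-attributes$", line)):
                section = ("tg", m.group(1))
            elif line.startswith("ldap attribute-map "):
                section = ("map", None)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "map":
            if (m := re.match(r"map-name (\S+) (\S+)$", line)):
                map_names[m.group(1)] = m.group(2)
            elif (m := re.match(r"map-value (\S+) (\S+) (\S+)$", line)):
                # Only a Class mapping selects a group-policy.
                if map_names.get(m.group(1)) == "IETF-Radius-Class":
                    class_map.setdefault(m.group(1), {})[m.group(2)] = m.group(3).lower()
        elif kind == "gp":
            key, _, value = line.partition(" ")
            policies[name][key] = value
        elif kind == "tg":
            if (m := re.match(r"default-group-policy (\S+)$", line)):
                tg_default[name] = m.group(1).lower()
    return class_map, dict(policies), tg_default


def effective_attribute(config, tunnel_group, ldap_attrs, attr):
    """Return (winning group-policy, value) for one attribute.

    Assumed precedence, as the accepted answer describes it: the policy named
    by the LDAP-mapped Class attribute, then the tunnel-group's
    default-group-policy, then DfltGrpPolicy. First policy that sets it wins.
    """
    class_map, policies, tg_default = parse_asa(config)
    chain = []
    for ldap_attr, values in class_map.items():
        user_value = ldap_attrs.get(ldap_attr)
        if user_value in values:
            chain.append(values[user_value])
    chain.append(tg_default.get(tunnel_group))
    chain.append("dfltgrppolicy")
    for name in chain:
        if name and attr in policies.get(name, {}):
            return name, policies[name][attr]
    return None, None


def login_allowed(config, tunnel_group, ldap_attrs):
    """A login only succeeds when the effective simultaneous-logins is non-zero."""
    _, value = effective_attribute(config, tunnel_group, ldap_attrs,
                                   "vpn-simultaneous-logins")
    return value is not None and int(value) > 0


if __name__ == "__main__":
    for label, cfg in (("before fix", ASA_CONFIG_BEFORE), ("after fix", ASA_CONFIG_AFTER)):
        for dialin in ("TRUE", "FALSE"):
            attrs = {"msNPAllowDialin": dialin}
            who, val = effective_attribute(cfg, "SSL-VPN", attrs, "vpn-simultaneous-logins")
            print(f"{label:10s} msNPAllowDialin={dialin:5s} -> {who} sets {val}, "
                  f"allowed={login_allowed(cfg, 'SSL-VPN', attrs)}")
```

Before the fix a user with msNPAllowDialin TRUE is mapped to SSL-VPN, which never sets vpn-simultaneous-logins, so the resolver falls through to NoAccess and finds 0; after the fix SSL-VPN answers with 3 and the fall-through never happens, while FALSE (or no attribute at all) still lands on NoAccess. One caveat the example papers over: the posted map-value names NOACCESS while the group-policy is called NoAccess, and the example folds case so the two line up; whether the ASA does the same is not stated in the thread, so make the two names match exactly when you copy the pattern.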
10-22-2010 12:25 PM
Geez. Can't believe I didn't think of that.
That was it. Thanks mate.
10-24-2010 07:08 PM
No Problem!! :-)