New Member

AnyConnect LDAP Attribute-Map

I am trying to configure an attribute-map for our SSL AnyConnect client connections. Basically I want all connections to be dropped unless the user's DialIn AD attribute is set to allow.

I have it working. But according to the Cisco instructions, you create a NoAccess Group Policy as your default policy for your Connection Profile and set the simultaneous-logins to 0. The idea being all connections will be dropped unless they use a different group-policy. As soon as I change my default-group-policy to NoAccess I cannot log in.

ldap attribute-map LDAPVPN
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE SSL-VPN

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.200.202.5
 server-port 389
 ldap-base-dn dc=*****,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco,OU=Service,OU=Accounts,OU=*****,DC=******,DC=com
 server-type microsoft
 ldap-attribute-map LDAPVPN

group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 dns-server value 192.200.202.5 192.200.202.6
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Tunnel
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc
 webvpn
  svc ask none default svc

tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool ssl-pool
 authentication-server-group LDAP
 default-group-policy NoAccess
tunnel-group SSL-VPN webvpn-attributes
 group-alias ******* enable

If I check debug you can see the attribute being mapped correctly. What gives?

test aaa authorization LDAP host 192.200.202.5 username ****

[333]   msNPAllowDialin: value = TRUE
[333]           mapped to IETF-Radius-Class: value = SSL-VPN
[333]           mapped to LDAP-Class: value = SSL-VPN

Accepted Solutions
Cisco Employee

Re: AnyConnect LDAP Attribute-Map

Hello, Please do this:

group-policy SSL-VPN attributes
 vpn-simultaneous-logins 3

What is going on here is that the group-policy SSL-VPN is inheriting the vpn-simultaneous-logins 0 value from the NoAccess policy as soon as you set it up as the default group-policy under the tunnel-group. That's why we need to specifically add a value on the SSL-VPN group-policy.

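The inheritance the accepted answer describes can be checked mechanically before a change goes live. The following Python script is an added example (not from the thread, not Cisco code) that parses an ASA configuration and resolves the effective vpn-simultaneous-logins for every group-policy an LDAP attribute map can assign, walking the chain assigned group-policy -> tunnel-group default-group-policy -> DfltGrpPolicy (factory default 3). The sample configuration is constructed from the one posted above with the server details masked; the parser only understands the handful of commands it needs, and group-policy names are compared exactly, so the map-value target NOACCESS is reported as not defined because the policy in the config is named NoAccess.

```python
"""Audit effective vpn-simultaneous-logins for LDAP-mapped ASA group policies.

Inheritance modelled: group-policy assigned by the AAA server -> the tunnel-group's
default-group-policy -> DfltGrpPolicy (factory default: 3 simultaneous logins).
"""
import re

# Constructed sample based on the configuration posted in the thread (masked values kept).
CONFIG_BEFORE = """
ldap attribute-map LDAPVPN
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE SSL-VPN
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 dns-server value 192.200.202.5 192.200.202.6
 vpn-tunnel-protocol svc
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool ssl-pool
 authentication-server-group LDAP
 default-group-policy NoAccess
"""

# Same configuration with the fix from the accepted answer applied.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "group-policy SSL-VPN attributes\n",
    "group-policy SSL-VPN attributes\n vpn-simultaneous-logins 3\n",
)

FACTORY_DEFAULT_LOGINS = 3  # DfltGrpPolicy default when nothing overrides it


def parse_asa(config):
    """Return (policies, tunnel_defaults, mapped) from ASA config text.

    policies:        {group-policy name: {"vpn-simultaneous-logins": int}}
    tunnel_defaults: {tunnel-group name: default-group-policy name}
    mapped:          {attribute-map name: set of group-policy names it can assign}
    """
    policies, tunnel_defaults, mapped = {}, {}, {}
    section = None  # (kind, name) of the block whose indented lines we are in
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # top-level command starts a new block
            section = None
            if m := re.match(r"group-policy (\S+) attributes$", raw):
                policies.setdefault(m.group(1), {})
                section = ("gp", m.group(1))
            elif m := re.match(r"group-policy (\S+) (internal|external)", raw):
                policies.setdefault(m.group(1), {})
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", raw):
                section = ("tg", m.group(1))
            elif m := re.match(r"ldap attribute-map (\S+)$", raw):
                mapped.setdefault(m.group(1), set())
                section = ("am", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        parts = raw.split()
        if kind == "gp" and parts[0] == "vpn-simultaneous-logins":
            policies[name]["vpn-simultaneous-logins"] = int(parts[1])
        elif kind == "tg" and parts[0] == "default-group-policy":
            tunnel_defaults[name] = parts[1]
        elif kind == "am" and parts[0] == "map-value" and len(parts) == 4:
            mapped[name].add(parts[3])  # map-value <attr> <ldap value> <group-policy>
    return policies, tunnel_defaults, mapped


def effective_logins(policy, tunnel_group, policies, tunnel_defaults):
    """Resolve vpn-simultaneous-logins along the inheritance chain.

    Returns (value, name of the policy that supplied it)."""
    chain = [policy, tunnel_defaults.get(tunnel_group), "DfltGrpPolicy"]
    for name in chain:
        if name in policies and "vpn-simultaneous-logins" in policies[name]:
            return policies[name]["vpn-simultaneous-logins"], name
    return FACTORY_DEFAULT_LOGINS, "DfltGrpPolicy (factory default)"


def audit(config):
    """For every group-policy an attribute map can assign, under every tunnel-group,
    return {policy: (effective logins, source policy)} or {policy: None} when the
    config defines no group-policy of exactly that name."""
    policies, tunnel_defaults, mapped = parse_asa(config)
    findings = {}
    for tg in tunnel_defaults:
        for targets in mapped.values():
            for pol in sorted(targets):
                if pol not in policies:
                    findings[pol] = None
                else:
                    findings[pol] = effective_logins(pol, tg, policies, tunnel_defaults)
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_AFTER)):
        print(f"--- {label} ---")
        for pol, result in audit(cfg).items():
            if result is None:
                print(f"  {pol}: no group-policy with this exact name is defined")
            else:
                value, source = result
                flag = "  <-- users mapped here are locked out" if value == 0 else ""
                print(f"  {pol}: vpn-simultaneous-logins {value} (from {source}){flag}")
```

Running the script on the "before" configuration reports SSL-VPN with an effective value of 0 inherited from NoAccess, which is the lockout the original poster hit; after the explicit `vpn-simultaneous-logins 3` is added the value comes from SSL-VPN itself. A check like this belongs in whatever pre-change review you run over ASA configs, since the debug output in the question shows the LDAP mapping succeeding and gives no hint that inheritance is the problem.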
3 REPLIES
New Member

Re: AnyConnect LDAP Attribute-Map

Geez. Can't believe I didn't think of that.

That was it. Thanks mate.

Cisco Employee

Re: AnyConnect LDAP Attribute-Map

No Problem!! :-)
