Cisco Support Community
Community Member

Anyconnect VPN and DAP

I'm trying to figure out how to migrate from IPSec to AnyConnect. I have successfully configured AnyConnect to work, although not the way I'd like. With IPSec I'd have one profile for all of our staff and separate individual profiles for vendors that needed certain access to servers or other networks. Since we started looking at AnyConnect we enabled LDAP on the ASA. My question is: how can I assign a single user an ACL which only allows them access to one server or device? I created a DAP, but I only see where I can add AD groups, not individual users.

17 REPLIES
Cisco Employee

Re: Anyconnect VPN and DAP

From DAP, you can use "AAA Attribute Type": Cisco, and match on "Username".

Alternatively, you can place the user into a different LDAP group, and configure a different group-policy for the specific access.

Hope it helps.

Community Member

Re: Anyconnect VPN and DAP

AH, OK. I'm not that familiar with LDAP and AD. Thanks

Community Member

Re: Anyconnect VPN and DAP

Another question. I can't seem to get the DAP to associate with an AnyConnect profile. I'm using LDAP and AAA Attribute "username". When I log in as that user I don't seem to get the ACL I specified in the DAP. Any suggestions why I can't get the DAP to work with my AnyConnect profile?

Cisco Employee

Re: Anyconnect VPN and DAP

What do you mean by AnyConnect profile?

I assume on the DAP policy, you assign that particular user the correct "Network ACL Filters" specific for just that 1 user? as per the attached.

Community Member

Re: Anyconnect VPN and DAP

When I connect to the AnyConnect profile my login isn't associating with my DAP profile, which has an ACL limiting my access to certain devices/IPs. As you can see in the picture I attached, I'm using LDAP w/ username. Do I need to configure an AAA Attribute Map for LDAP?

Cisco Employee

Re: Anyconnect VPN and DAP

Can you please share the access-list that you created, and also what is the ip pool subnet?

Also, please connect via AnyConnect, and once connected, please grab the output of the following from the ASA:

show vpn-sessiondb detail svc filter name

Community Member

Re: Anyconnect VPN and DAP

Here is the config. Am I supposed to do anything with the AAA Attribute Maps? My knowledge of AD is limited. I was doing some reading and it sounds like I need to have some sort of map between LDAP and Cisco.

thanks!

Cisco Employee

Re: Anyconnect VPN and DAP

OK, the access-list is incorrect. Your VPN Pool is 10.10.18.0/24, but your access-list is sourcing from 10.10.17.26.

Are you trying to allow only access to 10.0.0.31 for that user? You might want to change the ACL to source from 10.10.18.0/24 towards 10.0.0.31.
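
The mismatch pointed out above (VPN pool 10.10.18.0/24, but a filter ACL whose source is 10.10.17.26) is easy to catch mechanically, because a vpn-filter ACL is evaluated with the remote client's pool address as the source. The script below is an added example, not part of the original thread and not Cisco tooling: it parses constructed `ip local pool` and `access-list` lines modelled on the thread, flags any permit entry whose source does not overlap a VPN pool, and also checks a constructed `show vpn-sessiondb full` excerpt for a `Filter Name` line (the field the Cisco employee was looking for). The pool name VENDOR-POOL, the ACL name EGTS_ACL and the session text are assumptions.

```python
import ipaddress
import re

# Constructed ASA config fragments modelled on the thread (not the poster's real config).
# Broken: the ACL is written from a host that is not in the AnyConnect pool.
ASA_CONFIG_BROKEN = """
ip local pool VENDOR-POOL 10.10.18.1-10.10.18.254 mask 255.255.255.0
access-list EGTS_ACL extended permit ip host 10.10.17.26 host 10.0.0.31
"""

# Fixed: the ACL sources from the pool subnet toward the single allowed server.
ASA_CONFIG_FIXED = """
ip local pool VENDOR-POOL 10.10.18.1-10.10.18.254 mask 255.255.255.0
access-list EGTS_ACL extended permit ip 10.10.18.0 255.255.255.0 host 10.0.0.31
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
FILTER_RE = re.compile(r"^\s*Filter Name\s*:\s*(\S+)", re.MULTILINE)


def _parse_addr(tokens):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') from a token list.
    Returns (ip_network, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pools(config):
    """Return the networks covered by each 'ip local pool' line (start address + mask)."""
    pools = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            start, _end, mask = m.groups()
            pools.append(ipaddress.ip_network(f"{start}/{mask}", strict=False))
    return pools


def parse_aces(config):
    """Return the extended ACEs as dicts with acl, action, proto, src and dst."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, tokens = _parse_addr(tokens)
            dst, _ = _parse_addr(tokens)  # any trailing port spec is ignored here
            aces.append({"acl": name, "action": action, "proto": proto, "src": src, "dst": dst})
    return aces


def check_vpn_filter(config, acl_name):
    """Return a list of problem strings; an empty list means every permit entry
    in acl_name can actually match traffic from a VPN pool address."""
    pools = parse_pools(config)
    aces = [a for a in parse_aces(config) if a["acl"] == acl_name]
    problems = []
    if not pools:
        problems.append("no 'ip local pool' found")
    if not aces:
        problems.append(f"ACL {acl_name} has no entries")
    for a in aces:
        if a["action"] != "permit":
            continue
        overlaps = any(a["src"].subnet_of(p) or p.subnet_of(a["src"]) for p in pools)
        if not overlaps:
            problems.append(f"{acl_name}: source {a['src']} is outside every VPN pool {pools}")
    return problems


# Constructed excerpts of 'show vpn-sessiondb full' output (assumed layout, not real output).
SESSION_NO_FILTER = """\
Session Type: SVC
Username     : EGTS                   Index        : 6567
Group Policy : CC-SSL-VPN-Vendors     Tunnel Group : CC-SSL-VPN-Vendors
"""
SESSION_WITH_FILTER = SESSION_NO_FILTER + "Filter Name  : EGTS_ACL\n"


def assigned_filter(session_output):
    """Return the vpn-filter name reported for the session, or None if none was applied."""
    m = FILTER_RE.search(session_output)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("broken config:", check_vpn_filter(ASA_CONFIG_BROKEN, "EGTS_ACL"))
    print("fixed config: ", check_vpn_filter(ASA_CONFIG_FIXED, "EGTS_ACL"))
    print("filter applied:", assigned_filter(SESSION_WITH_FILTER))
```

Run the check whenever a per-user DAP is added: an ACL whose source never overlaps the pool is silently useless, and if the DAP is not selected at all (the default DAP is used instead), no `Filter Name` shows up in the session output regardless of how the ACL is written.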

Community Member

Re: Anyconnect VPN and DAP

I've made too many changes. Let's try this again.

Please refer to the attached config. After I cleaned it up I am still not getting the proper ACLs to work with the DAP and profile name EGTS.

Cisco Employee

Re: Anyconnect VPN and DAP

Can you please grab the output of "show vpn-sessiondb full svc filter name " instead? The previous show output doesn't seem to include the vpn-filter. Thanks.

What is the behaviour? You are able to access everything OR/ you are not able to access anything at all?

Community Member

Re: Anyconnect VPN and DAP

I am able to access everything, so I'm thinking the DAP isn't associating with the user when logging in on AnyConnect. Here is the show output.

ASA55201# show vpn-sessiondb full svc filter name EGTS

Session Type: SVC

Session ID: 6567
EasyVPN: 0
Username: EGTS
Group: CC-SSL-VPN-Vendors
Tunnel Group: CC-SSL-VPN-Vendors
IP Addr: 10.10.19.1
Public IP: 75.235.159.184
Protocol: Clientless SSL-Tunnel DTLS-Tunnel
License: SSL VPN
Session Subtype: With client
Encryption: RC4 AES128
Login Time: 08:24:51 EDT Thu Apr 1 2010
Duration: 0h:01m:34s
Bytes Tx: 23312
Bytes Rx: 12403
NAC Result: Unknown
Posture Token:
VLAN Mapping: N/A
VLAN: 0

Cisco Employee

Re: Anyconnect VPN and DAP

Yeah, i don't see the filter being assigned to the user.

Try to run "debug dap trace" and "debug dap errors", and try to connect again. Please share the debug output. Thanks.

Community Member

Re: Anyconnect VPN and DAP

Here ya go! Looks like it is just using the default DAP.

Silver

Re: Anyconnect VPN and DAP

Can you change the DAP check to any one of the below:

ldap.cn=EGTS

ldap.sAMAccountName = egts

cisco.username=EGTS

Thanks,

Kiran

Community Member

Re: Anyconnect VPN and DAP

Thanks for the info, but that didn't seem to work either. I can't get the username to associate with the DAP. It just goes straight to the default DAP. Do I need to do any attribute mapping or anything else in AD? Also, I only have the 2 licenses for the SSL VPN client. We're waiting on the license order to go through. Would that have anything to do with it?

Cisco Employee

Re: Anyconnect VPN and DAP

No, license has nothing to do with the issue. License will allow you only 2 concurrent SSL connections at the moment.

Looks like you are matching on LDAP.username on the DAP policy. Please match on "Cisco" username, instead of "LDAP" username on the DAP policy.

Community Member

Re: Anyconnect VPN and DAP

Awesome... got it working now. Thanks, guys!
