
ASA 5505 VPN Group Policies (RADIUS) and tunnel group

cesaregiuliani
Level 1

I have a single ASA firewall protecting a small private development network, and I need it in order to remotely access two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.

I'd like to set up Anyconnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).

Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.

I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users:

Session Type: WebVPN

Username     : kaisaron78             Index        : 1
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 518483                 Bytes Rx     : 37549
Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:59:33 CEDT Mon Aug 18 2014
Duration     : 0h:00m:23s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none

Asa5505# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : manintra               Index        : 2
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 238914                 Bytes Rx     : 10736
Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 11:01:02 CEDT Mon Aug 18 2014
Duration     : 0h:00m:05s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none

As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no VLAN mapping, even if I have declared them explicitly in the group policies themselves. This is the webvpn section of the CLI script I used to set up remote access.

! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
!
object network NETWORK_OBJ_192.168.10.0_27
 subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
!
! RADIUS SETUP
!
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
 key ******
 authentication-port 1812
 accounting-port 1814
 radius-common-pw ******
 acl-netmask-convert auto-detect
!
webvpn
 port 10443
 enable outside
 dtls port 10443
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
 anyconnect enable
!
! LOCAL POLICIES
!

group-policy SSLPolicy internal
group-policy SSLPolicy attributes
 vpn-tunnel-protocol ssl-clientless
 vlan 3
 dns-server value 10.5.1.5
 default-domain value management.local
 webvpn
  url-list value Management_List
!
group-policy RemoteAC internal
group-policy RemoteAC attributes
 vpn-tunnel-protocol ikev2 ssl-client
 vlan 1
 address-pools value AnyConnect_Pool
 dns-server value 192.168.1.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_Anyconnect
 default-domain value home.local
 webvpn
  anyconnect profiles value AnyConnect_Profile_client_profile type user
!
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
  vpn-simultaneous-logins 0
!
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group OpenOTP
!
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
 authentication-server-group OpenOTP
 default-group-policy SSLLockdown
!
!END

I had to set up DefaultWEBVPNGroup and RAGroup that way, otherwise I couldn't authenticate using radius (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I've been struggling since May 2nd on this, and I really need to finish setting this up ASAP!!!!

Any help will be more than appreciated.

Cesare Giuliani

7 Replies

Marcin Latosiewicz
Cisco Employee

Cesare, 

In SSLVPN you need to direct your connection to a particular tunnel group.

Check out the "group-alias" and "tunnel-group-list" commands, also "group-url".

You have two possibilities: either a different URL per group and/or a different group alias which the user will pick.

M.

Thank you for answering Mr. Latosiewicz,

however I'm missing something: do I have to force enable the group selection drop down at login and create two different tunnel groups, one for AnyConnect and one for SSLVPN, and then assign group policies via radius? Or can I still use only username and password to login without selecting a group via the drop down menu and then specify via radius attribute the group url in order to point the correct user into the correct group?

I'm a bit confused...

Cesare Giuliani

Cesare,

In ASA's terminology, a connection "lands" on a tunnel-group. You need to make sure, either via tunnel-group-list or group-url, that a particular connection lands on a particular group.

As far as I'm aware those cannot be modified by RADIUS or other means.

Create a group alias and group-url for your Anyconnect connections... that's typically the best.

https://blabla.mydomain.tld/ will be your normal site.

https://blabla.mydomain.tld/Anyconnect can be your Anyconnect URL.

Makes sense?

M.

Ok, it makes sense.

Last question, then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list, an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group?

Thank you again for your precious and kind help, and for your patience as well!

Cesare Giuliani

Cesare, 

I have never seen it working.

I know the attribute you speak of is sent during access requests to the server (in case the server has per tunnel-group settings for users).

Not sure if sending it from the server will change anything, feel free to try.

Debugs to be run during that try:

debug aaa common 100

debug radius

M.


Ok. I got it working using 2 different tunnel groups and selecting them via drop down menu. I'll check in the next days if the "group policy trick" is enough to prevent "kaisaron78" from logging into SSL VPN and "manintra" from setting up an AnyConnect session.

Update: using a drop down list to select the tunnel group in fact allows both users to access both connections, and that's exactly what I NEED to avoid.

I have 2 more questions to ask both regarding SSL VPN:

1) is it possible to access ASA ASDM over an SSL Clientless VPN connection? How do I set that up?

2) I have 3 IPMI websites. I can access those sites from SSL Clientless VPN, however some functionalities such as remote KVM (a Java based remote console applet downloaded from the IPMI interface, based on a sort-of-VNC) simply don't work. Is there a way to tunnel IPMI KVM over SSL Clientless?

Thank you again for your precious help!! ^^


Cesare Giuliani

Cesare, 

For users trying to access the incorrect profile, have a look at the group-lock feature AND the radius attribute. You can make sure users are locked in to a particular group.

For both of those questions you list, try smart tunnel; no, I have not tried using any of those in that way. Or ideally, start a new thread, people with different experiences might pitch in.

From experience, people tend not to look beyond the first few posts in a thread... unless they are devoted :D

M.
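Putting the advice in this thread together (dedicated tunnel groups reached via group-url / group-alias, plus group-lock so the drop-down cannot be used to reach the wrong connection), here is an added configuration example; it was not posted by anyone in the thread. The tunnel-group names AnyConnect_TG and Clientless_TG and the alias names are assumptions; the host name, the aaa-server name and the group-policy names are taken from the posts above.

```cisco
! Added example, not from the thread. Tunnel-group names AnyConnect_TG and
! Clientless_TG are assumed; everything else reuses names from the posts.
!
! One dedicated tunnel group per connection type. The user lands on it via
! the URL (or alias) before RADIUS runs, so the landing is not RADIUS-driven.
! Fallback policy is the existing SSLLockdown (simultaneous-logins 0), so a
! user whose RADIUS reply carries no Group-Policy attribute gets no session.
tunnel-group AnyConnect_TG type remote-access
tunnel-group AnyConnect_TG general-attributes
 authentication-server-group OpenOTP
 default-group-policy SSLLockdown
tunnel-group AnyConnect_TG webvpn-attributes
 group-alias AnyConnect enable
 group-url https://blabla.mydomain.tld/Anyconnect enable
!
tunnel-group Clientless_TG type remote-access
tunnel-group Clientless_TG general-attributes
 authentication-server-group OpenOTP
 default-group-policy SSLLockdown
tunnel-group Clientless_TG webvpn-attributes
 group-alias Management enable
 group-url https://blabla.mydomain.tld/Management enable
!
! Optional: show the tunnel-group drop-down on the portal login page.
! Without group-lock (below) this is exactly what let both users pick either
! connection.
webvpn
 tunnel-group-list enable
!
! group-lock binds each group-policy to one tunnel-group. When RADIUS returns
! Group-Policy=RemoteAC for a login made through Clientless_TG (or SSLPolicy
! for a login through AnyConnect_TG) the ASA rejects the connection, so the
! drop-down no longer lets kaisaron78 reach the clientless portal or manintra
! start an AnyConnect session.
group-policy RemoteAC attributes
 group-lock value AnyConnect_TG
group-policy SSLPolicy attributes
 group-lock value Clientless_TG
```

The same lock can be supplied per user from the RADIUS server with Cisco's Tunnel-Group-Lock attribute instead of being set locally in the group-policy; verify the outcome with "show vpn-sessiondb webvpn", where the Group Policy and Tunnel Group columns should now always match.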
