Cisco AnyConnect - Certificate Authentication with LDAP group lookup
I am trying to setup a remote access solution using Cisco AnyConnect. My scenario is as follows:
- I have 3 different classes of users (defined by group policies on the ASA). Each group gets an IP address from one of 3 available pools
- These 3 ASA groups are mapped to 3 different LDAP groups. Meaning, a domain user belonging to a specific LDAP group maps to his respective ASA group.
- The user authentication is certificate based (no username and password)
- I have created only 1 tunnel-group, with the default group policy applied. This was done so that no specific group-policy is explicitly applied to the tunnel group. As I have 3 group policies, based on which LDAP user connects, he will get his specific group policy settings from the ASA.
The solution works 100% when I use username/password authentication. An LDAP user gets mapped to his specific group-policy on the ASA and gets an IP address from his pool.
When I change the authentication to certificate based, the solution does not work. I get an error whereby the ASA is not able to assign an IP address to the user. I see that the certificate is authenticated correctly, however at the last part, address assignment, it fails.
I think the issue is that the LDAP group lookup fails when the authentication is certificate based. I am no LDAP expert, so I am not sure if the LDAP-to-ASA Group mapping only works if the authentication is username/password based.
I cannot ascertain LDAP group assignment with LDAP authentication when using certificates though. All I can confirm is that the certificate is validated, hence the VPN session is established. It seems like the LDAP mapping to RADIUS class is not happening when using certificates.
Remember, I am using the DfltGrpPolicy under the tunnel-group; the user must get his IP address from his specific group policy which is mapped to the LDAP groups. The IP address assignment fails as the ASA cannot tie this mapping together when certificates are being used.
I am not sure if this mapping should include additional fields when certificates are being used.
My LDAP attribute mapping looks something like this:
map-value memberOf "CN=ZA-SG COS GOLD,CN=Users,DC=xxx,DC=com" GRP-GOLD
LDAP Group: ZA-SG COS GOLD
Group-Policy on ASA: GRP-GOLD
You mention certificate to profile mapping - is this done differently from my mapping above?
Don't know if you managed to get this working, but if you are still interested I have :)
What you need to do is enable LDAP Authorization in addition to certificate authentication.
You need to create an LDAP server group, as you would with regular LDAP authentication.
Then you specify this in the authorization section in the connection profile.
Then you need to get the username from the certificate.
This is done by selecting "use script to select username",
click Add and in the new window just select script parameters and select value for Username: User Principal Name (UPN) and No filtering.
Now you should be able to extract the group membership from the user in AD and assign the correct group policy based on this information with a regular LDAP attribute mapping.
Worked for me :)
Forgot to mention that the LDAP server definition needs to have the Naming Attribute: userPrincipalName and not the usual sAMAccountName, since you are sending the UPN (email@example.com) to the LDAP servers.
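The following ASA CLI configuration is an added example that pulls the steps of the answer above together (LDAP authorization alongside certificate authentication, username taken from the certificate UPN, userPrincipalName as the naming attribute, and the memberOf attribute map). It is not the poster's own configuration: the names LDAP-AD, AD-GROUP-MAP, RA-CERT, POOL-GOLD, the host 10.0.0.10, the pool range and the bind DN are assumed placeholders, while the group DN and GRP-GOLD are the ones given in the question. The ASDM "use script / UPN" selection is expressed here with the CLI keyword `username-from-certificate UPN`, which I understand to be its equivalent.

```cisco
! Added example, not the poster's configuration. LDAP-AD, AD-GROUP-MAP,
! RA-CERT, POOL-GOLD, 10.0.0.10, the pool range and the bind DN are assumed
! placeholders; the group DN and GRP-GOLD come from the thread.

! 1. LDAP server group used for AUTHORIZATION only (the certificate does the
!    authentication). Naming attribute is userPrincipalName because the ASA
!    looks the user up by the UPN it extracted from the certificate.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=xxx,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=xxx,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 2. Map AD group membership to the ASA group-policy name. One map-value
!    line per class of user; a user matching none of them stays on
!    DfltGrpPolicy, which in the question has no address pool.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=ZA-SG COS GOLD,CN=Users,DC=xxx,DC=com" GRP-GOLD

! 3. Group policy that owns the address pool for this class of user.
ip local pool POOL-GOLD 10.10.1.10-10.10.1.250 mask 255.255.255.0
group-policy GRP-GOLD internal
group-policy GRP-GOLD attributes
 address-pools value POOL-GOLD
 vpn-tunnel-protocol ssl-client

! 4. Single tunnel-group: certificate authentication, LDAP authorization,
!    username taken from the certificate UPN. authorization-required rejects
!    a caller whose certificate validates but who has no matching AD object.
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 authorization-server-group LDAP-AD
 authorization-required
 username-from-certificate UPN
tunnel-group RA-CERT webvpn-attributes
 authentication certificate

! Verification after a test connection: the session should show the group
! policy selected by the attribute map rather than DfltGrpPolicy.
! show vpn-sessiondb anyconnect filter name user@example.com
! debug ldap 255   (shows the memberOf -> IETF-Radius-Class mapping result)
```

Two points worth checking when applying this: the bind account named in `ldap-login-dn` only needs read access to the users container, so give it nothing more; and because `authorization-required` is set, a certificate holder who is not in any mapped group will either be denied or land on DfltGrpPolicy with no pool, which reproduces the address-assignment failure described in the question rather than silently granting access.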
Allow me to resurrect this old post. I currently have an AnyConnect profile authenticated through the ASA local CA server, so I must manually generate the user on the ASA and then the user is able to request a certificate from its AnyConnect client mobile device.
I must implement failover, but it doesn't work when the ASA is the local CA server. So I know that I must change to an external CA; the question is whether it is possible to combine LDAP authentication (so I won't create local users anymore) and certificate authentication?