04-08-2014 12:23 AM - edited 02-21-2020 07:35 PM
Hi there, I was hoping someone can point me in the right direction here. I have created a VPN connection profile to match our AnyConnect clients coming in on SSL. I would like to use membership of an LDAP group as a prerequisite for authentication. I found a few online pages on what to do for this, so I have followed them. Unfortunately my connection profile seems to allow access to any user in the LDAP database, not just those in the LDAP group. I will post the relevant bits of the config here in the hope someone can point out my error!
The idea of the config is to have the 2 default connections map to a noaccess policy which has 0 simultaneous logins and the anyconnect ssl connection profile (SSL_VPN) map to the group_policy_SSL_VPN group policy.
ip local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51-10.0.5.254 mask 255.255.255.0
nat (inside_int,any) source static NetworkGroup_Internal_networks NetworkGroup_Internal_networks destination static Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 no-proxy-arp route-lookup
ldap attribute-map AuthUsers
map-name memberOf Group-Policy
map-value memberOf memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group
dynamic-access-policy-record DfltAccessPolicy
aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
ldap-base-dn DC=CONTOSO,DC=group
ldap-group-base-dn DC=CONTOSO,DC=group
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASA_LDAP_USER,OU=Network,OU=Resource Accounts,DC=CONTOSO,DC=group
server-type microsoft
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
ssl trust-point ASDM_TrustPoint4 outside_int
webvpn
enable outside_int
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
wins-server none
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value CONTOSO.group
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
wins-server none
dns-server value 10.0.0.45
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-lock value SSL_VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value CONTOSO.group
split-tunnel-all-dns enable
address-pools value CONTOSOVICVPN_DHCP_POOL
tunnel-group DefaultRAGroup general-attributes
authorization-server-group CONTOSOVIC_LDAP
default-group-policy NoAccess
authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy NoAccess
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
address-pool CONTOSOVICVPN_DHCP_POOL
authentication-server-group CONTOSOVIC_LDAP
authorization-server-group CONTOSOVIC_LDAP
default-group-policy GroupPolicy_SSL_VPN
authorization-required
tunnel-group SSL_VPN webvpn-attributes
radius-reject-message
proxy-auth sdi
group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable
04-08-2014 07:03 AM
I am learning to use AAA with LDAP on ASA, so hopefully I can help you on this one.
From what I can see in the above output, you are missing the command to attach the LDAP map that you have created to the LDAP AAA server, and I think that your map-value is set incorrectly. See the following example from Cisco about configuring an LDAP attribute map.
HTH,
04-09-2014 12:30 AM
Hi Rudy, thanks for replying. I recreated the attribute map; however, I am running version 8.4(4) and IETF-Radius-Class has been superseded by "Group-Policy".
Here is my current config (the remaining parts are unchanged):
ldap attribute-map LDAP_Group
map-name memberOf Group-Policy
map-value memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group SSL_VPN
aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
ldap-base-dn DC=CONTOSO,DC=group
ldap-group-base-dn DC=CONTOSO,DC=group
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASA_LDAP_USER,OU=Network,OU=Resource Accounts,DC=CONTOSO,DC=group
server-type microsoft
ldap-attribute-map LDAP_Group
webvpn
enable outside_int
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
wins-server none
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value CONTOSO.group
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
wins-server none
dns-server value 10.0.0.45
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-lock value SSL_VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value CONTOSO.group
split-tunnel-all-dns enable
address-pools value CONTOSOVICVPN_DHCP_POOL
tunnel-group DefaultRAGroup general-attributes
authorization-server-group CONTOSOVIC_LDAP
default-group-policy NoAccess
authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy NoAccess
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
address-pool CONTOSOVICVPN_DHCP_POOL
authentication-server-group CONTOSOVIC_LDAP
authorization-server-group CONTOSOVIC_LDAP
default-group-policy GroupPolicy_SSL_VPN
authorization-required
tunnel-group SSL_VPN webvpn-attributes
radius-reject-message
proxy-auth sdi
group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable
Unfortunately it still allows any AD user access, not just those who are members of CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group SSL_VPN
I ran a debug on the ASA during a test login and got the following output:
[322] memberOf: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group
[322] mapped to Group-Policy: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group
[322] mapped to LDAP-Class: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group
It looks like it's applying the "Group-Policy" mapping to the group even though it's not the correct AD group?
When I recreated the ldap attribute-map LDAP_Group I tried assigning it to both the group policy GroupPolicy_SSL_VPN and the connection profile SSL_VPN (as shown in the config), but it was the same result. Which is the correct configuration?
Any ideas on this gratefully received; it's driving me a bit nuts!
Thanks!
Nick
04-09-2014 02:59 AM
Hi Nick, that debug output tells me that it's not assigning CN=TEST to any group-policy. Since you don't have that user mapped to any group policy, it is being ignored, even though the output looks like it's being assigned to the Group-Policy.
If it does assign it to a group policy, I believe it should look like the following:
mapped to Group-Policy: value = SSL_VPN
Have you tried testing the LDAP using CN=NETWORK_CONTOSO_ASA_VPN_DLSG user? On the debug output it should say that it is assigned to SSL_VPN group policy.
04-09-2014 04:29 AM
Hi Rudy, yes it does:
[341] memberOf: value = CN=NETWORK_ABN_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=ABN,OU=Security,OU=Groups,
[341] mapped to Group-Policy: value = SSL_VPN
[341] mapped to LDAP-Class: value = SSL_VPN
Now I guess the question is why the NoAccess policy does not get applied by default if nothing matches for the SSL_VPN policy? What config do I need to deny access to everything that doesn't match the SSL policy? I have set the NoAccess policy to 0 simultaneous logins; I just need to get that to match everything other than SSL_VPN now.
04-09-2014 05:25 AM
You need to specify NoAccess group policy as the default group policy for SSL_VPN tunnel group.
Don't forget to rate helpful answers. :)
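To make the fix above concrete, here is an added model (not ASA code and not from this thread's posters) of how the ASA chooses a group policy from the thread's attribute map and tunnel group: a memberOf value is rewritten only when map-value matches it, a mapped value that names no existing group policy is ignored, and whatever is left falls through to the tunnel group's default-group-policy, whose vpn-simultaneous-logins 0 is what actually denies the login. It assumes a group policy named SSL_VPN exists with the attributes the thread gives GroupPolicy_SSL_VPN (the thread maps to SSL_VPN but only shows GroupPolicy_SSL_VPN), and that the first mapped value naming a real policy wins when a user is in several mapped groups.

```python
# Constructed model of the thread's config; names are taken from the thread.
# ldap attribute-map LDAP_Group: map-name memberOf Group-Policy,
#   map-value memberOf <DN> <group-policy-name>
ATTRIBUTE_MAP = {
    "CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,"
    "OU=Security,OU=Groups,DC=CONTOSO,DC=group": "SSL_VPN",
}

# group-policy name -> vpn-simultaneous-logins. "SSL_VPN" is an ASSUMPTION:
# the thread maps to that name but only shows GroupPolicy_SSL_VPN.
GROUP_POLICIES = {"NoAccess": 0, "GroupPolicy_SSL_VPN": 1, "SSL_VPN": 1}

# Constructed memberOf values for two test users (the DNs are from the debug).
TEST_SSO = ["CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,"
            "DC=CONTOSO,DC=group"]
VPN_MEMBER = [next(iter(ATTRIBUTE_MAP))]


def map_member_of(member_of):
    """Apply map-value: a matching DN becomes the policy name, any other DN is
    passed through unchanged. That pass-through is the misleading
    'mapped to Group-Policy: value = CN=TEST SSO,...' line in Nick's debug."""
    return [ATTRIBUTE_MAP.get(dn, dn) for dn in member_of]


def select_group_policy(member_of, default_policy):
    """Return the policy the ASA applies: the first mapped value that names an
    existing group-policy (assumed ordering), else the tunnel group's
    default-group-policy. A raw DN never names a policy, so it falls through."""
    for value in map_member_of(member_of):
        if value in GROUP_POLICIES:
            return value
    return default_policy


def login_allowed(member_of, default_policy):
    """Authentication already succeeded (any valid AD account binds fine);
    authorization is decided purely by the selected policy's login limit."""
    policy = select_group_policy(member_of, default_policy)
    return policy, GROUP_POLICIES[policy] > 0


if __name__ == "__main__":
    # Before the fix: tunnel-group SSL_VPN defaults to GroupPolicy_SSL_VPN,
    # so a user in no mapped group still gets a policy that allows 1 login.
    print(login_allowed(TEST_SSO, "GroupPolicy_SSL_VPN"))
    # After the fix (default-group-policy NoAccess): unmapped users are denied,
    # group members still receive the mapped policy.
    print(login_allowed(TEST_SSO, "NoAccess"))
    print(login_allowed(VPN_MEMBER, "NoAccess"))
```

The same fallback applies if the map-value names a policy that does not exist on the ASA, so check that the name on the right-hand side of map-value matches an actual group-policy and not just the tunnel group.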
04-21-2014 10:09 PM
Thanks Rudy, much appreciated!