Cisco AnyConnect VPN with LDAP AAA

Nick Currie
Level 1

Hi there, I was hoping someone can point me in the right direction here. I have created a VPN connection profile to match our AnyConnect clients coming in on SSL. I would like to use LDAP group membership as a prerequisite for authentication. I found a few online pages on what to do for this, so I have followed them. Unfortunately my connection profile seems to allow access to any user in the LDAP database, not just those in the LDAP group. I will post the relevant bits of the config here in the hope that someone can point out my error!

The idea of the config is to have the two default connection profiles map to a NoAccess policy, which has 0 simultaneous logins, and the AnyConnect SSL connection profile (SSL_VPN) map to the GroupPolicy_SSL_VPN group policy.

ip local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51-10.0.5.254 mask 255.255.255.0

nat (inside_int,any) source static NetworkGroup_Internal_networks NetworkGroup_Internal_networks destination static Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 no-proxy-arp route-lookup

ldap attribute-map AuthUsers
  map-name  memberOf Group-Policy
  map-value memberOf memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group

dynamic-access-policy-record DfltAccessPolicy

aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
 ldap-base-dn DC=CONTOSO,DC=group
 ldap-group-base-dn DC=CONTOSO,DC=group
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA_LDAP_USER,OU=Network,OU=Resource Accounts,DC=CONTOSO,DC=group
 server-type microsoft

no vpn-addr-assign aaa
no vpn-addr-assign dhcp

ssl trust-point ASDM_TrustPoint4 outside_int
webvpn
 enable outside_int
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 default-domain value CONTOSO.group
 split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
 wins-server none
 dns-server value 10.0.0.45
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value SSL_VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 default-domain value CONTOSO.group
 split-tunnel-all-dns enable
 address-pools value CONTOSOVICVPN_DHCP_POOL

tunnel-group DefaultRAGroup general-attributes
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy NoAccess
 authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NoAccess
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool CONTOSOVICVPN_DHCP_POOL
 authentication-server-group CONTOSOVIC_LDAP
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy GroupPolicy_SSL_VPN
 authorization-required
tunnel-group SSL_VPN webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable

6 Replies

Rudy Sanjoko
Level 4

I am learning to use AAA with LDAP on the ASA, so hopefully I can help you with this one.

From what I can see in the above output, you are missing the command to attach the LDAP map you have created to the LDAP AAA server, and I think your map-value is set incorrectly. See the following example from Cisco about configuring an LDAP attribute map.

HTH,

Hi Rudy, thanks for replying. I recreated the attribute map; however, I am running version 8.4(4), and IETF-Radius-Class has been superseded by "Group-Policy".

Here is my current config; the remaining parts are unchanged:

ldap attribute-map LDAP_Group
  map-name  memberOf Group-Policy
  map-value memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group SSL_VPN

aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
 ldap-base-dn DC=CONTOSO,DC=group
 ldap-group-base-dn DC=CONTOSO,DC=group
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA_LDAP_USER,OU=Network,OU=Resource Accounts,DC=CONTOSO,DC=group
 server-type microsoft
 ldap-attribute-map LDAP_Group

webvpn
 enable outside_int
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value CONTOSO.group
 split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
 wins-server none
 dns-server value 10.0.0.45
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value SSL_VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 default-domain value CONTOSO.group
 split-tunnel-all-dns enable
 address-pools value CONTOSOVICVPN_DHCP_POOL

tunnel-group DefaultRAGroup general-attributes
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy NoAccess
 authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NoAccess
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool CONTOSOVICVPN_DHCP_POOL
 authentication-server-group CONTOSOVIC_LDAP
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy GroupPolicy_SSL_VPN
 authorization-required
tunnel-group SSL_VPN webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable

Unfortunately it still allows any AD user access, not just those who are members of CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group SSL_VPN

I ran a debug on the ASA during a test login and got the following output:

[322]   memberOf: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group
[322]           mapped to Group-Policy: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group
[322]           mapped to LDAP-Class: value = CN=TEST SSO,OU=Miscellaneous,OU=Melbourne,OU=BOU,OU=Testing,DC=CONTOSO,DC=group

It looks like it's applying the "Group-Policy" mapping to the group even though it's not the correct AD group?

When I recreated the ldap attribute-map LDAP_Group I tried assigning it to both the group policy GroupPolicy_SSL_VPN and the connection profile SSL_VPN (as shown in the config), but it was the same result. Which is the correct configuration?

Any ideas on this gratefully received; it's driving me a bit nuts!

Thanks!

Nick

Hi Nick, that debug output tells me that it's not assigning CN=TEST to any group-policy. Since you don't have that user mapped to any group policy, it is being ignored, even though the output looks like it is being assigned to the Group-Policy.

If it does assign it to a group policy, I believe it should look like the following:

mapped to Group-Policy: value = SSL_VPN

Have you tried testing the LDAP login using a CN=NETWORK_CONTOSO_ASA_VPN_DLSG user? In the debug output it should say that it is assigned to the SSL_VPN group policy.

Hi Rudy, yes it does:

[341]   memberOf: value = CN=NETWORK_ABN_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=ABN,OU=Security,OU=Groups,
[341]           mapped to Group-Policy: value = SSL_VPN
[341]           mapped to LDAP-Class: value = SSL_VPN

Now I guess the question is why the NoAccess policy does not get applied by default if nothing matches for the SSL_VPN policy. What config do I need to deny access to everything that doesn't match the SSL policy? I have set the NoAccess policy to 0 simultaneous logins; I just need to get that to match everything other than SSL_VPN now.

You need to specify the NoAccess group policy as the default group policy for the SSL_VPN tunnel group.

Don't forget to rate helpful answers. :)

Thanks Rudy, much appreciated!
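The layout the accepted answer describes, written out as an added example (not config from any post in this thread), reusing the thread's names: CONTOSOVIC_LDAP, LDAP_Group, NoAccess, GroupPolicy_SSL_VPN and the SSL_VPN profile. One assumption beyond the thread: the map-value points at GroupPolicy_SSL_VPN rather than SSL_VPN, because the ASA only honours a Group-Policy value that names a group-policy configured on the box, and a value that matches nothing leaves the user on the tunnel-group default, which is exactly what this fix turns into a denial.

```cisco
! Added example, not config from any post in this thread. Thread names reused;
! the one assumption is that map-value names GroupPolicy_SSL_VPN, the policy
! that exists on this ASA (a value matching no configured group-policy is
! ignored and the user stays on the tunnel-group's default-group-policy).
!
! 1. Translate the AD group DN into the name of an existing group-policy.
ldap attribute-map LDAP_Group
 map-name  memberOf Group-Policy
 map-value memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=Network,OU=Resource,OU=CONTOSO,OU=Security,OU=Groups,DC=CONTOSO,DC=group GroupPolicy_SSL_VPN
!
! 2. Attach the map to the LDAP server (the line missing from the first post).
aaa-server CONTOSOVIC_LDAP protocol ldap
aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
 ldap-base-dn DC=CONTOSO,DC=group
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ASA_LDAP_USER,OU=Network,OU=Resource Accounts,DC=CONTOSO,DC=group
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map LDAP_Group
!
! 3. Deny-by-default policy: a user whose memberOf matched nothing lands here.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! 4. Allow policy, reachable only through the attribute map above.
group-policy GroupPolicy_SSL_VPN internal
group-policy GroupPolicy_SSL_VPN attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 1
 group-lock value SSL_VPN
 address-pools value CONTOSOVICVPN_DHCP_POOL
!
! 5. The fix: the profile's default is the deny policy, not the allow policy
!    (the thread's config had "default-group-policy GroupPolicy_SSL_VPN" here).
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 authentication-server-group CONTOSOVIC_LDAP
 authorization-server-group CONTOSOVIC_LDAP
 default-group-policy NoAccess
!
! Checks (standard ASA commands). "test aaa-server" exercises authentication
! only, so pair it with the LDAP debug to confirm the mapping; the
! vpn-simultaneous-logins 0 denial is applied at session setup, so confirm
! that with a real AnyConnect login from a non-member account.
!   debug ldap 255
!   test aaa-server authentication CONTOSOVIC_LDAP host 10.0.0.45 username <member> password <pw>
!   -> expect "mapped to Group-Policy: value = GroupPolicy_SSL_VPN"
```

The `<member>` and `<pw>` placeholders stand for a test account that is in the AD group; the `*****` password is the thread's own redaction.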
