Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Clientless SSL VPN Group Policy Issue

Hello,

I recently enabled aliases and have them associated with the connection profiles I have defined. The problem I'm running into is regardless of what group I select from the drop down I always get dumped into the same group policy. The connection in the logs shows up correctly but the policy is always the same.

This is one of those problems I think I've just looked at too long and now I'm missing the obvoious.

Any help that someone can provide would be greatly appreciated.

Thanks,

-John

7 REPLIES

Re: Clientless SSL VPN Group Policy Issue

Sounds like you have a group policy assigned to your user either locally on the ASA or via RADIUS attribute 25 or LDAP mapping.  What type of authentication are you using on the tunnel groups you are testing with?

New Member

Re: Clientless SSL VPN Group Policy Issue

I guess that would help right.

Users are being authenticated via ldap. I currently have one map definied and 3 different map values. What seems to be happening is if I have an account in each map value it associates with the first one regardless of the group-alias I select at login.

Thanks,

-John

Re: Clientless SSL VPN Group Policy Issue

That is a limitation of the LDAP map feature.  It will only look at the first memberOf attribute value.  DAP doesn't have this limitation but in its current form cannot assign group policies within itself.  In this case, the session would have to be properly segmented via the tunnel-group/group-policy association methods in order to work.

New Member

Re: Clientless SSL VPN Group Policy Issue

Topula,

So, consider the following LDAP Map:

memberOf "VPN-Employees" > Group Policy "Employees"

memberOf "VPN-Contractors" > Group Policy "Contractors"

memberOf "VPN-Executives" > Group Policy "Executives"

Are you saying that only the first memberOf mapping is ever evaluated?  As in, if a user is a member of VPN-Contractors, they will never match because VPN-Contractors is not the first memberOf attribute in the list?

Or are you saying that only the first matching memberOf attribute is evaluated?  As in, If a user is a member of VPN-Employees and VPN-Executives, only the VPN-Employees memberOf attribute will match?

Thanks for the clarification,


Jim

Re: Clientless SSL VPN Group Policy Issue

The ldap-attribute-map feature has a limitation with mult-valued AD attributes such as memberOf.  If a user is a memberOf of several AD groups, the ASA will only parse or trigger on the 1st one.  DAP doesn't have this limitation but DAP can't assign authorization attributes in its current form so you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies.  Based on your sample above, only your Employees group would be matched on.

New Member

Re: Clientless SSL VPN Group Policy Issue

Sorry for the delay in my response. I had the flu something fierce.

" you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies"

What's the best way to go about this? Is there a doc or a post you can reference to help?

Re: Clientless SSL VPN Group Policy Issue

The DAP Deployment Guide goes over the feature in detail and gives some examples of policy matching of LDAP attributes such as memberOf.  

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

799
Views
0
Helpful
7
Replies