Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1387
Views
0
Helpful
7
Replies

Clientless SSL VPN Group Policy Issue

jlizzio
Level 1
Level 1

‎02-18-2010 04:38 PM - edited ‎02-21-2020 04:30 PM

Hello,

I recently enabled aliases and have them associated with the connection profiles I have defined. The problem I'm running into is regardless of what group I select from the drop down I always get dumped into the same group policy. The connection in the logs shows up correctly but the policy is always the same.

This is one of those problems I think I've just looked at too long and now I'm missing the obvoious.

Any help that someone can provide would be greatly appreciated.

Thanks,

-John

Labels:
0 Helpful
7 Replies 7

Todd Pula
Level 7
Level 7

‎02-19-2010 09:35 AM

Sounds like you have a group policy assigned to your user either locally on the ASA or via RADIUS attribute 25 or LDAP mapping.  What type of authentication are you using on the tunnel groups you are testing with?

0 Helpful

jlizzio
Level 1
Level 1
In response to Todd Pula

‎02-19-2010 10:06 AM

I guess that would help right.

Users are being authenticated via ldap. I currently have one map definied and 3 different map values. What seems to be happening is if I have an account in each map value it associates with the first one regardless of the group-alias I select at login.

Thanks,

-John

0 Helpful

Todd Pula
Level 7
Level 7
In response to jlizzio

‎02-19-2010 11:08 AM

That is a limitation of the LDAP map feature.  It will only look at the first memberOf attribute value.  DAP doesn't have this limitation but in its current form cannot assign group policies within itself.  In this case, the session would have to be properly segmented via the tunnel-group/group-policy association methods in order to work.

0 Helpful

jimsiff
Level 1
Level 1
In response to Todd Pula

‎02-21-2010 02:15 AM

Topula,

So, consider the following LDAP Map:

memberOf "VPN-Employees" > Group Policy "Employees"

memberOf "VPN-Contractors" > Group Policy "Contractors"

memberOf "VPN-Executives" > Group Policy "Executives"

Are you saying that only the first memberOf mapping is ever evaluated?  As in, if a user is a member of VPN-Contractors, they will never match because VPN-Contractors is not the first memberOf attribute in the list?

Or are you saying that only the first matching memberOf attribute is evaluated?  As in, If a user is a member of VPN-Employees and VPN-Executives, only the VPN-Employees memberOf attribute will match?

Thanks for the clarification,


Jim

0 Helpful

Todd Pula
Level 7
Level 7
In response to jimsiff

‎02-21-2010 04:58 AM

The ldap-attribute-map feature has a limitation with mult-valued AD attributes such as memberOf.  If a user is a memberOf of several AD groups, the ASA will only parse or trigger on the 1st one.  DAP doesn't have this limitation but DAP can't assign authorization attributes in its current form so you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies.  Based on your sample above, only your Employees group would be matched on.

0 Helpful

jlizzio
Level 1
Level 1
In response to Todd Pula

‎02-22-2010 02:25 PM

Sorry for the delay in my response. I had the flu something fierce.

" you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies"

What's the best way to go about this? Is there a doc or a post you can reference to help?

0 Helpful

Todd Pula
Level 7
Level 7
In response to Todd Pula

‎02-22-2010 02:30 PM

The DAP Deployment Guide goes over the feature in detail and gives some examples of policy matching of LDAP attributes such as memberOf.  

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

0 Helpful
Customers Also Viewed These Support Documents