Cisco Support Community
New Member

Locking down Anyconnect authentication to AD Group

I can't seem to find any documentation on how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my AnyConnect VPN on my ASA 8.2.2.

I've found the documentation on how to prevent logins using the msNPAllowDialin attribute, but not how to base it on group membership (memberOf).

This is what I have configured:

ldap attribute-map AllowVPN
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Users,OU=Groups,OU=City,OU=Country,DC=us,DC=mydom,DC=net" TESTGROUP

aaa-server ADAUTH (inside) host 10.1.1.1
 server-port 389
 ldap-base-dn DC=us,DC=mydom,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Public,OU=Service,OU=City,OU=Country,DC=us,DC=mydom,DC=net
 server-type microsoft
 ldap-attribute-map AllowVPN

Do I need to do any kind of restrictions inside the actual group-policy TESTGROUP?

Accepted Solutions
Cisco Employee

Jeff (if I may),

You can do terminate/continue/banner options based on information received during different phases in DAP.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Note "Figure 6" indicating usage of "memberOf".

It requires some testing but DAP looks to me like a natural way to go.

Marcin

New Member

Thanks, DAP does seem to be the way to go with this. I found a similar article to what you posted last night which confirmed the same type of screenshots.

I will just have to set time aside to update my policies on my ASA to take advantage of this. I guess as a best practice in the future, I need to make sure I update the DfltAccessPolicy to Terminate from the start, because I have a number of production services on my ASA which could be affected if I do change it now.

Thanks!

Jeff
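
Added example, not part of the thread and not Cisco's or the posters' own configuration: a fail-closed arrangement for the AllowVPN attribute map from the question. A user whose memberOf values match no map-value receives no mapped group policy and inherits the tunnel group's default, so that default has to be the one that denies. NOACCESS and ANYCONNECT-TG are hypothetical names; AllowVPN, ADAUTH and TESTGROUP are taken from the question.

```cisco
! Added example. NOACCESS and ANYCONNECT-TG are hypothetical names;
! AllowVPN, ADAUTH and TESTGROUP come from the configuration in the question.

! Deny-by-default policy: zero simultaneous logins rejects the session
! even though the LDAP bind itself succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy the AllowVPN map assigns to members of "VPN Users".
! The login count is set explicitly so it cannot be inherited as 0.
group-policy TESTGROUP internal
group-policy TESTGROUP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc

! Users with no matching memberOf value fall back to the tunnel group's
! default group policy, which here is the denying one.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ADAUTH
 default-group-policy NOACCESS
```

During a test login, `debug ldap 255` shows whether a memberOf value was matched and mapped, which is worth checking with one account inside the group and one outside it.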
