Cisco Support Community

New Member

Restricting access to AnyConnect by userid

My customer has ASA 8.2, and is setting up a webvpn portal.  He would like to allow some users to use AnyConnect, but others would only be allowed clientless access.  He is using NT authentication.  I have set up two different group policies, which do what he wants, and matching tunnel groups, but I don't see an obvious way to force one set of users onto one tunnel, and another set onto the other.  Using group-url as security-through-obscurity was the only thing I could come up with.  Is there a way to do what he wants?  Thanks.

  • VPN
4 REPLIES
Cisco Employee

Re: Restricting access to AnyConnect by userid

Sure, you can use LDAP attribute mapping to assign a user to a specific group-policy.

Here is a sample configuration on LDAP attribute mapping for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope that helps.

New Member

Re: Restricting access to AnyConnect by userid

Jennifer,

Thanks, this helps, but I think the user would want to set up group memberships in AD, and use that membership to control group-policy.  Is there doc on the MS AD schema that would define the group-membership structure, and how to pull specific groups out of that via the attribute maps?  We could use the example as given for an either-or group membership to meet the immediate requirement, but I'm sure they'll want to expand on that later.

Thanks again.

Cisco Employee

Re: Restricting access to AnyConnect by userid

The group membership from AD would be the "memberOf" attribute. If you run "debug ldap 255" on the ASA firewall whilst trying to authenticate, it will provide you with all the LDAP attributes; look for the full path of group membership via the "memberOf" attribute.

Here is another sample configuration that might help further (check out the output of "debug ldap 255" at the bottom, and the highlighted "memberOf" attribute):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

(From the above example, you would need to map the following memberOf attribute: "CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com")

You could obtain your organization's full LDAP path for the memberOf attribute via the "debug ldap 255" output on the ASA.

Hope that helps.
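Putting the two replies together, here is an added example ASA 8.2 configuration (not from the thread or from Cisco's linked documents) showing a memberOf-to-group-policy map. The group-policy names, AAA server name, server address, bind DN and base DN are placeholders; the Employees DN is the one quoted above. Users whose memberOf does not match any map-value fall through to the tunnel-group's default group-policy, so that default is set to the clientless-only policy rather than the AnyConnect one.

```cisco
! Hypothetical ASA 8.2 fragment (added example; names, addresses and DNs
! other than the Employees group are placeholders).
!
! Policy for users who may use AnyConnect (svc) as well as the portal.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol svc webvpn
!
! Policy for everyone else: clientless portal only, no AnyConnect.
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol webvpn
!
! Map the AD memberOf attribute onto the ASA Group-Policy attribute.
! Only the groups listed here grant the AnyConnect policy; a user with
! no matching memberOf value keeps the tunnel-group default below.
ldap attribute-map AD-GROUP-TO-POLICY
 map-name memberOf Group-Policy
 map-value memberOf "CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com" GP-ANYCONNECT
!
! LDAP server definition, with the attribute map attached to the host.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=ftwsecurity,DC=cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY
!
! One tunnel-group for all SSL VPN users; the LDAP map decides who gets
! AnyConnect. The default policy is the restrictive (clientless) one.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-CLIENTLESS
!
! Global webvpn enablement; the AnyConnect image (svc image) is assumed
! to be configured separately.
webvpn
 enable outside
 svc enable
```

After a test login, "debug ldap 255" and "show vpn-sessiondb" let you confirm which group-policy each user actually received.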

New Member

Re: Restricting access to AnyConnect by userid

Jennifer,

Thanks, that's exactly what I needed.

Regards,

Mike Flanigan
