Hi,I believe you need to

Charlie Dick · ‎07-30-2014

I am trying to use a custom LDAP attribute (389 on centos) to enable or disable VPN access. I know this could be done by OU groups but I have my reasons. I created the custom attribute (usesvpn) as a boolean and it works within LDAP. I created a group-policy access_null with 0 simultaneous connections and vpntunnel with simultaneous connections. I also created an attribute-map which I connected to the aaa-server. My issue is it don't work and even if usesvpn is FALSE the connection is still established even though the log file shows it reading the value but selecting the wrong group policy.

Thank you

Charlie

== Log File ==

7

Jul 30 2014

11:30:07

734003

DAP: User ******, Addr x.x.x.x : Session Attribute aaa.cisco.grouppolicy = vpntunnel

7

Jul 30 2014

11:30:07

734003

DAP: User ****** , Addr x.x.x.x : Session Attribute aaa.ldap.usesvpn = FALSE

== configurations excerpts ==

ldap attribute-map VPN_Test

map-name usesvpn Group-Policy
map-value usesvpn FALSE access_null
map-value usesvpn TRUE vpntunnel

aaa-server UKLDAP protocol ldap
aaa-server UKLDAP (ServerLan) host x.x.x.x
ldap-base-dn ou=Users,dc=mycompany,dc=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn cn=Directory Manager
ldap-attribute-map VPN_Test

tunnel-group vpntunnel general-attributes

address-pool vpntunnel_pool

authentication-server-group UKLDAP

default-group-policy vpntunnel

nkarthikeyan · ‎07-30-2014

Hi,

I believe you need to tweak the configuration little more to get this done...... map-name and policies needs to tweaked a bit to match right group policy for you while checking....

The below mentioned document will give you the better info to achieve your requirement...

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Regards

Karthik

Charlie Dick · ‎07-31-2014

Thank you this is a helpful article and I had consulted it when setting up but I had not run the debug. Having check the article I then ran it the debug and got what looks like a successful output but my access_null doesn't seem to have an effect as I connect anyway. I attached an edited screenshot of the result. I have checked and access_ null has 0 simultaneous logins so surely I should get kicked out. Can you suggest anything else I should be looking at?

Regards

Charlie

Dinesh Moudgil · ‎07-31-2014

Hi Charlie,

Debug clearly show that user gets "usesvpn" value as False and gets the group-policy "access-null".

In the configuration ,

tunnel-group vpntunnel general-attributes

address-pool vpntunnel_pool

authentication-server-group UKLDAP

default-group-policy vpntunnel

Have you tried using "access_null " as default-group policy ?
Although user specific group-policy takes preference but if you wish to deploy Ldap based attribute mapping , then we generally tend to use "access_null " as default group-policy and then allow the user specific policy to be given via LDAP attribute map.

Please try the following and share the results :-

tunnel-group vpntunnel general-attributes

no default-group-policy vpntunnel

default-group-policy access_null

Ref:-http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#cli

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Charlie Dick · ‎07-31-2014

Good Afternoon,

I tried your suggestion and set access_nul as the default and now everyone is excluded. I have run tow tests one with my user name charlie.dick that should have access and chadic who should not. Although it looks as if the correct policies are being selected but not applied.

Thanks

Charlie

The debug is as follows:

UK01ciscoasa#

[199] Session Start

[199] New request Session, context 0xad84e200, reqType = Authentication

[199] Fiber started

[199] Creating LDAP context with uri=ldap://x.x.x.x:389

[199] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful

[199] supportedLDAPVersion: value = 2

[199] supportedLDAPVersion: value = 3

[199] Binding as Directory Manager

[199] Performing Simple authentication for Directory Manager to x.x.x.x

[199] LDAP Search:

Base DN = [ou=Users,dc=company,dc=local]

Filter = [cn=charlie.dick]

Scope = [SUBTREE]

[199] User DN = [uid=charlie.dick,ou=Users,dc=company,dc=local]

[199] Server type for x.x.x.x unknown - no password policy

[199] Binding as charlie.dick

[199] Performing Simple authentication for charlie.dick to x.x.x.x

[199] Processing LDAP response for user charlie.dick

[199] Authentication successful for charlie.dick to x.x.x.x

[199] Retrieved User Attributes:

[199] objectClass: value = posixAccount

[199] objectClass: value = top

[199] objectClass: value = inetOrgPerson

[199] objectClass: value = organizationalPerson

[199] objectClass: value = person

[199] objectClass: value = Products

[199] gidNumber: value = 0

[199] givenName: value = Charlie

[199] sn: value = Dick

[199] uid: value = charlie.dick

[199] homeDirectory: value = /

[199] cn: value = charlie.dick

[199] uidNumber: value = 17067

[199] mail: value = charlie.dick@company.com

[199] usesvpn: value = TRUE

[199] mapped to Group-Policy: value = vpntunnel

[199] mapped to LDAP-Class: value = vpntunnel

[199] displayName: value = Charlie Dick

[199] userPassword: value = {SHA}w790gzjmkUsyuAj9Vc/tscn6tPs=

[199] Fiber exit Tx=339 bytes Rx=722 bytes, status=1

[199] Session End

[202] Session Start

[202] New request Session, context 0xad84e200, reqType = Authentication

[202] Fiber started

[202] Creating LDAP context with uri=ldap://x.x.x.x:389

[202] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful

[202] supportedLDAPVersion: value = 2

[202] supportedLDAPVersion: value = 3

[202] Binding as Directory Manager

[202] Performing Simple authentication for Directory Manager to x.x.x.x

[202] LDAP Search:

Base DN = [ou=Users,dc=company,dc=local]

Filter = [cn=chadic]

Scope = [SUBTREE]

[202] User DN = [uid=chadic,ou=Users,dc=company,dc=local]

[202] Server type for x.x.x.x unknown - no password policy

[202] Binding as chadic

[202] Performing Simple authentication for chadic to x.x.x.x

[202] Processing LDAP response for user chadic

[202] Authentication successful for chadic to x.x.x.x

[202] Retrieved User Attributes:

[202] objectClass: value = posixAccount

[202] objectClass: value = top

[202] objectClass: value = inetOrgPerson

[202] objectClass: value = organizationalPerson

[202] objectClass: value = person

[202] objectClass: value = Products

[202] gidNumber: value = 65534

[202] givenName: value = cha

[202] sn: value = cha

[202] usesvpn: value = FALSE

[202] mapped to Group-Policy: value = access_null

[202] mapped to LDAP-Class: value = access_null

[202] displayName: value = chadic

[202] uid: value = chadic

[202] homeDirectory: value = /

[202] cn: value = chadic

[202] uidNumber: value = 47115

[202] userPassword: value = {SSHA}g8QV5Yo9rKriXS9Tpl+5PzR05aIOPfZNsNopaw==

[202] Fiber exit Tx=327 bytes Rx=672 bytes, status=1

[202] Session End

Dinesh Moudgil · ‎07-31-2014

Hi Charlie,

I don't see any issues with attribute mapping.
Can you try removing the attribute mapping and undoing the no_access default group-policy and see if plain LDAP auth works or not.
This will rule out whether the issue is with LDAP attributes or Anyconnect VPN configuration.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Charlie Dick · ‎08-01-2014

Plain LDAP authentication works perfectly. It looks like the mapped policies are being ignored.

Regards

Charlie

Charlie Dick · ‎08-27-2014

I think I figured out the issue. In my system I had the group policy vpntunnel that allows access inheriting its values from the default group policy (3 simultaneous). This did not work, however, when I attributed a value to the group policy I was able to succeed in connecting.

It would seem if the default policy for the VPN profile is the access_nul i.e. 0 connections then the mapped group policy (vpntunnel) inherited the 0 instead of the default group policy of 3.

The policies were originally created using the GUI and the GUI defaults to inherit for simultaneous connections and I assumed that meant it had inherited from the default policy.

It make sense to me but it is not what I expected. I suspect this is a newbie error.

In any case a big thank you guys for your help in debugging this -- it has been an education.

Blessing

Charlie

Dinesh Moudgil · ‎08-27-2014

Hi Charlie,

I am glad it is working for you.
The order of the preference for the attributes is :-

1. DAP
2. User's attributes
3. User's group-policy.
4. Tunnel-group's default group-policy.
5. Default group-policy (DfltGrpPolicy)

Since we had attribute mapping pushing the group-policy for the user , so the attribute (simultaneous login ) would be taken firstly from the ldap pushed group-policy .
If it is not present there , it would be taken from tunnel-group's default group-policy (access_nul in this case).
If that is not present there as well , then Default group-policy DfltGrpPolicy (ASAs default group-policy ) would be called upon to provide the parameter value.
Thus , we need to make sure that we define simultaneous login in the LDAP pushed group-policy to avoid issues.

HTH

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

nkarthikeyan · ‎07-31-2014

can u cross verify in your server as well?... because the attributes are case sensitive....

Please do so with initial step by step to cross verify that...

Regards

Karthik

Charlie Dick · ‎08-19-2014

Good afternoon,

I have an update on the problem that I been having. (Back after a holiday.) I have figured out that using the ADSM gui the attribute mapping does not happen. I have used the cli to check the mapping. I am still having problems I have run both the debug and sh session commands and got the following results.

It looks like the mapping is functioning but being selecting but not applied. If I set the default group policy to nul access I can't not connect even if the mapping should be providing the vpntunnel policy. I have a question about the connection profile (tunnel Group) Lock (I don't understand this function), does this prevent a changing of policies?

Thanks for any help

Charlie

ciscoasa# debug ldap 255
[290] Session Start
[290] New request Session, context 0xad84da70, reqType = Authentication
[290] Fiber started
[290] Creating LDAP context with uri=ldap://192.168.70.132:389
[290] Connect to LDAP server: ldap://192.168.70.132:389, status = Successful
[290] supportedLDAPVersion: value = 2
[290] supportedLDAPVersion: value = 3
[290] Binding as Directory Manager
[290] Performing Simple authentication for Directory Manager to 192.168.70.132
[290] LDAP Search:
        Base DN = [ou=Users,dc=company,dc=local]
        Filter = [cn=chadic]
        Scope   = [SUBTREE]
[290] User DN = [uid=chadic,ou=Users,dc=company,dc=local]
[290] Server type for 192.168.70.132 unknown - no password policy
[290] Binding as chadic
[290] Performing Simple authentication for chadic to 192.168.70.132
[290] Processing LDAP response for user chadic
[290] Authentication successful for chadic to 192.168.70.132
[290] Retrieved User Attributes:
[290]   objectClass: value = posixAccount
[290]   objectClass: value = top
[290]   objectClass: value = inetOrgPerson
[290]   objectClass: value = organizationalPerson
[290]   objectClass: value = person
[290]   objectClass: value = Products
[290]   gidNumber: value = 65534
[290]   givenName: value = cha
[290]   sn: value = cha
[290]   usesvpn: value = FALSE
[290]           mapped to Group-Policy: value = access_null
[290]           mapped to LDAP-Class: value = access_null
[290]   displayName: value = chadic
[290]   uid: value = chadic
[290]   homeDirectory: value = /
[290]   cn: value = chadic
[290]   uidNumber: value = 47115
[290]   userPassword: value = {SSHA}
[290] Fiber exit Tx=327 bytes Rx=672 bytes, status=1
[290] Session End

ciscoasa# sh vpn-sessiondb detail svc

Session Type: AnyConnect Detailed

Username     : chadic                      Index        : 187
Assigned IP : 10.10.10.1                                        Public IP    : 192.168.70.77
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : RC4                            Hashing      : SHA1
Bytes Tx     : 114081                                 Bytes Rx     : 86323
Pkts Tx      : 384                                         Pkts Rx      : 480
Pkts Tx Drop : 0                                         Pkts Rx Drop : 0
Group Policy : vpntunnel                           Tunnel Group : vpntunnel
Login Time   : 11:37:55 GMT/BDT Tue Aug 19 2014
Duration     : 0h:00m:48s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                                  VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID    : 187.1
Public IP    : 192.168.70.77
Encryption   : RC4                                    Hashing      : SHA1
Encapsulation: TLSv1.0                           TCP Dst Port : 443
Auth Mode    : userPassword
Idle Time Out: 30 Minutes                         Idle TO Left : 29 Minutes
Client Type : AnyConnect
Client Ver   : AnyConnect Windows 3.1.00495
Bytes Tx     : 23262                                   Bytes Rx     : 5915
Pkts Tx      : 28                                          Pkts Rx      : 11
Pkts Tx Drop : 0                                        Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID    : 187.2
Assigned IP : 10.10.10.1                          Public IP    : 192.168.70.77
Encryption   : RC4                                     Hashing      : SHA1
Encapsulation: TLSv1.0                            TCP Src Port : 13705
TCP Dst Port : 443                                    Auth Mode    : userPassword
Idle Time Out: 30 Minutes                         Idle TO Left : 30 Minutes
Client Type : SSL VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.00495
Bytes Tx     : 90130                                   Bytes Rx     : 81008
Pkts Tx      : 356                          Pkts Rx      : 475
Pkts Tx Drop : 0                                 Pkts Rx Drop : 0

NAC:
Reval Int (T): 0 Seconds                      Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds                     EoU Age(T)   : 53 Seconds
Hold Left (T): 0 Seconds                       Posture Token:
Redirect URL :

Dinesh Moudgil · ‎08-19-2014

Hi,

The tunnel-group lock allows you to push the connection to specific tunnel-group rather thatn group-policy based on AD database.
Please refer this document for more clarification.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Using custom LDAP attributes for VPN group policy