Solved

Cisco ASA LDAP Authentication and Default Group Policy

Posted on 2012-03-27
3
2,010 Views
Last Modified: 2012-04-02
Hi, I'm running an ASA 5510 with 8.4(3) code. My remote access tunnel-group is authenticating to an Active Directory ldap server with an attribute map to assign group policy. What I would like to accomplish is that if the user is not a member of any of the groups in the attribute map, the client will disconnect or not connect at all. Is this possible?

As it presently stands, the ldap authentication mechanism will connect the client as long as the username/password are valid, and if the user is not a member of any of the groups in the attribute map, they are assigned to the default group policy.

Relevant config portions below, thanks.

tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
 authentication-server-group ActiveDirectory LOCAL
tunnel-group vpn_group webvpn-attributes
 group-alias xxxxxx enable
tunnel-group vpn_group ipsec-attributes
 ikev1 pre-shared-key *****

aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 192.168.183.65
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
aaa-server ActiveDirectory (inside) host 192.168.183.64
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
 
ldap attribute-map ldap-map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=xxxxxx VPN Admin,OU=Groups,DC=xxxxxx,DC=net" admin_policy
  map-value memberOf "CN=xxxxxx VPN Dial-in Global,OU=Groups,DC=xxxxxx,DC=net" employee_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
 
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.183.16 192.168.183.65
 dns-server value 192.168.183.16 192.168.183.65
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value xxxxxx.net
 address-pools value vpnpool
 webvpn
  anyconnect profiles value AdminProfile type user
0
Comment
Question by:Syntax-Montreal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Assisted Solution

by:Cyberwrath
Cyberwrath earned 100 total points
ID: 37776031
I have not seen what your asking done and I am suspecting its not possible as the functionality your seeing is the asa using the default policy for its intended purpose. While that might be undesirable there are ways to ensure the users without groups do not get access to anything  I suspect if you can do the above (nice config btw) you know how to accomplish what your asking, if not reply back and I can help.

Thank you!
0
 

Accepted Solution

by:
Syntax-Montreal earned 0 total points
ID: 37777246
Thanks for the comment Cyber, I just found the solution: set simultaneous-vpn-logins value to 0 for the DfltGrpPolicy, then you can't connect unless you match a value on the attribute map.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
0
 

Author Closing Comment

by:Syntax-Montreal
ID: 37795111
The solution I found was the correct answer.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
2012 r2 branch office DNS 2 61
logon script 9 76
SSG50 Firewall Rules 17 45
Windows 10 - Cisco Anyconnect Secure Mobility Client requires a reboot 6 60
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question