Syntax-Montreal
asked on
Cisco ASA LDAP Authentication and Default Group Policy
Hi, I'm running an ASA 5510 with 8.4(3) code. My remote access tunnel-group is authenticating to an Active Directory ldap server with an attribute map to assign group policy. What I would like to accomplish is that if the user is not a member of any of the groups in the attribute map, the client will disconnect or not connect at all. Is this possible?
As it presently stands, the ldap authentication mechanism will connect the client as long as the username/password are valid, and if the user is not a member of any of the groups in the attribute map, they are assigned to the default group policy.
Relevant config portions below, thanks.
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
 authentication-server-group ActiveDirectory LOCAL
tunnel-group vpn_group webvpn-attributes
 group-alias xxxxxx enable
tunnel-group vpn_group ipsec-attributes
 ikev1 pre-shared-key *****
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 192.168.183.65
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
aaa-server ActiveDirectory (inside) host 192.168.183.64
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
ldap attribute-map ldap-map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=xxxxxx VPN Admin,OU=Groups,DC=xxxxxx,DC=net" admin_policy
 map-value memberOf "CN=xxxxxx VPN Dial-in Global,OU=Groups,DC=xxxxxx,DC=net" employee_policy
 map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
 map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
 map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.183.16 192.168.183.65
 dns-server value 192.168.183.16 192.168.183.65
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value xxxxxx.net
 address-pools value vpnpool
 webvpn
  anyconnect profiles value AdminProfile type user
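One way to get the behaviour asked about above, given here as an added example and not as the accepted answer from the original thread: make the tunnel-group's default group policy one that permits zero simultaneous logins. A user whose memberOf values match none of the map-value entries still authenticates against Active Directory, but the session is torn down immediately because the fallback policy allows no logins. The policy name NOACCESS is an assumption; the tunnel-group name vpn_group and the mapped policy names come from the question.

```cisco
! Added example (not from the original thread). Fallback policy that denies
! any session: users who authenticate but match no map-value land here.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
!
! Point the remote-access tunnel-group at NOACCESS instead of DfltGrpPolicy.
! Users matched by ldap attribute-map ldap-map are still moved to
! admin_policy / employee_policy, which override this default.
tunnel-group vpn_group general-attributes
 default-group-policy NOACCESS
!
! Make sure the mapped policies explicitly allow logins, so an inherited
! value can never deny a legitimately mapped user.
group-policy admin_policy attributes
 vpn-simultaneous-logins 3
group-policy employee_policy attributes
 vpn-simultaneous-logins 3
```

Set the zero-login policy as the tunnel-group's default-group-policy rather than zeroing vpn-simultaneous-logins on DfltGrpPolicy itself: every other group policy inherits unset attributes from DfltGrpPolicy, so a zero there would propagate to any mapped policy that does not override it. Keep the DNS, WINS and address-pool attributes on DfltGrpPolicy as in the question, since the mapped policies still inherit those. To confirm which policy a user actually received, check `show vpn-sessiondb anyconnect` (or `show vpn-sessiondb ra-ikev1-ipsec`) for the Group Policy field of an active session, and `debug ldap 255` during a test login shows the memberOf values returned by AD and the map-value they hit.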