Cisco ASA LDAP Authentication and Default Group Policy

Hi, I'm running an ASA 5510 with 8.4(3) code. My remote access tunnel-group is authenticating to an Active Directory ldap server with an attribute map to assign group policy. What I would like to accomplish is that if the user is not a member of any of the groups in the attribute map, the client will disconnect or not connect at all. Is this possible?

As it presently stands, the ldap authentication mechanism will connect the client as long as the username/password are valid, and if the user is not a member of any of the groups in the attribute map, they are assigned to the default group policy.

Relevant config portions below, thanks.

tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
 authentication-server-group ActiveDirectory LOCAL
tunnel-group vpn_group webvpn-attributes
 group-alias xxxxxx enable
tunnel-group vpn_group ipsec-attributes
 ikev1 pre-shared-key *****

aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 192.168.183.65
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
aaa-server ActiveDirectory (inside) host 192.168.183.64
 ldap-base-dn DC=xxxxxx,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxx,DC=net
 server-type microsoft
 ldap-attribute-map ldap-map
 
ldap attribute-map ldap-map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=xxxxxx VPN Admin,OU=Groups,DC=xxxxxx,DC=net" admin_policy
  map-value memberOf "CN=xxxxxx VPN Dial-in Global,OU=Groups,DC=xxxxxx,DC=net" employee_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
  map-value memberOf "CN=xxxxxx VPN xxxxxx,OU=Groups,DC=xxxxxx,DC=net" xxxxxx_policy
 
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.183.16 192.168.183.65
 dns-server value 192.168.183.16 192.168.183.65
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value xxxxxx.net
 address-pools value vpnpool
 webvpn
  anyconnect profiles value AdminProfile type user
Syntax-Montreal Asked:

Cyberwrath Commented:
I have not seen what you're asking done, and I suspect it's not possible, as the functionality you're seeing is the ASA using the default policy for its intended purpose. While that might be undesirable, there are ways to ensure the users without groups do not get access to anything. I suspect if you can do the above (nice config, btw) you know how to accomplish what you're asking; if not, reply back and I can help.

Syntax-Montreal (Author) Commented:
Thanks for the comment Cyber, I just found the solution: set simultaneous-vpn-logins value to 0 for the DfltGrpPolicy, then you can't connect unless you match a value on the attribute map.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
Syntax-Montreal (Author) Commented:
The solution I found was the correct answer.
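
An added example, not part of the original thread: a small audit of an ASA configuration for the setup the thread arrives at, using the ASA keyword `vpn-simultaneous-logins`. It assumes the tunnel group falls back to DfltGrpPolicy as in the question; the sample config and its group names are constructed. It also flags mapped policies with no explicit limit, since group policies inherit unset attributes from the default policy.

```python
import re

# Constructed sample modelled on the question's config; all names are placeholders.
SAMPLE_CONFIG = """\
ldap attribute-map ldap-map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Admin,OU=Groups,DC=example,DC=net" admin_policy
  map-value memberOf "CN=VPN Dial-in,OU=Groups,DC=example,DC=net" employee_policy
group-policy DfltGrpPolicy attributes
 address-pools value vpnpool
group-policy admin_policy internal
group-policy admin_policy attributes
 vpn-simultaneous-logins 3
group-policy employee_policy attributes
 dns-server value 192.0.2.53
"""

MAP_VALUE = re.compile(r'\s+map-value\s+\S+\s+(?:"[^"]*"|\S+)\s+(\S+)\s*$')
GP_ATTRS = re.compile(r'group-policy\s+(\S+)\s+attributes\s*$')
LOGINS = re.compile(r'\s+vpn-simultaneous-logins\s+(\d+)\s*$')

def parse(config):
    """Return (policies named by map-value lines, {policy: explicit login limit})."""
    mapped, logins, current = [], {}, None
    for line in config.splitlines():
        if m := MAP_VALUE.match(line):
            mapped.append(m.group(1))
        elif m := GP_ATTRS.match(line):
            current = m.group(1)            # entering a group-policy attribute block
        elif line and not line[0].isspace():
            current = None                  # any other top-level command ends it
        elif (m := LOGINS.match(line)) and current:
            logins[current] = int(m.group(1))
    return mapped, logins

def audit(config, default_policy="DfltGrpPolicy"):
    """Findings for a 'no matching AD group means no VPN session' setup."""
    mapped, logins = parse(config)
    findings = []
    if logins.get(default_policy) != 0:
        findings.append(f"{default_policy}: vpn-simultaneous-logins is not 0; "
                        "users matching no map-value still connect")
    for name in dict.fromkeys(mapped):      # de-duplicate, keep order
        if logins.get(name) is None:
            findings.append(f"{name}: no explicit vpn-simultaneous-logins; "
                            "inherits the default policy's value")
        elif logins[name] == 0:
            findings.append(f"{name}: vpn-simultaneous-logins 0 denies this group")
    return findings
```

`audit(SAMPLE_CONFIG)` returns one finding for DfltGrpPolicy and one for `employee_policy`; an empty list means the default policy denies sessions and every mapped policy sets its own limit.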