Cisco ASA 5520 anyconnect/SSL VPN connect to Microsoft AD with security groups

I have a Cisco AnyConnect VPN set up on my ASA connecting to a 2008 AD server. Users can successfully log in to the VPN with their AD account and access the networks that I specify. What I actually need is for users to be denied access if they are not part of a security group that I specify. I have an ldap attribute-map set up, and I even debugged the login process and can verify that it is indeed tagging the correct user with the attribute-map info. Here is the config:

ldap attribute-map STRMLINE-VPN
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=SSLAccess,CN=Users,DC=(dcname),DC=(dcname),DC=priv SSLAccess
  map-value memberOf FALSE NOACCESS
dynamic-access-policy-record NOACCESS
 action terminate
dynamic-access-policy-record SSLAccess
 priority 1
  svc ask none default svc
aaa-server LDAP-STRMLINE protocol ldap
 server-port 389
 ldap-base-dn DC=(dcname),DC=(dcname),DC=PRIV
 ldap-group-base-dn CN=SSLAccess,CN=Users,DC=(dcname),DC=(dcname),DC=priv
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asaldap,cn=Users,dc=(dcname),dc=(dcname),dc=priv
 server-type microsoft
 ldap-attribute-map STRMLINE-VPN
group-policy SSLAccess internal
group-policy SSLAccess attributes
 vpn-idle-timeout 30
 vpn-filter value EMPLOYEE-VPNTUNNEL
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value EMPLOYEEVPNPOOL
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ssl compression none
  anyconnect ask enable default anyconnect timeout 20
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 authentication-server-group LDAP-STRMLINE
 default-group-policy SSLAccess
tunnel-group SSLAccess webvpn-attributes
 group-alias EMPLOYEES enable

It also works if I create an OU, place users inside it, and then change the AAA ldap-scope to onelevel and point it there. The name of the security group is SSLAccess. Any assistance would be appreciated.

Rob Knight (Consultant) commented:
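As an added illustration (not part of the original post and not Cisco code), the following Python model applies the posted attribute map to constructed memberOf values and shows which group-policy each user ends up with, including what happens to users who match no map-value and therefore fall back to the tunnel-group's default-group-policy. The exact-string comparison and the first-match rule are simplifying assumptions of the model; the DN placeholders are copied from the config above.

```python
# Added example: a small model of how an ASA turns a user's memberOf values
# into a group-policy through an "ldap attribute-map". Not Cisco code; the DN
# placeholders are copied from the config above and the users are constructed.

BASE = "CN=Users,DC=(dcname),DC=(dcname),DC=priv"
SSL_GROUP_DN = "CN=SSLAccess," + BASE

# The "map-value memberOf <value> <group-policy>" lines of STRMLINE-VPN.
# Assumption: the ASA compares each memberOf value with the map-value string
# exactly, so the DN must be spelled the way AD returns it.
ATTRIBUTE_MAP = {
    SSL_GROUP_DN: "SSLAccess",
    "FALSE": "NOACCESS",  # never matches: memberOf only ever holds group DNs
}

# Constructed users with the memberOf values AD returns for them. memberOf
# lists direct memberships only, so membership via a nested group is invisible.
USERS = {
    "alice": [SSL_GROUP_DN, "CN=Domain Users," + BASE],
    "bob": ["CN=Domain Users," + BASE],
    "carol": ["CN=Contractors," + BASE],  # Contractors nested inside SSLAccess
}


def assign_group_policy(member_of, attribute_map, default_policy):
    """Group-policy the ASA applies: first memberOf value with a map-value
    entry wins; with no match the tunnel-group default-group-policy is used."""
    for dn in member_of:
        if dn in attribute_map:
            return attribute_map[dn]
    return default_policy


def evaluate(default_policy):
    """Policy each constructed user receives under a given tunnel-group default."""
    return {name: assign_group_policy(groups, ATTRIBUTE_MAP, default_policy)
            for name, groups in USERS.items()}


def allowed(policy_by_user):
    """Users able to log in (NOACCESS carries vpn-simultaneous-logins 0)."""
    return sorted(u for u, p in policy_by_user.items() if p != "NOACCESS")


if __name__ == "__main__":
    print("as posted (default SSLAccess):", evaluate("SSLAccess"))   # everyone gets in
    print("default NOACCESS:", evaluate("NOACCESS"))                 # only alice gets in
```

With the posted tunnel-group default of SSLAccess, a user who matches nothing in the map still receives the permissive policy; pointing the default at NOACCESS makes the map entry the only route to SSLAccess.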

You can achieve the same sort of functionality using Dynamic Access policies.

Here you can set the default setting to block and then create a new role which allows a connection.

You can specify an AD group as an LDAP attribute for enforcement and could optionally lock them to a group policy, for example.

MrPowell (Author) commented:

I do have DAP listed above in my config; I'm sure it's not correct. I just needed a nudge in the right direction as far as what the config should say for DAP.

Rob Knight (Consultant) commented:

Please see rc172's post about half-way down to help with the settings:

This is using ASDM which I found very helpful with DAP

Kind regards,
