travisryan
asked on
Cisco ASA & AnyConnect VPN: Dynamic Access Policy not blocking users
Cisco ASA 5520 with AnyConnect VPN authenticated via LDAP. I'm trying to tighten my security down by limiting which users are allowed. I've taken a test user out of the two groups defined by my dynamic access policy and the user is still allowed to connect in. Why?
I have four pictures attached explaining my situation as I understand it:
1) My LDAP Attribute map shows "Users" or the "<Location> Users" OUs/Containers are mapped attributes.
2) My Dynamic Access Policy shows users that are a member of the "Administrators" OR "<Company Name> Company" group are allowed to continue.
3) A test admin user that's been removed from the "Administrators" group & has never been a part of the "<Company Name> Company" group.
4) A normal level test user that's been removed from the "<Company Name> Company" group & has never been a part of the "Administrators" group.
Both of these users can VPN in fine. Why? Any help is appreciated.
AnyConnect_LDAP-Attribute.JPG
AnyConnect_Dynamic-Access-Policy.JPG
Anyconnect_Admin-Groups.JPG
Anyconnect_Test-Groups.JPG
Please attach as a text file a suitably sanitized copy of the ASA config.
ASKER
Chris, I've changed the Dynamic Access Policy in a way that I believed should only allow users who are part of the Wireless Users group to connect in. Unfortunately, both users in that group and outside of that group can connect in. Did I set this up wrong? Is there someplace else I need to change this?
VPN2_DAP.JPG
ASKER
Group memberships for my test user and test admin attached.
Wifi_VPN_Users.JPG
ASKER CERTIFIED SOLUTION
ASKER
Use the correct group and use the != operator.
I'd suggest that you create a specific group and put the users in that and use that for the policy.
You shouldn't really allow admins to connect to the VPN, they should be using non-privileged accounts to connect.
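As an added illustration (not from anyone in the thread), a small Python model of how ASA DAP records are evaluated shows why the asker's "memberOf = group, action continue" records never block anyone and why the suggested "!=" record does: a non-matching user falls through to the built-in DfltAccessPolicy, whose default action is continue. Group DNs and user names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class DapRecord:
    name: str
    group: str   # memberOf value (DN) the record tests for
    op: str      # "=" or "!=", the two operators discussed in the thread
    action: str  # "continue" or "terminate"


def record_matches(rec: DapRecord, member_of: list[str]) -> bool:
    """A memberOf criterion matches when the DN is (or, for !=, is not) present."""
    in_group = rec.group in member_of
    return in_group if rec.op == "=" else not in_group


def evaluate(records: list[DapRecord], member_of: list[str]) -> str:
    """Aggregate DAP action for a user whose LDAP memberOf values are given.

    All records whose criteria match are selected; if any selected record has
    action terminate, the session is terminated. If no record matches at all,
    the default policy (DfltAccessPolicy) applies, and its default is continue.
    """
    selected = [r for r in records if record_matches(r, member_of)]
    if not selected:
        return "continue"  # DfltAccessPolicy: nothing matched, so nothing blocks
    return "terminate" if any(r.action == "terminate" for r in selected) else "continue"


# The asker's original policy: allow-listed groups only ever add "continue".
ORIGINAL = [
    DapRecord("Admins", "CN=Administrators,CN=Users,DC=example,DC=com", "=", "continue"),
    DapRecord("Company", "CN=Example Company,CN=Users,DC=example,DC=com", "=", "continue"),
]

# The suggested fix: one record that terminates anyone NOT in the dedicated VPN group.
FIXED = [
    DapRecord("Block-non-VPN", "CN=Wireless Users,CN=Users,DC=example,DC=com", "!=", "terminate"),
]

# Constructed sample users: one in the VPN group, one removed from every allowed group.
VPN_USER = ["CN=Wireless Users,CN=Users,DC=example,DC=com"]
REMOVED_USER = ["CN=Domain Users,CN=Users,DC=example,DC=com"]


def demo() -> dict:
    """Return (original, fixed) decisions for each sample user."""
    return {
        "vpn_user": (evaluate(ORIGINAL, VPN_USER), evaluate(FIXED, VPN_USER)),
        "removed_user": (evaluate(ORIGINAL, REMOVED_USER), evaluate(FIXED, REMOVED_USER)),
    }
```

The model assumes the LDAP attribute map actually delivers memberOf to the DAP engine; if the attribute is not mapped, no memberOf criterion can match and every user falls through to the default policy regardless of operator.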