Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups
Problem
When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use
RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I
fear and loathe change I swapped to using Kerberos VPN Authentication for a while. I had to put
in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular
Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change.
The process is to setup AAA for LDAP, then create an ‘Attribute map’ for the domain group,
and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be
honest if you have multiple groups and want to assign different levels of access (i.e. different
ACLs etc.) then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot
simpler.
I’ll post both options, and you can take your pick.
Solution
Firstly you need to create a ‘service account’ in Active Directory that the ASA will use; it only
needs to be able to browse the AD, so a simple Domain User is fine.
Then create a user group that you want to grant AnyConnect Access to;
And, then create a test user and put that user in your domain group.
Configure the ASA for LDAP
Create an AAA LDAP Server Group > Add a Server > Put in the Config for that server like so;
CHANGE THE ENTRIES BELOW (SERVER GROUP NAME, HOST IP, BASE DN, LOGIN DN AND PASSWORD) TO MATCH YOUR REQUIREMENTS
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-LDAP-SERVER protocol ldap
Petes-ASA(config-aaa-server-group)# aaa-server PNL-LDAP-SERVER (inside) host 192.168.100.10
Petes-ASA(config-aaa-server-host)# ldap-base-dn dc=pnl,dc=com
Petes-ASA(config-aaa-server-host)# ldap-scope subtree
Petes-ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
Petes-ASA(config-aaa-server-host)# ldap-login-password P@assword123
Petes-ASA(config-aaa-server-host)# ldap-login-dn cn=asa,OU=ServiceAccounts,OU=PNL,dc=pnl,dc=com
Petes-ASA(config-aaa-server-host)# server-type auto-detect
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)# exit
Petes-ASA#
Now perform a test, and make sure it says ‘successful’.
Petes-ASA# test aaa-server authentication PNL-LDAP-SERVER host 192.168.100.10 username administrator password P@ssword123
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
Add LDAP Authentication For AnyConnect
I’m assuming you already have AnyConnect Setup? If not that’s fine simply follow the article
below, which will set it up for LOCAL authentication, set it up and get it working then come
back here.
Cisco ASA 5500 AnyConnect Setup From Command Line
To change authentication from LOCAL you make a change in the Tunnel-Group for your remote
VPN connection; if you don’t know the name of your tunnel group, ‘show run tun’ will
list them. You add the authentication-server-group to the general-attributes section of the config,
like so;
NOTE: HERE IT WILL FAIL BACK TO 'LOCAL' AUTH IF LDAP GOES DOWN (THIS IS GOOD!)
Petes-ASA(config)# tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-LDAP-SERVER LOCAL
Petes-ASA(config-tunnel-general)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 30899474 8c9cd7c6 495be299 fd911bca
19681 bytes copied in 3.340 secs (6560 bytes/sec)
[OK]
Petes-ASA(config)#
Note: At this point ALL DOMAIN USERS can successfully authenticate. To lock it down to one
domain security group, either apply a Dynamic Access Policy (these can only be done in the
ASDM), or skip further down to edit and create your group-policies and use an attribute-map.
Cisco ASDM Configure Dynamic Access Policies
Connect to the ASDM > Configuration > Remote Access VPN > Dynamic Access Policies >
Add.
Add an LDAP Condition > IF NOT a member (or not equal to member) > Insert domain security
group. Then set the condition to ‘Terminate’.
Then test.
Configure Group Access via Attribute Map
As already pointed out I’m assuming you already have AnyConnect in and working, so you will
have both a Group-Policy your users are using, and a tunnel-group configured; we will make
some changes to those. If you don’t know the name of your configured group-policy or tunnel
group, the following two commands will tell you;
• To see your tunnel group(s): show run tun
• To see your group-policy(s): show run group-policy
Note: If you have many, simply connect with a user, then run show vpn-sessiondb det
anyconnect to get the details.
Firstly create a NEW group-policy that blocks access (this will become the default).
Petes-ASA(config)# group-policy ANYCONNECT-NO-ACCESS internal
Petes-ASA(config)# group-policy ANYCONNECT-NO-ACCESS attributes
Petes-ASA(config-group-policy)# vpn-simultaneous-logins 0
Petes-ASA(config-group-policy)# exit
Then we will change your EXISTING group-policy to change the simultaneous login threshold.
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-simultaneous-logins 3
Petes-ASA(config-group-policy)# exit
Then we will change your EXISTING tunnel-group to change the authentication method, and
set the default group-policy to ‘deny’. Note: I’ve added the ASA’s local user database as a fallback in case the LDAP server(s) are down/not-contactable.
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-LDAP-SERVER LOCAL
Petes-ASA(config-tunnel-general)# default-group-policy ANYCONNECT-NO-ACCESS
Petes-ASA(config-tunnel-general)# exit
Create an Attribute map that matches the AD group that has your ‘allowed’ users in it.
Petes-ASA(config)# ldap attribute-map AM-ANYCONNECT-USERS
Petes-ASA(config-ldap-attribute-map)# map-name memberOf Group-Policy
Petes-ASA(config-ldap-attribute-map)# map-value memberOf CN=VPNUsers,OU=Groups,OU=PNL,DC=pnl,DC=com GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-ldap-attribute-map)# exit
Finally add that Attribute map, to the LDAP server you created earlier.
Petes-ASA(config)# aaa-server PNL-LDAP-SERVER (inside) host 192.168.100.10
Petes-ASA(config-aaa-server-host)# ldap-attribute-map AM-ANYCONNECT-USERS
Then test;
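The decision the ASA makes with the config above (and with the DAP condition from the ASDM section) is easy to misread, so here is a small model of it as an added example; it is not code from the original article and it does not talk to an ASA or a domain controller. It assumes a user’s LDAP entry carries a multi-valued memberOf attribute, that the ASA compares map-value DNs to memberOf DNs case-insensitively after trimming whitespace around RDNs, and that the first matching map-value wins; treat all three as assumptions. The two user entries are constructed sample data.

```python
"""Model of ASA group-policy selection from an LDAP attribute map.

Added example (not from the original article). Assumptions are marked below.
"""

# From the article's config: map-name memberOf Group-Policy, one map-value.
ATTRIBUTE_MAP = {
    "memberOf": [
        ("CN=VPNUsers,OU=Groups,OU=PNL,DC=pnl,DC=com", "GroupPolicy_ANYCONNECT-PROFILE"),
    ],
}
DEFAULT_GROUP_POLICY = "ANYCONNECT-NO-ACCESS"      # tunnel-group default-group-policy
VPN_GROUP_DN = ATTRIBUTE_MAP["memberOf"][0][0]     # group used by the DAP condition

# vpn-simultaneous-logins per group-policy, as configured in the article.
GROUP_POLICY_LOGIN_LIMIT = {
    "ANYCONNECT-NO-ACCESS": 0,
    "GroupPolicy_ANYCONNECT-PROFILE": 3,
}

# Constructed sample entries. NOTE: AD does not list a user's *primary*
# group in memberOf, so a user whose primary group is VPNUsers would not match.
ALICE = {"sAMAccountName": "alice",
         "memberOf": ["CN=VPNUsers,OU=Groups,OU=PNL,DC=pnl,DC=com",
                      "CN=Helpdesk,OU=Groups,OU=PNL,DC=pnl,DC=com"]}
BOB = {"sAMAccountName": "bob",
       "memberOf": ["CN=Helpdesk,OU=Groups,OU=PNL,DC=pnl,DC=com"]}


def normalize_dn(dn: str) -> str:
    """Split a DN on unescaped commas, strip whitespace around each RDN and
    lower-case it (assumption: the ASA matches DNs case-insensitively)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return ",".join(p.lower() for p in parts)


def resolve_group_policy(user_entry, attribute_map=ATTRIBUTE_MAP,
                         default_policy=DEFAULT_GROUP_POLICY) -> str:
    """Return the group-policy the attribute map selects, else the tunnel-group
    default. Assumption: first matching map-value wins."""
    groups = {normalize_dn(d) for d in user_entry.get("memberOf", [])}
    for group_dn, policy in attribute_map.get("memberOf", []):
        if normalize_dn(group_dn) in groups:
            return policy
    return default_policy


def login_allowed(policy: str, current_sessions: int = 0) -> bool:
    """A policy with vpn-simultaneous-logins 0 can never admit a session,
    which is why ANYCONNECT-NO-ACCESS works as a deny."""
    return current_sessions < GROUP_POLICY_LOGIN_LIMIT[policy]


def dap_terminates(user_entry, required_group_dn=VPN_GROUP_DN) -> bool:
    """The ASDM DAP condition from the article: IF NOT a member -> Terminate."""
    groups = {normalize_dn(d) for d in user_entry.get("memberOf", [])}
    return normalize_dn(required_group_dn) not in groups


if __name__ == "__main__":
    for user in (ALICE, BOB):
        policy = resolve_group_policy(user)
        print(f"{user['sAMAccountName']}: policy={policy} "
              f"allowed={login_allowed(policy)} dap_terminate={dap_terminates(user)}")
```

Running it shows alice landing in GroupPolicy_ANYCONNECT-PROFILE and bob in ANYCONNECT-NO-ACCESS, where the simultaneous-login limit of 0 rejects the session; the DAP route reaches the same answer for both users. The primary-group caveat in the comments is the one that most often bites when a test user still gets NO-ACCESS despite being in the right group.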
Related Articles, References, Credits, or External Links
Cisco AnyConnect – Allow Domain Password Change via LDAP
Thanks to Ben Monroe, who emailed me as the original article was lacking the Attribute Map
section. I had omitted it originally and stuck with DAP, primarily because I could not get LDAP
group authentication to work! I still prefer DAP as a solution, but for the sake of completeness I
revisited this, and added the complete LDAP procedure.