Restrict Cisco AnyConnect VPN login based on AD Group

You can restrict Cisco AnyConnect VPN login to members of an AD group by following the steps below. The mechanism is simple: the ASA authenticates the user against AD over LDAP and receives the user's memberOf attribute, an ldap attribute-map turns membership of the VPN group into the ASA group policy GP_ANYCONNECT, and every other AD user falls through to a default group policy whose vpn-simultaneous-logins is 0, so their login is rejected.

  1. Create a AAA server group (AD) for LDAP authentication. The ldap-login-dn account only needs read access to the directory, so use a dedicated low-privilege service account rather than a domain admin as in this lab, and consider enabling ldap-over-ssl (port 636) so that neither the bind password nor the user passwords cross the network in cleartext on port 389.
aaa-server AD protocol ldap
aaa-server AD (inside) host 172.16.1.115
 ldap-base-dn dc=lab,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn Administrator@lab.local
 server-type microsoft
  2. Turn on LDAP debugging and verify that authentication against the LDAP / AD server works (note that the test command takes the password in cleartext on the CLI):
debug ldap 255
test aaa-server authentication AD host 172.16.1.115 username administrator password P@ssw0rd
INFO: Attempting Authentication test to IP address (172.16.1.115) (timeout: 12 seconds)

[-2147483635] Session Start
[-2147483635] New request Session, context 0x00007f3060b122b8, reqType = Authentication
[-2147483635] Fiber started
[-2147483635] Creating LDAP context with uri=ldap://172.16.1.115:389
[-2147483635] Connect to LDAP server: ldap://172.16.1.115:389, status = Successful
[-2147483635] defaultNamingContext: value = DC=lab,DC=local
[-2147483635] supportedLDAPVersion: value = 3
[-2147483635] supportedLDAPVersion: value = 2
[-2147483635] supportedSASLMechanisms: value = GSSAPI
[-2147483635] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483635] supportedSASLMechanisms: value = EXTERNAL
[-2147483635] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483635] Binding as administrator@lab.local
[-2147483635] Performing Simple authentication for administrator@lab.local to 172.16.1.115
[-2147483635] LDAP Search:
        Base DN = [dc=lab,dc=local]
        Filter  = [sAMAccountName=administrator]
        Scope   = [SUBTREE]
[-2147483635] User DN = [CN=Administrator,CN=Users,DC=lab,DC=local]
[-2147483635] Talking to Active Directory server 172.16.1.115
[-2147483635] Reading password policy for administrator, dn:CN=Administrator,CN=Users,DC=lab,DC=local
[-2147483635] Read bad password count 0
[-2147483635] Binding as administrator
[-2147483635] Performing Simple authentication for administrator to 172.16.1.115
[-2147483635] Processing LDAP response for user administrator
[-2147483635] Message (administrator):
[-2147483635] Authentication successful for administrator to 172.16.1.115
[-2147483635] Retrieved User Attributes:
[-2147483635]   objectClass: value = top
[-2147483635]   objectClass: value = person
[-2147483635]   objectClass: value = organizationalPerson
[-2147483635]   objectClass: value = user
[-2147483635]   cn: value = Administrator
[-2147483635]   description: value = Built-in account for administering the computer/domain
[-2147483635]   distinguishedName: value = CN=Administrator,CN=Users,DC=lab,DC=local
[-2147483635]   instanceType: value = 4
[-2147483635]   whenCreated: value = 20180927105816.0Z
[-2147483635]   whenChanged: value = 20180928075700.0Z
[-2147483635]   uSNCreated: value = 8196
[-2147483635]   memberOf: value = CN=Group Policy Creator Owners,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Domain Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Enterprise Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Schema Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Administrators,CN=Builtin,DC=lab,DC=local
[-2147483635]   uSNChanged: value = 12846
[-2147483635]   name: value = Administrator
[-2147483635]   objectGUID: value = *f.B...L...".l..
[-2147483635]   userAccountControl: value = 512
[-2147483635]   badPwdCount: value = 0
[-2147483635]   codePage: value = 0
[-2147483635]   countryCode: value = 0
[-2147483635]   badPasswordTime: value = 131825949934044385
[-2147483635]   lastLogoff: value = 0
[-2147483635]   lastLogon: value = 131825950217951268
[-2147483635]   logonHours: value = .....................
[-2147483635]   pwdLastSet: value = 131825950200295044
[-2147483635]   primaryGroupID: value = 513
[-2147483635]   objectSid: value = .............1...b.T........
[-2147483635]   adminCount: value = 1
[-2147483635]   accountExpires: value = 0
[-2147483635]   logonCount: value = 21
[-2147483635]   sAMAccountName: value = Administrator
[-2147483635]   sAMAccountType: value = 805306368
[-2147483635]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
[-2147483635]   isCriticalSystemObject: value = TRUE
[-2147483635]   dSCorePropagationData: value = 20180927111405.0Z
[-2147483635]   dSCorePropagationData: value = 20180927105856.0Z
[-2147483635]   dSCorePropagationData: value = 16010101000416.0Z
[-2147483635]   lastLogonTimestamp: value = 131825198723554729
[-2147483635] Fiber exit Tx=530 bytes Rx=2899 bytes, status=1
[-2147483635] Session End
INFO: Authentication Successful
  3. In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory (AD) attribute memberOf, to the IETF-Radius-Class attribute that is understood by the VPN headend (on current ASA releases the map target is named Group-Policy):
    https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc13

The AD attribute value in the LDAP attribute map is CASE SENSITIVE: the DN in map-value must match the memberOf value that AD returns character for character, so copy it from the debug ldap output rather than typing it by hand. Also note that memberOf only lists the groups a user is a direct member of; a user who is in the VPN group only through a nested group will not match the map.

  4. Create a new LDAP attribute map (LDAP-MAP) that maps the AD group (VPN) to GP_ANYCONNECT (the group policy defined on the Cisco ASA). The map-value syntax is map-value <attribute> <AD value> <ASA value>; put the DN in double quotes if it contains spaces:
ldap attribute-map LDAP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN,CN=Users,DC=lab,DC=local GP_ANYCONNECT
  5. Create a new group policy (NO_ACCESS) with vpn-simultaneous-logins 0 so that AD users who do not belong to the VPN group cannot log in:
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
  6. Update the existing group policy (GP_ANYCONNECT) with vpn-simultaneous-logins 500 (the maximum number of simultaneous sessions allowed per user; it must be greater than 0, otherwise members of the VPN group are blocked as well):
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 dns-server value 172.16.1.115
 vpn-simultaneous-logins 500
  7. Update the tunnel group (ANYCONNECT-PROFILE) so that NO_ACCESS is the default group policy; AD users whose attributes do not map to another group policy end up here. The LOCAL entry in authentication-server-group is only used as a fallback when the AD server is unreachable, not when AD rejects the credentials:
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group AD LOCAL
 default-group-policy NO_ACCESS
  8. Assign the LDAP attribute map to the AAA server group (AD) defined earlier:
aaa-server AD protocol ldap
aaa-server AD (inside) host 172.16.1.115
 ldap-attribute-map LDAP-MAP
  9. When user vpn1, who is a member of the VPN group, logs in through Cisco AnyConnect, the memberOf attribute is mapped to group policy GP_ANYCONNECT and the login succeeds. debug ldap 255 shows the mapping:
debug ldap 255

[5993]  distinguishedName: value = CN=vpn1,CN=Users,DC=lab,DC=local
[5820]  memberOf: value = CN=VPN,CN=Users,DC=lab,DC=local
[5820]          mapped to Group-Policy: value = GP_ANYCONNECT
[5820]          mapped to LDAP-Class: value = GP_ANYCONNECT
  10. When a user who is not a member of the VPN group logs in, no memberOf value matches the attribute map, so the default group policy (NO_ACCESS) is assigned and the login is rejected because vpn-simultaneous-logins is 0.
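The following Python script is an added example, not part of the original post or of any Cisco tool. It models how the ASA applies the attribute map from step 4 to the memberOf values seen in debug ldap 255 output: an exact, case-sensitive match selects GP_ANYCONNECT, anything else falls through to the tunnel group's default group policy NO_ACCESS, whose vpn-simultaneous-logins of 0 denies the login. The debug lines, users and group DNs in DEBUG_SAMPLE are constructed for the example; CORRECT_MAP and WRONG_CASE_MAP are assumed map contents used to show the case-sensitivity pitfall.

```python
"""Model of how the ASA applies an 'ldap attribute-map' to the memberOf
values it receives from AD, run over constructed 'debug ldap 255' lines."""
import re
from dataclasses import dataclass

# Constructed sample in the format of 'debug ldap 255' output; the session
# ids, users and group DNs are made up for this example.
DEBUG_SAMPLE = """\
[5820]  distinguishedName: value = CN=vpn1,CN=Users,DC=lab,DC=local
[5820]  memberOf: value = CN=VPN,CN=Users,DC=lab,DC=local
[5820]  memberOf: value = CN=Domain Users,CN=Users,DC=lab,DC=local
[5821]  distinguishedName: value = CN=bob,CN=Users,DC=lab,DC=local
[5821]  memberOf: value = CN=Domain Users,CN=Users,DC=lab,DC=local
"""

# '[<session id>]  <attribute>: value = <value>'
ATTR_RE = re.compile(r"^\[(?P<sid>-?\d+)\]\s+(?P<name>\w+): value = (?P<value>.*)$")

# vpn-simultaneous-logins per group-policy, as configured in the steps above
GROUP_POLICIES = {"GP_ANYCONNECT": 500, "NO_ACCESS": 0}


def parse_debug(text):
    """Group attribute lines by LDAP session id: {sid: {attr: [values]}}."""
    sessions = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # not an attribute line (Session Start, Binding as ..., etc.)
        attrs = sessions.setdefault(m["sid"], {})
        attrs.setdefault(m["name"], []).append(m["value"])
    return sessions


@dataclass(frozen=True)
class AttributeMap:
    """One 'map-name memberOf Group-Policy' map: {AD value: ASA group-policy}."""
    values: dict


def apply_map(attr_map, member_of, default_policy):
    """Return (group_policy, reason).

    Like the ASA, a map-value matches only on an exact, case-sensitive
    string comparison against each memberOf value; anything else falls
    through to the tunnel-group's default-group-policy.
    """
    for dn in member_of:
        if dn in attr_map.values:
            return attr_map.values[dn], f"matched {dn}"
    # Diagnose the most common reason a map silently fails: the DN is
    # right except for case.
    by_lower = {k.lower(): k for k in attr_map.values}
    for dn in member_of:
        if dn.lower() in by_lower:
            return default_policy, (
                f"case mismatch: AD returned {dn!r} but the map has {by_lower[dn.lower()]!r}")
    return default_policy, "no memberOf value matched the map"


def evaluate(debug_text, attr_map, default_policy="NO_ACCESS"):
    """For each user in the debug output: (group_policy, login_allowed, reason)."""
    results = {}
    for attrs in parse_debug(debug_text).values():
        user = attrs.get("distinguishedName", ["<unknown>"])[0]
        policy, reason = apply_map(attr_map, attrs.get("memberOf", []), default_policy)
        results[user] = (policy, GROUP_POLICIES[policy] > 0, reason)
    return results


# Assumed map contents for the demonstration (not from the original post).
CORRECT_MAP = AttributeMap({"CN=VPN,CN=Users,DC=lab,DC=local": "GP_ANYCONNECT"})
# Same map typed in the wrong case: matches nothing on the ASA.
WRONG_CASE_MAP = AttributeMap({"CN=vpn,CN=Users,DC=lab,DC=local": "GP_ANYCONNECT"})

if __name__ == "__main__":
    for label, m in (("correct map", CORRECT_MAP), ("wrong-case map", WRONG_CASE_MAP)):
        print(f"== {label}")
        for user, (policy, allowed, reason) in evaluate(DEBUG_SAMPLE, m).items():
            print(f"{user}: {policy} login={'allowed' if allowed else 'denied'} ({reason})")
```

To check a real map before committing it, paste the attribute lines from your own debug ldap 255 capture in place of DEBUG_SAMPLE and the map-value entries in place of CORRECT_MAP; a "case mismatch" result means the map will never fire on the ASA and every user will land in NO_ACCESS.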
