Restrict Cisco AnyConnect VPN login based on AD Group

You can restrict Cisco AnyConnect VPN login to members of a specific Active Directory (AD) group by following the steps below. The idea is to let LDAP authenticate every domain user as usual, but to hand out a usable group policy only to users whose memberOf attribute contains the VPN group; everyone else falls into a default group policy that allows zero simultaneous logins and therefore cannot connect.

  1. Create a AAA server group (AD) for LDAP authentication. The ldap-login-dn is the account the ASA binds with to look up users; it only needs read access to the user objects, so in production use a dedicated low-privilege service account rather than the domain Administrator used in this lab. Note also that plain LDAP on port 389 with simple binding sends both that account's password and every VPN user's password in cleartext; enable LDAP over SSL (ldap-over-ssl, port 636) on the host entry before exposing this to real users.
aaa-server AD protocol ldap
aaa-server AD (inside) host 172.16.1.115
 ldap-base-dn dc=lab,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn Administrator@lab.local
 server-type microsoft
  2. Turn on LDAP debugging and verify that authentication against the LDAP/AD server works. debug ldap 255 prints every attribute of the user object, including all group memberships, so run it only while testing and turn it off afterwards (undebug all). The test command also takes the password on the command line, so use a test account and clear the command history when done.
debug ldap 255
test aaa-server authentication AD host 172.16.1.115 username administrator password P@ssw0rd
INFO: Attempting Authentication test to IP address (172.16.1.115) (timeout: 12 seconds)

[-2147483635] Session Start
[-2147483635] New request Session, context 0x00007f3060b122b8, reqType = Authentication
[-2147483635] Fiber started
[-2147483635] Creating LDAP context with uri=ldap://172.16.1.115:389
[-2147483635] Connect to LDAP server: ldap://172.16.1.115:389, status = Successful
[-2147483635] defaultNamingContext: value = DC=lab,DC=local
[-2147483635] supportedLDAPVersion: value = 3
[-2147483635] supportedLDAPVersion: value = 2
[-2147483635] supportedSASLMechanisms: value = GSSAPI
[-2147483635] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483635] supportedSASLMechanisms: value = EXTERNAL
[-2147483635] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483635] Binding as administrator@lab.local
[-2147483635] Performing Simple authentication for administrator@lab.local to 172.16.1.115
[-2147483635] LDAP Search:
        Base DN = [dc=lab,dc=local]
        Filter  = [sAMAccountName=administrator]
        Scope   = [SUBTREE]
[-2147483635] User DN = [CN=Administrator,CN=Users,DC=lab,DC=local]
[-2147483635] Talking to Active Directory server 172.16.1.115
[-2147483635] Reading password policy for administrator, dn:CN=Administrator,CN=Users,DC=lab,DC=local
[-2147483635] Read bad password count 0
[-2147483635] Binding as administrator
[-2147483635] Performing Simple authentication for administrator to 172.16.1.115
[-2147483635] Processing LDAP response for user administrator
[-2147483635] Message (administrator):
[-2147483635] Authentication successful for administrator to 172.16.1.115
[-2147483635] Retrieved User Attributes:
[-2147483635]   objectClass: value = top
[-2147483635]   objectClass: value = person
[-2147483635]   objectClass: value = organizationalPerson
[-2147483635]   objectClass: value = user
[-2147483635]   cn: value = Administrator
[-2147483635]   description: value = Built-in account for administering the computer/domain
[-2147483635]   distinguishedName: value = CN=Administrator,CN=Users,DC=lab,DC=local
[-2147483635]   instanceType: value = 4
[-2147483635]   whenCreated: value = 20180927105816.0Z
[-2147483635]   whenChanged: value = 20180928075700.0Z
[-2147483635]   uSNCreated: value = 8196
[-2147483635]   memberOf: value = CN=Group Policy Creator Owners,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Domain Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Enterprise Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Schema Admins,CN=Users,DC=lab,DC=local
[-2147483635]   memberOf: value = CN=Administrators,CN=Builtin,DC=lab,DC=local
[-2147483635]   uSNChanged: value = 12846
[-2147483635]   name: value = Administrator
[-2147483635]   objectGUID: value = *f.B...L...".l..
[-2147483635]   userAccountControl: value = 512
[-2147483635]   badPwdCount: value = 0
[-2147483635]   codePage: value = 0
[-2147483635]   countryCode: value = 0
[-2147483635]   badPasswordTime: value = 131825949934044385
[-2147483635]   lastLogoff: value = 0
[-2147483635]   lastLogon: value = 131825950217951268
[-2147483635]   logonHours: value = .....................
[-2147483635]   pwdLastSet: value = 131825950200295044
[-2147483635]   primaryGroupID: value = 513
[-2147483635]   objectSid: value = .............1...b.T........
[-2147483635]   adminCount: value = 1
[-2147483635]   accountExpires: value = 0
[-2147483635]   logonCount: value = 21
[-2147483635]   sAMAccountName: value = Administrator
[-2147483635]   sAMAccountType: value = 805306368
[-2147483635]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
[-2147483635]   isCriticalSystemObject: value = TRUE
[-2147483635]   dSCorePropagationData: value = 20180927111405.0Z
[-2147483635]   dSCorePropagationData: value = 20180927105856.0Z
[-2147483635]   dSCorePropagationData: value = 16010101000416.0Z
[-2147483635]   lastLogonTimestamp: value = 131825198723554729
[-2147483635] Fiber exit Tx=530 bytes Rx=2899 bytes, status=1
[-2147483635] Session End
INFO: Authentication Successful
  3. To use LDAP to assign a group policy to a user, configure an LDAP attribute map that maps an AD attribute, here memberOf, to a Cisco attribute the VPN headend understands (Group-Policy, or equivalently IETF-Radius-Class). Cisco's reference for this mapping:
    https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc13

The AD attribute value in the LDAP map is CASE SENSITIVE: the DN you type in map-value must match the memberOf value character for character, exactly as it appears in the debug output above (CN=VPN,CN=Users,DC=lab,DC=local), even though AD itself treats names case-insensitively. Also keep in mind that memberOf lists only direct group memberships, so a user who is in the VPN group only through a nested group will not be matched.

  4. Create a new LDAP attribute map (LDAP-MAP) that maps the AD group (VPN) to GP_ANYCONNECT (the group policy defined on the Cisco ASA). If the group DN contains spaces, enclose it in double quotes.
ldap attribute-map LDAP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN,CN=Users,DC=lab,DC=local GP_ANYCONNECT
  5. Create a new group policy (NO_ACCESS) with vpn-simultaneous-logins 0. It is this zero session limit, not the policy name, that blocks AD users who do not belong to the VPN group from logging in.
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
  6. Update the existing group policy (GP_ANYCONNECT) with vpn-simultaneous-logins 500 (the maximum number of concurrent VPN sessions the policy allows; any value above 0 permits login, so set it explicitly rather than inheriting it).
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 dns-server value 172.16.1.115
 vpn-simultaneous-logins 500
  7. Update the tunnel group (ANYCONNECT-PROFILE) so that its default group policy is NO_ACCESS. The default applies whenever the LDAP attribute map returns no Group-Policy value, i.e. to AD users who do not belong to the VPN group. Note that LOCAL in the authentication-server-group is only a fallback used when the AD server is unreachable; a local user authenticated that way has no memberOf attribute and will also land in NO_ACCESS unless a group policy is assigned on the username attributes.
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group AD LOCAL
 default-group-policy NO_ACCESS
  8. Assign the LDAP attribute map to the AAA server group (AD) defined earlier.
aaa-server AD protocol ldap
aaa-server AD (inside) host 172.16.1.115
 ldap-attribute-map LDAP-MAP
  9. When user vpn1, who is a member of the VPN group, logs in to Cisco AnyConnect, the memberOf value is mapped, the user is assigned the group policy GP_ANYCONNECT and the login succeeds. The relevant part of the debug output:
debug ldap 255

[5993]  distinguishedName: value = CN=vpn1,CN=Users,DC=lab,DC=local
[5820]  memberOf: value = CN=VPN,CN=Users,DC=lab,DC=local
[5820]          mapped to Group-Policy: value = GP_ANYCONNECT
[5820]          mapped to LDAP-Class: value = GP_ANYCONNECT
  10. When a user who is not a member of the VPN group tries to log in, no memberOf value matches the LDAP attribute map, so the debug output shows no "mapped to Group-Policy" line, the tunnel group's default group policy (NO_ACCESS) is assigned, and the connection is refused because that policy allows zero simultaneous logins.
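To check a group of accounts before rolling this out, it helps to replay the decision the ASA makes from captured debug ldap 255 output. The script below is an added example, not code from the original post: it parses memberOf and sAMAccountName lines in the debug format shown above, applies an ldap attribute-map with the same case-sensitive whole-DN comparison the ASA uses, and reports which group policy (and therefore whether a login) each user would get. All users, session IDs and group DNs in it are constructed, and the first-match rule for users who are in more than one mapped group is an assumption.

```python
"""
Emulation of the ASA's ldap attribute-map evaluation, fed with lines in the
format of `debug ldap 255` output.  Added example, not the post's own code;
sample users, session IDs and group DNs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lines of interest inside "Retrieved User Attributes:".  The bracketed
# number is the ASA's per-session ID, which keeps different users apart.
ATTR_RE = re.compile(r"^\[(-?\d+)\]\s+(memberOf|sAMAccountName): value = (.+?)\s*$")


@dataclass
class LdapAttributeMap:
    """Mirror of:
         ldap attribute-map <name>
           map-name  memberOf Group-Policy
           map-value memberOf <AD value> <group-policy>
    """
    name: str
    values: Dict[str, str] = field(default_factory=dict)  # AD DN -> group policy

    def map_value(self, ad_value: str, cisco_value: str) -> None:
        self.values[ad_value] = cisco_value

    def lookup(self, member_of: str) -> Optional[str]:
        # The ASA compares the whole DN string case-sensitively: a map-value
        # written as CN=vpn,... never matches a memberOf of CN=VPN,...
        return self.values.get(member_of)


@dataclass
class GroupPolicy:
    name: str
    vpn_simultaneous_logins: int


def parse_debug(text: str) -> Dict[str, List[str]]:
    """Return {sAMAccountName: [memberOf DN, ...]} for each debug session."""
    sessions: Dict[str, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        sid, attr, value = m.groups()
        sessions.setdefault(sid, {"memberOf": [], "sAMAccountName": []})[attr].append(value)
    # memberOf lines precede sAMAccountName in the output, hence the two passes.
    return {s["sAMAccountName"][0]: s["memberOf"] for s in sessions.values() if s["sAMAccountName"]}


def resolve_group_policy(member_of: List[str], attr_map: LdapAttributeMap,
                         default_group_policy: str) -> str:
    """Group policy the session ends up with: first mapped memberOf wins
    (assumption), otherwise the tunnel-group's default-group-policy."""
    for dn in member_of:
        mapped = attr_map.lookup(dn)
        if mapped is not None:
            return mapped
    return default_group_policy


def login_allowed(policy_name: str, policies: Dict[str, GroupPolicy]) -> bool:
    """vpn-simultaneous-logins 0 is what actually refuses the session."""
    return policies[policy_name].vpn_simultaneous_logins > 0


def evaluate(text: str, attr_map: LdapAttributeMap, policies: Dict[str, GroupPolicy],
             default_group_policy: str = "NO_ACCESS") -> Dict[str, Tuple[str, bool]]:
    """{user: (group policy, login allowed)} for every user in the debug text."""
    result = {}
    for user, groups in parse_debug(text).items():
        gp = resolve_group_policy(groups, attr_map, default_group_policy)
        result[user] = (gp, login_allowed(gp, policies))
    return result


# ---- constructed scenario mirroring the post's configuration ----
LDAP_MAP = LdapAttributeMap("LDAP-MAP")
LDAP_MAP.map_value("CN=VPN,CN=Users,DC=lab,DC=local", "GP_ANYCONNECT")

POLICIES = {
    "GP_ANYCONNECT": GroupPolicy("GP_ANYCONNECT", 500),
    "NO_ACCESS": GroupPolicy("NO_ACCESS", 0),
}

# Constructed debug ldap 255 excerpts (session IDs and users are made up):
#   vpn1      - direct member of VPN
#   admin1    - member of several groups, VPN not listed first
#   helpdesk1 - only in Helpdesk, which is nested inside VPN (memberOf is not transitive)
#   guest1    - no group memberships at all
SAMPLE_DEBUG = """\
[5820]  memberOf: value = CN=VPN,CN=Users,DC=lab,DC=local
[5820]  sAMAccountName: value = vpn1
[5821]  memberOf: value = CN=Domain Admins,CN=Users,DC=lab,DC=local
[5821]  memberOf: value = CN=VPN,CN=Users,DC=lab,DC=local
[5821]  sAMAccountName: value = admin1
[5822]  memberOf: value = CN=Helpdesk,CN=Users,DC=lab,DC=local
[5822]  sAMAccountName: value = helpdesk1
[5823]  sAMAccountName: value = guest1
"""

if __name__ == "__main__":
    for user, (gp, ok) in evaluate(SAMPLE_DEBUG, LDAP_MAP, POLICIES).items():
        print(f"{user:10} -> {gp:14} {'login allowed' if ok else 'login refused'}")
```

Feed it the real output of debug ldap 255 for a handful of test accounts and compare the result with what you expect before switching the tunnel group's default to NO_ACCESS; building a second map with the DN in the wrong case is a quick way to see the case-sensitivity problem reproduced offline.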
