This post describes the procedure to configure a Cisco ASA firewall with LDAP authentication for AnyConnect Remote Access VPN access. Refer to the previous posts for configuring AnyConnect Remote Access VPNs.
ASA AnyConnect IKEv2/IPSec VPN
Active Directory Pre-requisites
The following pre-requisites for Active Directory are required:
- An LDAP Service Account
- The distinguished name of the Service Account
- The distinguished name of the Active Directory Domain
- The distinguished names of the two Active Directory groups
The distinguished name can be located using the Active Directory Users and Computers MMC: navigate to the object and open the Attribute Editor tab.
- We have created a service account called svc_ldap
- A user called user1 is a member of the AD group called Customer1
- A user called user2 is a member of the AD group called Customer2
ASA Configuration
Define two VPN pools; each pool will be referenced by a different group-policy to demonstrate that the configuration is working correctly.
ip local pool VPN_POOL_1 192.168.14.10-192.168.14.254 mask 255.255.255.0
ip local pool VPN_POOL_2 192.168.15.10-192.168.15.254 mask 255.255.255.0
Define a group policy called NOACCESS; this will be applied to the tunnel group as its default group policy. If a user authenticates but is not a member of either of the AD groups specified in the attribute-map, they will be denied access.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
Define two group policies; these will be assigned dynamically to users who are members of the corresponding AD group as defined in the attribute-map. Ensure that vpn-simultaneous-logins is set explicitly in each policy, otherwise it will inherit the limit of “0” defined by the NOACCESS group policy, which will deny access.
group-policy GP-1 internal
group-policy GP-1 attributes
 dns-server value 192.168.10.5
 vpn-tunnel-protocol ssl-client
 default-domain value customer-1.local
 address-pools value VPN_POOL_1
 vpn-simultaneous-logins 3
!
group-policy GP-2 internal
group-policy GP-2 attributes
 dns-server value 192.168.10.5
 vpn-tunnel-protocol ssl-client
 default-domain value customer-2.local
 address-pools value VPN_POOL_2
 vpn-simultaneous-logins 3
An LDAP attribute map is required if you wish to permit only authenticated users who belong to certain AD groups. In this example we have two AD groups (Customer1 and Customer2); each maps the user to a different group policy in order to assign different attributes, such as the VPN pool. Users whose AD groups are not defined in the attribute-map will be denied access. The distinguished name of each group can be found in the “Attribute Editor” tab of the AD group in “Active Directory Users & Computers”.
ldap attribute-map LDAP_ANYCONNECT_MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=Customer1,OU=Company,DC=lab,DC=local GP-1
 map-value memberOf CN=Customer2,OU=Company,DC=lab,DC=local GP-2
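To see how the NOACCESS default, the attribute-map and the per-policy vpn-simultaneous-logins setting interact, the following is an added model of the ASA's policy selection, written for this post and not part of it or of Cisco's software. It assumes the ASA picks the first memberOf value that matches a map-value, that the DN must match exactly as configured, and that a policy without an explicit login limit inherits the limit of the tunnel group's default policy; the config text is constructed here, with the limit deliberately left out of GP-2 to show the pitfall.

```python
"""Model of how the ASA applies an LDAP attribute-map to an authenticated user."""
import re

# Constructed excerpt of the ASA config from the post; GP-2 intentionally omits
# vpn-simultaneous-logins to demonstrate inheritance of the NOACCESS limit.
ASA_CONFIG = """
ldap attribute-map LDAP_ANYCONNECT_MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=Customer1,OU=Company,DC=lab,DC=local GP-1
 map-value memberOf CN=Customer2,OU=Company,DC=lab,DC=local GP-2
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-1 attributes
 address-pools value VPN_POOL_1
 vpn-simultaneous-logins 3
group-policy GP-2 attributes
 address-pools value VPN_POOL_2
"""


def parse_attribute_map(config):
    """Return {group DN: group-policy name} from the map-value lines (DNs without spaces)."""
    return {dn: policy for dn, policy in
            re.findall(r"^\s*map-value memberOf (\S+) (\S+)$", config, re.M)}


def parse_simultaneous_logins(config):
    """Return {policy: vpn-simultaneous-logins} for policies that set it explicitly."""
    limits, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes", line)
        if header:
            current = header.group(1)
        limit = re.match(r"\s*vpn-simultaneous-logins (\d+)", line)
        if limit and current:
            limits[current] = int(limit.group(1))
    return limits


def evaluate_user(member_of, config, default_policy="NOACCESS"):
    """Return (policy applied, session allowed) for a user's memberOf values."""
    mapping = parse_attribute_map(config)
    limits = parse_simultaneous_logins(config)
    # Assumption: first memberOf value matching a map-value wins; exact string match.
    policy = next((mapping[dn] for dn in member_of if dn in mapping), default_policy)
    # Assumption: an unset limit is inherited from the tunnel group's default policy.
    limit = limits.get(policy, limits.get(default_policy, 0))
    return policy, limit > 0
```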
Define the AAA server using the LDAP protocol, specifying the AD server IP address, base DN, LDAP scope, login DN, password and the attribute-map.
aaa-server LDAP protocol ldap
aaa-server LDAP (INSIDE) host 192.168.10.5
 ldap-base-dn DC=lab,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc_ldap,OU=Company,DC=lab,DC=local
 ldap-attribute-map LDAP_ANYCONNECT_MAP
 server-type auto-detect
Ensure the Tunnel Group used by the AnyConnect VPN is referencing the NOACCESS default-group-policy and the LDAP authentication-server-group.
tunnel-group TG-1 type remote-access
tunnel-group TG-1 general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
tunnel-group TG-1 webvpn-attributes
 group-alias TG-1 enable
Enable WebVPN on the OUTSIDE interface.
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
Verification
Logging in as user1, the output confirms the user has been associated with the correct group-policy, GP-1, and the IP address 192.168.14.10.
Logging in as user2, the output confirms the user has been associated with the group-policy GP-2 and the IP address 192.168.15.10, which is from a different IP pool.
Turn on LDAP debugging using the command debug ldap 255 and log in as a user that is permitted to authenticate to the Remote Access VPN.
From the output below we can determine that the user was successfully authenticated and mapped to the correct group-policy, confirming the LDAP attribute-map is working correctly.