Cisco ASA: Allowing and Denying VPN Access based on membership to an AD group

Posted by milkandtang on Server Fault
Published on 2011-02-21T20:43:20Z, indexed on 2011/03/09 8:11 UTC


I have a Cisco ASA 5505 connecting to an Active Directory server for VPN authentication. Usually we'd restrict this to a particular OU, but in this case the users who need access are spread across multiple OUs. So, I'd like to use a group to specify which users have remote access. I've created the group and added the users, but I'm having trouble figuring out how to deny users who aren't in that group.

Right now, if someone connects they get assigned the correct group policy "companynamera" if they are in that group, so the LDAP mapping is working. However, users who are not in that group still authenticate fine, and their group policy becomes the LDAP path of their first group, i.e. CN=Domain Users,CN=Users,DC=example,DC=com, and then are still allowed access. How do I add a filter so that I can map everything that isn't "companynamera" to no access?

Config I'm using (with some stuff such as ACLs and mappings removed, since they are just noise here):

gateway# show run
: Saved
:
ASA Version 8.2(1)
!
hostname gateway
domain-name corp.company-name.com
enable password gDZcqZ.aUC9ML0jK encrypted
passwd gDZcqZ.aUC9ML0jK encrypted
names
name 192.168.0.2 dc5 description FTP Server
name 192.168.0.5 dc2 description Everything server
name 192.168.0.6 dc4 description File Server
name 192.168.0.7 ts1 description Light Use Terminal Server
name 192.168.0.8 ts2 description Heavy Use Terminal Server
name 4.4.4.82 primary-frontier
name 5.5.5.26 primary-eschelon
name 172.21.18.5 dmz1 description Kerio Mail Server and FTP Server
name 4.4.4.84 ts-frontier
name 4.4.4.85 vpn-frontier
name 5.5.5.28 ts-eschelon
name 5.5.5.29 vpn-eschelon
name 5.5.5.27 email-eschelon
name 4.4.4.83 guest-frontier
name 4.4.4.86 email-frontier
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 description Frontier FiOS
 nameif outside
 security-level 0
 ip address primary-frontier 255.255.255.0
!
interface Vlan3
 description Eschelon T1
 nameif backup
 security-level 0
 ip address primary-eschelon 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 172.21.18.254 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 25
 ip address 172.21.19.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc2
 domain-name corp.company-name.com
same-security-traffic permit intra-interface
access-list companyname_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list companyname_splitTunnelAcl standard permit 172.21.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.18.0 255.255.255.0
access-list bypassingnat_dmz extended permit ip 172.21.18.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 12288
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu dmz 1500
mtu guest 1500
ip local pool VPNpool 172.21.20.50-172.21.20.59 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 email-frontier
global (outside) 3 guest-frontier
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 dc5 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list bypassingnat_dmz
nat (dmz) 2 dmz1 255.255.255.255
nat (dmz) 1 172.21.18.0 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 4.4.4.1 1 track 1
route backup 0.0.0.0 0.0.0.0 5.5.5.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map RemoteAccessMap
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host dc2
 ldap-base-dn dc=corp,dc=company-name,dc=com
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
 server-type microsoft
aaa-server ADRemoteAccess protocol ldap
aaa-server ADRemoteAccess (inside) host dc2
 ldap-base-dn dc=corp,dc=company-name,dc=com
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
 server-type microsoft
 ldap-attribute-map RemoteAccessMap
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.4.4.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy companynamera internal
group-policy companynamera attributes
 wins-server value 192.168.0.5
 dns-server value 192.168.0.5
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value companyname_splitTunnelAcl
 default-domain value corp.company-name.com
 split-dns value corp.company-name.com
group-policy companyname internal
group-policy companyname attributes
 wins-server value 192.168.0.5
 dns-server value 192.168.0.5
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value companyname_splitTunnelAcl
 default-domain value corp.company-name.com
 split-dns value corp.company-name.com
username admin password IhpSqtN210ZsNaH. encrypted privilege 15
tunnel-group companyname type remote-access
tunnel-group companyname general-attributes
 address-pool VPNpool
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy companyname
tunnel-group companyname ipsec-attributes
 pre-shared-key *
tunnel-group companynamera type remote-access
tunnel-group companynamera general-attributes
 address-pool VPNpool
 authentication-server-group ADRemoteAccess LOCAL
 default-group-policy companynamera
tunnel-group companynamera ipsec-attributes
 pre-shared-key *
!
class-map type inspect ftp match-all ftp-inspection-map
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect ftp ftp-inspection-map
 parameters
 class ftp-inspection-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect esmtp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:487525494a81c8176046fec475d17efe
: end
gateway#

Thanks so much!
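An added audit script (my own, not code from the question or from Cisco) that reads an ASA-style running config and reports, per remote-access tunnel-group, whether the fall-through policy actually refuses sessions. It assumes the usual ASA pattern for this problem: a catch-all group policy with `vpn-simultaneous-logins 0` (named NOACCESS here; the name is an assumption) set as the tunnel-group's default-group-policy, so that a user whose memberOf values match no map-value entry lands on a policy that denies the login instead of the permissive tunnel-group default. The sample config is constructed and trimmed to the lines that matter; `effective_policy` is a simplified model of the behaviour the question describes (unmapped class value, no matching policy, default applies), not a reimplementation of the ASA.

```python
"""Audit ASA VPN tunnel-groups for a permissive fall-through group policy.
Added example; not from the original post or from Cisco."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the posted config, plus a NOACCESS policy
# (assumed name) and a tunnel-group that uses it, to show the hardened case.
SAMPLE_CONFIG = """\
: Saved
ldap attribute-map RemoteAccessMap
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
group-policy companynamera internal
group-policy companynamera attributes
 vpn-tunnel-protocol IPSec
group-policy companyname internal
group-policy companyname attributes
 vpn-tunnel-protocol IPSec
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group companyname type remote-access
tunnel-group companyname general-attributes
 default-group-policy companyname
tunnel-group companynamera type remote-access
tunnel-group companynamera general-attributes
 default-group-policy companynamera
tunnel-group locked type remote-access
tunnel-group locked general-attributes
 default-group-policy NOACCESS
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Group an ASA config into (top-level line, [indented child lines]) pairs.
    Comment lines ('!' and ':' prefixed) and blank lines are skipped."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw[0] == " ":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def mapped_policies(blocks: List[Block]) -> Dict[str, Dict[str, str]]:
    """attribute-map name -> {memberOf DN: group-policy it maps to}."""
    out: Dict[str, Dict[str, str]] = {}
    for header, children in blocks:
        m = re.match(r"ldap attribute-map (\S+)$", header)
        if not m:
            continue
        targets: Dict[str, str] = {}
        for child in children:
            mv = re.match(r"map-value memberOf (.+?)\s+(\S+)$", child)
            if mv:
                targets[mv.group(1)] = mv.group(2)
        out[m.group(1)] = targets
    return out


def login_limits(blocks: List[Block]) -> Dict[str, Optional[int]]:
    """group-policy name -> vpn-simultaneous-logins value (None if unset;
    an unset limit means the non-zero platform default applies)."""
    limits: Dict[str, Optional[int]] = {}
    for header, children in blocks:
        m = re.match(r"group-policy (\S+) attributes$", header)
        if not m:
            continue
        limit: Optional[int] = None
        for child in children:
            s = re.match(r"vpn-simultaneous-logins (\d+)$", child)
            if s:
                limit = int(s.group(1))
        limits[m.group(1)] = limit
    return limits


def audit(config: str) -> Dict[str, str]:
    """Per remote-access tunnel-group: 'deny-by-default' if its
    default-group-policy refuses logins, else 'permit-by-default'."""
    blocks = parse_blocks(config)
    limits = login_limits(blocks)
    verdict: Dict[str, str] = {}
    for header, children in blocks:
        m = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if not m:
            continue
        default = None
        for child in children:
            d = re.match(r"default-group-policy (\S+)$", child)
            if d:
                default = d.group(1)
        # A missing or unknown default policy is treated as permissive.
        denies = default is not None and limits.get(default) == 0
        verdict[m.group(1)] = "deny-by-default" if denies else "permit-by-default"
    return verdict


def effective_policy(member_of: List[str], targets: Dict[str, str],
                     default_policy: str) -> str:
    """Simplified model of what the question describes: a mapped memberOf DN
    selects its group policy; any other DN has no policy of that name, so the
    tunnel-group's default-group-policy is applied."""
    for dn in member_of:
        if dn in targets:
            return targets[dn]
    return default_policy


if __name__ == "__main__":
    for group, state in audit(SAMPLE_CONFIG).items():
        print(f"{group}: {state}")
```

Run against a real `show run` the report flags every tunnel-group whose default policy does not carry `vpn-simultaneous-logins 0`; in the posted config both tunnel-groups would be reported as permit-by-default, which is exactly the symptom described (a user in no mapped group still receives a working policy).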
