Cisco ASA: Allowing and Denying VPN Access based on membership to an AD group
- by milkandtang
I have a Cisco ASA 5505 connecting to an Active Directory server for VPN authentication. Usually we'd restrict this to a particular OU, but in this case the users who need access are spread across multiple OUs. So, I'd like to use a group to specify which users have remote access. I've created the group and added the users, but I'm having trouble figuring out how to deny users who aren't in that group.
Right now, if someone connects they get assigned the correct group policy "companynamera" if they are in that group, so the LDAP mapping is working. However, users who are not in that group still authenticate fine, and their group policy becomes the LDAP path of their first group, i.e. CN=Domain Users,CN=Users,DC=example,DC=com, and they are then still allowed access. How do I add a filter so that I can map everything that isn't "companynamera" to no access?
Config I'm using (with some stuff such as ACLs and mappings removed, since they are just noise here):
gateway# show run
: Saved
:
ASA Version 8.2(1)
!
hostname gateway
domain-name corp.company-name.com
enable password gDZcqZ.aUC9ML0jK encrypted
passwd gDZcqZ.aUC9ML0jK encrypted
names
name 192.168.0.2 dc5 description FTP Server
name 192.168.0.5 dc2 description Everything server
name 192.168.0.6 dc4 description File Server
name 192.168.0.7 ts1 description Light Use Terminal Server
name 192.168.0.8 ts2 description Heavy Use Terminal Server
name 4.4.4.82 primary-frontier
name 5.5.5.26 primary-eschelon
name 172.21.18.5 dmz1 description Kerio Mail Server and FTP Server
name 4.4.4.84 ts-frontier
name 4.4.4.85 vpn-frontier
name 5.5.5.28 ts-eschelon
name 5.5.5.29 vpn-eschelon
name 5.5.5.27 email-eschelon
name 4.4.4.83 guest-frontier
name 4.4.4.86 email-frontier
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 description Frontier FiOS
 nameif outside
 security-level 0
 ip address primary-frontier 255.255.255.0
!
interface Vlan3
 description Eschelon T1
 nameif backup
 security-level 0
 ip address primary-eschelon 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 172.21.18.254 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 25
 ip address 172.21.19.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc2
 domain-name corp.company-name.com
same-security-traffic permit intra-interface
access-list companyname_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list companyname_splitTunnelAcl standard permit 172.21.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.18.0 255.255.255.0
access-list bypassingnat_dmz extended permit ip 172.21.18.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 12288
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu dmz 1500
mtu guest 1500
ip local pool VPNpool 172.21.20.50-172.21.20.59 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 email-frontier
global (outside) 3 guest-frontier
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 dc5 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list bypassingnat_dmz
nat (dmz) 2 dmz1 255.255.255.255
nat (dmz) 1 172.21.18.0 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 4.4.4.1 1 track 1
route backup 0.0.0.0 0.0.0.0 5.5.5.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map RemoteAccessMap
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host dc2
 ldap-base-dn dc=corp,dc=company-name,dc=com
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
 server-type microsoft
aaa-server ADRemoteAccess protocol ldap
aaa-server ADRemoteAccess (inside) host dc2
 ldap-base-dn dc=corp,dc=company-name,dc=com
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn cn=administrator,ou=Admins,dc=corp,dc=company-name,dc=com
 server-type microsoft
 ldap-attribute-map RemoteAccessMap
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.4.4.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy companynamera internal
group-policy companynamera attributes
 wins-server value 192.168.0.5
 dns-server value 192.168.0.5
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value companyname_splitTunnelAcl
 default-domain value corp.company-name.com
 split-dns value corp.company-name.com
group-policy companyname internal
group-policy companyname attributes
 wins-server value 192.168.0.5
 dns-server value 192.168.0.5
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value companyname_splitTunnelAcl
 default-domain value corp.company-name.com
 split-dns value corp.company-name.com
username admin password IhpSqtN210ZsNaH. encrypted privilege 15
tunnel-group companyname type remote-access
tunnel-group companyname general-attributes
 address-pool VPNpool
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy companyname
tunnel-group companyname ipsec-attributes
 pre-shared-key *
tunnel-group companynamera type remote-access
tunnel-group companynamera general-attributes
 address-pool VPNpool
 authentication-server-group ADRemoteAccess LOCAL
 default-group-policy companynamera
tunnel-group companynamera ipsec-attributes
 pre-shared-key *
!
class-map type inspect ftp match-all ftp-inspection-map
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect ftp ftp-inspection-map
 parameters
 class ftp-inspection-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect esmtp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:487525494a81c8176046fec475d17efe
: end
gateway#
Thanks so much!
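An added configuration example, not part of the original post: the root cause in the config above is that tunnel-group companynamera uses "default-group-policy companynamera", so every user who authenticates against AD lands on the access-granting policy unless the attribute map overrides it. The approach Cisco documents for this problem is to make the default policy one that accepts the credentials but allows zero concurrent sessions; only users whose memberOf value the map translates to an existing, permissive group policy then get a tunnel. The policy name NOACCESS is an assumed name; the attribute map and tunnel-group names are the ones from the posted config.

```cisco
! Deny-by-default policy: authentication succeeds, but no session is permitted.
! Users whose memberOf values match nothing in the attribute map end up here.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec
!
! The existing map is unchanged: members of CN=RemoteAccess get
! IETF-Radius-Class = companynamera, which names the permissive policy.
ldap attribute-map RemoteAccessMap
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=RemoteAccess,CN=Users,DC=corp,DC=company-name,DC=com companynamera
!
! Point the remote-access tunnel group at the deny policy instead of companynamera.
! companynamera is now reachable only through the attribute map.
tunnel-group companynamera general-attributes
 default-group-policy NOACCESS
```

With this in place, a user whose class value comes back as an unmapped DN such as CN=Domain Users,... names no group policy, so the ASA falls back to the tunnel group's default, NOACCESS, and the login is rejected. To confirm which policy a given login receives, run "debug ldap 255" during a test connection (it shows the retrieved memberOf values and the mapped class) and check "show vpn-sessiondb remote" for the group policy attached to established sessions. Note that the separate companyname tunnel group still authenticates against ActiveDirectory with no attribute map and defaults to the companyname policy, so the group restriction only holds for users connecting to the companynamera group.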