
Wednesday, December 2, 2015

Cisco AnyConnect LDAP configuration

Cisco ASA 5506X-SFR
Software version:
ASDM version:
Client version: AnyConnect 3.1.12020-k9

First configure the LDAP server group under Remote Access VPN -> AAA/Local Users -> AAA Server Groups:

Then configure the LDAP server itself beneath the server group:

Next configure address pool under Remote Access VPN -> Network (Client) Access -> Address Assignment -> Address Pools:

Now configure group policy under Remote Access VPN -> Network (Client) Access -> Group Policies:

You can leave all parameters set to Inherit, in which case all client traffic is tunneled through the ASA. To change this, go to Advanced -> Split Tunneling, uncheck Inherit next to Policy and choose Tunnel Network List Below, then uncheck Inherit next to Network List, click Manage, create a standard access-list containing the ASA internal networks, and select this ACL as the Network List:

Now go to Remote Access VPN -> AnyConnect Connection Profiles and click Add to configure a new connection profile: type in a name, choose AAA as the authentication method and select the LDAP server group, then choose the client address pool and the default group policy we created:

Check SSL Enabled and IPsec Enabled for this given profile and we are ready to connect.

Now let's add a DAP (Dynamic Access Policy) based on an LDAP attribute. Go to Remote Access VPN -> AAA/Local Users -> LDAP Attribute Map and click Add; in the LDAP Attribute Name field type memberOf (case sensitive) and under Cisco Attribute Name choose Group-Policy:

Click on Mapping of Attribute Value and click Add, under LDAP Attribute Value type the syntax for the corresponding group (here in my example a group called VPN-USERS):

The syntax is as follows: CN=VPN-USERS,OU=Groups,DC=lab,DC=local

And in the Cisco Attribute Value type in the group policy name we just made, here in my example RA-ANYCONNECT-GroupPolicy.

With this attribute map we have linked the LDAP attributes received from the LDAP server to parameters the ASA understands.

Now go to Remote Access VPN -> AAA/Local Users -> AAA Server Groups, select the LDAP group, click Edit on the server listed under Servers in the Selected Group, and under LDAP Attribute Map choose the map we've just created:

Now we can start configuring DAP based on a user or group. Go to Remote Access VPN -> Network (Client) Access -> Dynamic Access Policies and click Add, type in the policy name, set the ACL priority (policies are evaluated from high to low), choose whether the attribute must match ANY, ALL or NONE of the criteria, and click Add to configure an LDAP attribute with the ID memberOf and the value we want to match. Here it is the group name VPN-USERS, but we could use the username, for example:

Then we can configure different settings for that particular user or group; here I chose Network ACL Filters (client) and set an ACL for the group:

Because DfltAccessPolicy is the last DAP evaluated, configure it with an ACL that denies any traffic. Remote users must then be matched by an earlier policy, otherwise they are denied.

1 comment:

  1. Hi,
    what to do with map-attribute (LDAP attribute-map) as you use DAP?