ccie blog

Cisco ASA – Anyconnect with AD Group Authentication

This post shows you how to configure Anyconnect with AD group authentication.  i.e. Users must be part of a certain security group inside of AD in order to be authenticated on the Anyconnect client.

Below is the complete configuration.  I will run through how it works underneath.

#### AD SECTION ####
aaa-server AD protocol ldap
aaa-server AD (inside) host 1.1.1.1
 ldap-base-dn dc=google,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password $tr0ngP@$$w0rd
 ldap-login-dn CN=CiscoASA,OU=Service Account,OU=UK,DC=test,DC=com
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN

#### TUNNEL-GROUP SECTION ####
tunnel-group ANYCONNECT_TUNNEL type remote-access
tunnel-group ANYCONNECT_TUNNEL general-attributes
 address-pool ANYCONNECT_POOL
 authentication-server-group AD
 default-group-policy NO_ACCESS
tunnel-group ANYCONNECT_TUNNEL webvpn-attributes
 group-alias CORPORATE_USERS enable
 group-url https://google.com/ANYCONNECT enable

#### GROUP-POLICY SECTION ####
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy ANYCONNECT_GROUP internal
group-policy ANYCONNECT_GROUP attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 500
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value google.com
 webvpn
  anyconnect keep-installer installed

#### ATTRIBUTE-MAP SECTION ####
ldap attribute-map MAP-ANYCONNECT-LOGIN
map-name memberOf Group-Policy
map-value memberOf CN=ANYCONNECT_USERS,OU=Groups,OU=UK,DC=google,DC=com ANYCONNECT_GROUP

#### WEBVPN SECTION ####
webvpn
 enable outside
 anyconnect image shared:/anyconnect-win-4.4.03034-webdeploy-k9.pkg
 anyconnect enable
 tunnel-group-list enable

 

How this code works?

When a user goes to the login page https://google.com/ANYCONNECT, and attempts to login & download the Anyconnect client, the tunnel-group “ANYCONNECT_TUNNEL” is called. The tunnel-group states that the firewall should use AD for authenticating users. The AD section basically authenticates the firewall to AD (with the username CiscoASA), so that it can make queries with AD to authenticate users.  So, as part of the user authentication, it specifies an ldap attribute map, which is where we can state that the user must be part of a specific security group.

The attribute map states that users must be in the AD security group “ANYCONNECT_USERS”.  This group is located in the domain at the location of google.com/UK/Groups/ANYCONNECT_USERS.  If they are part of this security group, it calls the group-policy “ANYCONNECT_GROUP”.  This then sets the permissions for the Anyconnect client.

If the user is not part of this AD security group, the process changes. So when the tunnel-group calls AD, the attribute-map section fails, which causes the process to go back to the tunnel-group ANYCONNECT_TUNNEL, and hit the default-group-policy “NO_ACCESS”. This group-policy then states that zero users are permitted to login via this process.

 

The Gotchas

Things to watch out for when configuring this:

  • In the ATTRIBUTE-MAP section, the “memberOf” is a capital O.  The cli allows you to put a lower case o, and nothing will work if you make this mistake.
  • The vpn-simultaneous-logins command is required on both the NO_ACCESS group-policy as well as the ANYCONNECT_GROUP group-policy.  Failure to specify a number in the ANYCONNECT_GROUP group-policy can cause the “vpn-simultaneous-logins 0” setting to be inherited, causing login issues.

Leave a comment

Your comment