It is possible to authenticate to LDAP but then only allow a user in if they are in the right LDAP group. This post will explain how to authorize a user based on their LDAP group they are a member of.
The theory for this task is to set a default group policy which has no access to the network, then create an LDAP map that maps a LDAP group to a group-policy.
Configure LDAP authentication
First what you’ll need to do is make sure you have LDAP authentication working. Create a aaa-server that uses the LDAP protocol. The configuration may look like this:
ldap-base-dn will be where where the ASA starts looking for an authenticated user. I recommend setting this as the first level of your AD tree.
ldap-scope subtree tells LDAP to look for this user in any subtree. The other option is just a single subtree up.
The next 3 commands are setting up the LDAP user that will be used to bind to LDAP. The
ldap-naming-attribute command says we’ll be using the sAMAccountName as the identifier of our login name. The
ldap-login-password is the LDAP password for the user we are using to bind to LDAP. In this case the user is svc_asavpn. The
ldap-login-dn tells LDAP where that user lives. It’s important to know the full path of that user as indicated in the commands above.
Once you have those commands in the easiest way to test the connectivity is to use the
test command. It looks something like this:
It’s important that this test is successful. Failure to get LDAP working successfully here will result in harder to troubleshoot problems later.
You may be able to get additional help by turning on
debug ldap 255 then trying the test again.
Create Group-Policies for the VPN
Create two group policies. One that has no access and denies the user from logging in, and one that has the correct permissions to allow a user to login.
First create the group for no access
We just want a group policy that doesn’t allow anyone to login so if we restrict the login count to 0 nobody will ever be able to login.
Next create the group policy that will allow the user access.
Note that sometimes we need to explicitly say the max simultaneous logins is more than 0 since we made it 0 earlier it may get inherited.
Create the Tunnel Group
We’ve set the authentication group to be the aaa LDAP server we configured in step one. Also take note we’ve set the default group policy to be the NoAccess one.
Create an LDAP map
An LDAP map will look at the LDAP settings that user has and if there’s a match will assign them to a specific group-policy (amongst other options). Essentially we are saying deny all users from VPN access, unless they are a memberOf the specified group and if so assign them to a different group-policy.
Since these are seldom used commands lets break them down all the way.
memberOf is the specific LDAP flag we are going to be looking for. We want to check if this user is a memberOf a group.
Group-Policy says that if there’s a match, lets assign them a new group-policy. In older version of ASA (<8.2.5) use this instead: IETF-Radius-Class.
CN=vpn_users,OU=groups,OU=chi,DC=example,DC=com is the location of the group in AD to check if the user is a memberOf.
GRPPOL-RA-VPN is the name of the group-policy we will assign them to if there is a match.
map-name is more like indicating the type of map attribute to check against and what will be assigned if there’s a match.
map-value defines the values to be checking against and assigning to. You can have multiple map-value commands in one LDAP map.
Now apply the LDAP map.
Test to verify it’s working
You can try to login to the VPN using an LDAP account or you can try the
test command that was talked about earlier. If you have
debug ldap 255 on you’ll see the following in a successfully authenticated message:
If you’re seeing that message it means the user was given the proper group-policy to login with. You can also verify the test by successfully logging in via a VPN session and check if the user has the right group-policy when looking at the user doing
show vpn-sessiondb anyconnect.