Friday 18 October 2013

Active Directory group based authentication for Cisco ASA AnyConnect

The purpose of this article is to authenticate SSL AnyConnect VPN users against Active Directory (AD) and authorise each user for a specific connection profile depending on their AD group membership.

First we need an AD user account that the ASA will use to bind to LDAP and look up users.  This doesn't need to be a domain admin or have any special rights: an ordinary domain user can read group membership.  Create a dedicated account with a strong password, set the password not to expire, and don't reuse it for anything else (the ASA keeps this password in its configuration).

We also need to create, or take note of, the AD group that identifies which VPN profile its members are authorised to use.  In this article the AD group is called "Grp_GI_VPN_Tech", and any member of that group will be authorised to use the AnyConnect connection profile of the same name (I used matching names for easy management; you don't have to).
They won't, however, be able to use any other profile unless they are also a member of the corresponding group.

So first step, let's set up our ASA to be able to query LDAP:
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add
Give the group a name, such as "VPN-LDAP", select protocol LDAP, and leave the rest at the defaults.

Now select your new server group, and add your domain controller(s) to it in the next section (Servers in the Selected Group):
Interface: the interface via which your DC is reachable, likely Inside.
Server Name or IP Address: the IP of the DC.
Server port: 389 for plain LDAP, or 636 for LDAP over SSL (LDAPS).  Be aware that with plain LDAP the bind account's password, and the password of every user the ASA authenticates (the ASA authenticates users by binding to the DC as them), cross the inside network unencrypted, so tick "Enable LDAP over SSL" and use 636 if your DC has a certificate.
Server type: Microsoft
Base DN: where the ASA starts searching for users.  In my case users are spread across OUs under the domain root, so I use the root of the domain, e.g. DC=mydomain,DC=loc.  If all your users were in one container, such as Users, you could narrow the search to that container, e.g. CN=Users,DC=mydomain,DC=loc.
Scope: how far below the Base DN the ASA searches (all levels below the Base DN, or only one level).
Naming Attribute: sAMAccountName
Login DN: the full distinguished name of the account you created earlier to query LDAP, for example CN=svc-asa-ldap,OU=Service Accounts,DC=mydomain,DC=loc (substitute your own account's DN).
Login Password: the strong password you created earlier.
Leave the rest at the defaults.
If you have a secondary DC, add it in the same way, so your AAA Server Group has two servers configured for redundancy.


Now that our ASA can query LDAP, we can start making the VPNs:
Configuration > Remote Access VPN > AnyConnect Connection Profiles
First, enable AnyConnect access on the outside interface if it isn't already: tick the option, choose your interface, and tick "Bypass interface access lists for inbound VPN sessions".  Note what that last option does (it is sysopt connection permit-vpn on the CLI): decrypted VPN traffic is no longer checked against the outside interface ACL, so the per-group IPv4 Filter we configure later becomes the only thing restricting what VPN users can reach on the inside.
We will also tick "Allow user to select connection profile, identified by alias, on the login page".  Users will see every profile alias in the drop-down when they connect (the list is shown before authentication, so don't put anything sensitive in an alias), but they will only be able to connect to the ones their AD group membership permits.
So far we should be looking something like this (dependent on your interfaces).

Now let's create our Connection Profile, select Add in the section below:
Name: Call this what you like, I find it useful to label it the same as your AD group, for easy management, so for our example I am going to call it Grp_GI_VPN_Tech.
Alias: This is what your users will see on their AnyConnect client, so label this clearly for them, such as "Tech Department".
Method: AAA
AAA Server Group: Here we select the group we created previously, in this example VPN-LDAP
Client Address Assignment: how you want to hand VPN users an IP address.  For this example I'm going to have the ASA assign addresses from an IP range created under Client Address Pools.
Group Policy: we'll create this next, so for now just select an existing policy such as DfltGrpPolicy.
Enable SSL VPN client protocol
Disable IPsec(IKEv2) client protocol
Add your DNS/WINS/Domain Name
The advanced options can be left at their defaults, so press OK.

Now let's create our Group Policy (an ASA object, not related to AD Group Policy).
Configuration > Remote Access VPN > Group Policies
Add a new Internal Group Policy:
We can leave most of the General options inherited, however add the name you want (again I will keep it simple by using Grp_GI_VPN_Tech)
Under More Options we will explicitly define the following:
IPv4 Filter: an ACL (the vpn-filter on the CLI) that determines what users in this policy may reach on the inside LAN, e.g. RDP to our terminal server, DNS queries to our DC.  Keep it as tight as you can: because we bypassed the interface ACLs for VPN traffic above, this filter is the access control for these users.
Simultaneous Logins: how many concurrent sessions a single user account may have, within your licensing (1 is a sensible default, and makes a shared or stolen password more noticeable).
Connection Profile Lock: select the connection profile we created previously, so this group policy can only be reached through that profile.

Under the Servers tab, explicitly define your DNS/WINS/Default Domain again

If you want to use Split Tunneling, then select your Policy and Network List under Advanced > Split Tunneling.
The rest can be left as default, so press OK.

Now we go back to our AnyConnect Connection Profile and select our newly created Group Policy where we previously just used DfltGrpPolicy.


The final step is to restrict users to only access the VPN that their AD group membership allows, so navigate to Configuration > Remote Access VPN > Dynamic Access Policies
Here we need to add a new policy:
Policy Name: For simplicity, I will call this Grp_GI_VPN_Tech
ACL Priority: only matters when more than one DAP matches a session (it orders how their ACLs are aggregated), so let's just start at 100 and count down for each new VPN we make in future.
Select User has ALL of the following AAA Attributes values...
Add a new criteria:
AAA Attribute Type: Cisco
Connection Profile: Grp_GI_VPN_Tech
OK
Add a new criteria:
AAA Attribute Type: LDAP
Attribute ID: memberOf
Value: = the AD group's full distinguished name, exactly as it appears in the user's memberOf attribute, e.g. CN=Grp_GI_VPN_Tech,OU=Groups,DC=mydomain,DC=loc (ASDM can retrieve the list of groups via the LDAP server group).  Bear in mind that memberOf only lists groups the user is a direct member of: nested group membership is not expanded, and a user's primary group (normally Domain Users) doesn't appear in memberOf at all.
OK
Now ensure the Action is set to Continue, and press OK.
The final step is to deny access to everyone who doesn't match one of our DAPs: edit the DfltAccessPolicy, set its Action to Terminate, and supply a message for the users if you like.  Because our DAP requires both the chosen connection profile and the matching AD group, a Tech user who picks a different profile from the drop-down matches nothing, falls through to DfltAccessPolicy and is terminated.
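For readers who prefer the CLI, or who want to check what ASDM actually wrote, here is the equivalent running configuration for the whole procedure above. This is an added example, not configuration from the original post; the server group, profile, group policy and DAP names are the ones used in the article, while the DC addresses (10.0.0.10/.11), terminal server (10.0.0.20), inside LAN (10.0.0.0/24), client pool (10.100.10.10-50), bind account DN and alias are assumptions for illustration.

```cisco
! Added CLI equivalent of the ASDM steps above (not from the original post).
! Assumed: DCs 10.0.0.10/.11, terminal server 10.0.0.20, inside LAN 10.0.0.0/24,
! client pool 10.100.10.10-50, bind account svc-asa-ldap, domain mydomain.loc.

! 1. LDAP server group (ASDM: AAA Server Groups). LDAPS on 636 keeps the bind
!    password and the forwarded user credentials from crossing the LAN in clear.
aaa-server VPN-LDAP protocol ldap
aaa-server VPN-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=mydomain,DC=loc
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=mydomain,DC=loc
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
aaa-server VPN-LDAP (inside) host 10.0.0.11
 ldap-base-dn DC=mydomain,DC=loc
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=mydomain,DC=loc
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636

! 2. Address pool for this profile (ASDM: Client Address Pools)
ip local pool POOL_GI_VPN_Tech 10.100.10.10-10.100.10.50 mask 255.255.255.0

! 3. vpn-filter ACL (ASDM: Group Policy > IPv4 Filter). Written with the VPN
!    client as source and the inside resource as destination; the ASA applies it
!    to both directions of the tunnel. Confirm with "show access-list ACL_GI_VPN_Tech".
access-list ACL_GI_VPN_Tech extended permit tcp 10.100.10.0 255.255.255.0 host 10.0.0.20 eq 3389
access-list ACL_GI_VPN_Tech extended permit udp 10.100.10.0 255.255.255.0 host 10.0.0.10 eq domain
access-list ACL_GI_VPN_Tech extended permit udp 10.100.10.0 255.255.255.0 host 10.0.0.11 eq domain
access-list ACL_GI_VPN_Tech extended deny ip any any log

! 4. Split-tunnel list (ASDM: Group Policy > Advanced > Split Tunneling)
access-list SPLIT_GI_VPN_Tech standard permit 10.0.0.0 255.255.255.0

! 5. Group policy (ASDM: Group Policies)
group-policy Grp_GI_VPN_Tech internal
group-policy Grp_GI_VPN_Tech attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL_GI_VPN_Tech
 vpn-simultaneous-logins 1
 group-lock value Grp_GI_VPN_Tech
 dns-server value 10.0.0.10 10.0.0.11
 default-domain value mydomain.loc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_GI_VPN_Tech

! 6. Connection profile (ASDM: AnyConnect Connection Profiles)
tunnel-group Grp_GI_VPN_Tech type remote-access
tunnel-group Grp_GI_VPN_Tech general-attributes
 address-pool POOL_GI_VPN_Tech
 authentication-server-group VPN-LDAP
 default-group-policy Grp_GI_VPN_Tech
tunnel-group Grp_GI_VPN_Tech webvpn-attributes
 group-alias Tech_Department enable

! 7. Enable AnyConnect on outside, show the profile drop-down, bypass interface ACLs
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
sysopt connection permit-vpn

! 8. DAP. Only the record name, priority, action and message are CLI commands;
!    the selection criteria (Cisco connection profile = Grp_GI_VPN_Tech and LDAP
!    memberOf = the group DN) live in dap.xml and are set through ASDM as above.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "Not authorised for this VPN profile - contact IT"
dynamic-access-policy-record Grp_GI_VPN_Tech
 priority 100
 action continue
```

Two points worth noticing in the text form: the explicit `deny ip any any log` at the end of the vpn-filter gives you a syslog line for every blocked attempt from a VPN client (the implicit deny is silent), and `group-lock` plus the DAP's connection-profile test are what stop a user from borrowing another department's profile.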


We should now be good to go, so fire up your test client and test.
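When the test fails, the ASA can tell you exactly where. These are added troubleshooting commands, not part of the original post; `VPN-LDAP` is the server group from the article, and the DC address, ACL name and test user `jdoe` are assumed names.

```cisco
! Added verification commands (not from the original post). Assumed names:
! server group VPN-LDAP, DC 10.0.0.10, vpn-filter ACL_GI_VPN_Tech, test user jdoe.

! Bind as the service account and authenticate a test user, no client needed
test aaa-server authentication VPN-LDAP host 10.0.0.10 username jdoe password <jdoe-password>

! Watch a real login. The LDAP debug prints every attribute AD returns for the
! user, including each memberOf value, so you see the exact group DN the DAP
! must match; the DAP trace shows which records were selected and the action.
debug ldap 255
debug dap trace
debug dap errors
! (connect with the AnyConnect client now, then stop debugging)
no debug all

! Confirm the session landed in the intended profile and group policy
show vpn-sessiondb detail anyconnect filter name jdoe

! Confirm the vpn-filter is being evaluated (hit counts should increase)
show access-list ACL_GI_VPN_Tech

! Server group health (a FAILED server usually means route, port or LDAPS issue)
show aaa-server VPN-LDAP
```

If the client reports "User not authorized for AnyConnect Client access", the `debug dap trace` output is the first thing to read: it shows whether no DAP matched (so DfltAccessPolicy terminated the session) or whether the memberOf value returned by AD differs from the DN you typed.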

Of course, you will need to repeat the steps for each additional VPN profile you create (except the AAA Server Group, which is shared and doesn't need to be touched).

Please comment if you find anything incorrect, or have any questions!




8 comments:

  1. My AnyConnect client has the following message in the VPN > Message History tab after I attempt to login: "User not authorized for AnyConnect Client access, contact your administrator." Any advice on what could be causing this?

    1. This is most likely related to your DAPs, try changing your DfltAccessPolicy to 'Continue' as a test.

  2. Thanks for the guide - very useful indeed.

    I came across the unfortunate situation where I had to configure this on an existing ASA, where the only access was VPN due to certain security measures within my company for some countries.

    I found that when it came to applying the DAP, it was worth just configuring all of the rules with a "Continue" action and a comment in the "User Message" section so while I was testing I knew which rule I was hitting each time.

    Obviously I changed the relevant rules to "Terminate" once I was done testing and confident that I wasn't about to lock myself out remotely.

    1. Glad it helped, good point on the comments in fact I ended up doing the same!

  3. Awesome write up. I couldn't remember the LDAP member of and your page helped me remember what I was looking for.

  4. Awesome guide, thanks so much. Helped tons.
