Device: Cisco ASA 5506X-SFR
Software version: 9.5(1)
ASDM version: 7.5(1)
Client version: AnyConnect 3.1.12020-k9
First configure an LDAP server group under Remote
Access VPN -> AAA/Local Users -> AAA Server Groups:
Then configure the LDAP server in the pane beneath it (Servers in the Selected Group):
Next configure an address pool under Remote Access
VPN -> Network (Client) Access -> Address Assignment -> Address Pools:
Now configure a group policy under Remote Access
VPN -> Network (Client) Access -> Group Policies:
You can leave all parameters set to Inherit; in that
case all traffic is tunneled through the ASA. To change this, go to
Advanced -> Split Tunneling, uncheck Inherit next to Policy and choose Tunnel Network List Below,
then uncheck Inherit next to Network List, click Manage, create a standard access list containing the
ASA internal networks, and select this ACL as the Network List:
Now go to Remote Access VPN -> AnyConnect
Connection Profiles and click Add to configure a new connection profile: type in
a name, choose AAA as the authentication method and select the LDAP server group, then choose
the client address pool and the default group policy we created:
Check SSL Enabled and IPsec Enabled for this
profile and we are ready to connect.
Now let's add a DAP (Dynamic Access Policy) based
on an LDAP attribute. Go to Remote Access VPN -> AAA/Local Users -> LDAP
Attribute Map and click Add; in LDAP Attribute Name type memberOf (case sensitive)
and under Cisco Attribute Name choose Group-Policy:
Click on Mapping of Attribute Value and click
Add; under LDAP Attribute Value type the distinguished name of the corresponding group
(in my example a group called VPN-USERS):
The syntax is as follows: CN=VPN-USERS,OU=Groups,DC=lab,DC=local
In the Cisco Attribute Value field type the
group policy name we just created, in my example RA-ANYCONNECT-GroupPolicy.
This attribute map links the LDAP attributes received
from the LDAP server to parameters the ASA knows (Cisco attributes).
Now go to Remote Access VPN -> AAA/Local
Users -> AAA Server Groups, select the LDAP server under Servers in the Selected Group,
click Edit, and under LDAP Attribute Map
choose the map we've just created:
Now we can start configuring DAP based on user or
group. Go to Remote Access VPN -> Network (Client) Access -> Dynamic
Access Policies and click Add. Type in the policy name, set the ACL priority (all
policies are evaluated from highest to lowest priority), choose whether the attribute must
match ANY, ALL or NONE of the criteria, and click Add to configure an LDAP attribute with ID
memberOf and the value we want to match; here it is the group name VPN-USERS,
but we could also use the username, for example:
Then we can configure different settings for
that particular user/group; here I choose Network ACL Filters (client) and set
an ACL for the group:
Because DfltAccessPolicy is the last DAP evaluated,
configure it with an ACL that denies any traffic, so remote users must be
matched by a prior policy or they will be denied.