Cisco ASA Anyconnect VPN group-policy chosen based on AD user

Started by Dieselboy, July 17, 2020, 03:56:56 AM


Dieselboy

I have the following setup:
Cisco ASA 9.8
Windows 2012 RADIUS server

At the moment I have a list of different tunnel-groups with different URLs and different groups of users connect to their purpose-built tunnel-group based on HTTPS url. When they are authenticated by AD, this simply approves the username/password and allows them in. The problem with this is that I have a long list of tunnel-groups for the different user groups and the config and management could be simpler. The other problem is that a user can authenticate to a different tunnel-group and get access with a group policy that may not suit them.

I'd like to have say 1 tunnel group and a few different policies. Then based on the AD user, they can all connect via the same HTTPS url but based on configured AD they will get the appropriate group-policy.

I've not configured this before and so I looked around the web for a write-up and I found one that mentions AD OU name. However I would like to do it based on AD group membership. Is group membership possible within this context? Or do I need to source something like Cisco ISE to do this?

deanwebb

I know you can do that with PAN and Forescout. :smug:

One thing that can help is to determine if your tunnel-groups line up with actual use cases or if they're just effectively meaningless administrative divisions. For the real use cases, see if any have identical requirements and then consolidate.

The part about getting the wrong group policy is bad stuff, sounds like a flaw in the programming that gives that result. Having an external RADIUS broker that can enforce access with CoA commands might be a better architecture. That would be FreeRADIUS, ISE, or FSCT in my experience.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

We use groups to match with Anyconnect so maybe it is similar for the web stuff. So something like

ldap attribute-map AD_SERVER_MAP
 map-name memberOf Group-Policy
 map-value memberOf "<DN of group 1 in AD, CN=...,OU=...,DC=...>" group1
 map-value memberOf "<DN of group 2 in AD>" group2
aaa-server <your LDAP server group> host <AD server>
 ldap-attribute-map AD_SERVER_MAP
group-policy group1 attributes
 vpn-filter value group1_acl
etc. etc


-Otanx
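A fuller version of the approach Otanx sketches, added here as an example rather than taken from his configuration: one tunnel-group, an LDAP server group pointing at AD with the attribute map attached, and a deny-all default policy so that a user whose AD groups match nothing in the map cannot log in with some unintended policy. All names (AD_LDAP, VPN_ALL, GP_*, the ACL names, DNs, IP and service account) are placeholders, not values from the thread.

```cisco
! Added example, not configuration from the thread. All names, DNs and addresses are placeholders.

! Translate AD memberOf values into the ASA's internal Group-Policy attribute.
ldap attribute-map AD_SERVER_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP_FINANCE
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP_ENGINEERING

! LDAP server group for AD. LDAPS keeps the bind credentials and user passwords off the wire in clear.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD_SERVER_MAP

! Catch-all policy: zero simultaneous logins means "authenticated but not authorised".
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_FINANCE internal
group-policy GP_FINANCE attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value FINANCE_ACL

group-policy GP_ENGINEERING internal
group-policy GP_ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ENGINEERING_ACL

! One tunnel-group for everyone. The attribute map overrides the default policy when a group matches;
! anyone with no matching group is left on GP_NOACCESS and is refused.
tunnel-group VPN_ALL type remote-access
tunnel-group VPN_ALL general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
tunnel-group VPN_ALL webvpn-attributes
 group-alias VPN enable
```

Two things to check once this is in place. First, `test aaa-server authentication AD_LDAP host 10.0.0.10 username <user> password <pw>` with `debug ldap 255` running shows the memberOf values AD returned and which one the map turned into a Group-Policy; if a user is a member of more than one mapped group, the ASA applies the first match it finds, so keep the mapped groups mutually exclusive or accept that ordering decides. Second, confirm the deny path by testing with an account that is in no mapped group: it should authenticate and then be rejected with a login-limit message, which is exactly the behaviour that closes the "wrong group policy" gap from the first post.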

Dieselboy

Thanks guys

Can you use the "ldap attribute-map" when using RADIUS? Or do I need to switch to LDAP on the ASA side to be able to use that?

I have been considering moving to SAML instead so 2FA works a bit better.
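On the RADIUS question: the `ldap attribute-map` is only consulted when the ASA itself talks LDAP, so it does nothing for a RADIUS server group. The equivalent with RADIUS is to have the server return the standard IETF Class attribute (attribute 25) with the value `OU=<group-policy-name>;`, which the ASA interprets as the group-policy to apply. The ASA side is shown below as an added example, not configuration from the thread; AD_RADIUS, the address, the shared secret and the policy names are placeholders, and GP_NOACCESS is assumed to be a deny-all policy with `vpn-simultaneous-logins 0`.

```cisco
! Added example, not configuration from the thread. Names, address and key are placeholders.

! RADIUS server group pointing at the Windows NPS host.
aaa-server AD_RADIUS protocol radius
aaa-server AD_RADIUS (inside) host 10.0.0.20
 key <placeholder-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Same single tunnel-group idea: the default policy denies, RADIUS promotes.
tunnel-group VPN_ALL general-attributes
 authentication-server-group AD_RADIUS
 default-group-policy GP_NOACCESS

! Expected attribute in the Access-Accept from NPS for a finance user:
!   Class = "OU=GP_FINANCE;"
! The ASA matches this against a group-policy named GP_FINANCE and applies it.
```

On the NPS side this is one network policy per AD group: condition "Windows Groups" set to the group, and under Settings > RADIUS Attributes > Standard add `Class` with the string value `OU=GP_FINANCE;` (the trailing semicolon matters). A user who matches no network policy gets an Access-Reject, and one who matches a policy that returns no Class attribute falls back to the tunnel-group default, which is why that default should be the deny-all policy. `show vpn-sessiondb anyconnect` on the ASA lists the group-policy each session actually received, which is the quickest way to confirm the attribute is being honoured.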

Otanx

I am not sure. I know we couldn't, but that was because we were using a third party RADIUS server not linked to AD. It didn't have groups setup, and we didn't want to duplicate work for new users. We did the LDAP mappings to AD to get our groups.

-Otanx