Networking-Forums.com

Professional Discussions => Security => Topic started by: Dieselboy on July 17, 2020, 03:56:56 AM

Title: Cisco ASA Anyconnect VPN group-policy chosen based on AD user
Post by: Dieselboy on July 17, 2020, 03:56:56 AM
I have the following setup:
Cisco ASA 9.8
Windows 2012 RADIUS server

At the moment I have a list of different tunnel-groups with different URLs and different groups of users connect to their purpose-built tunnel-group based on HTTPS url. When they are authenticated by AD, this simply approves the username/password and allows them in. The problem with this is that I have a long list of tunnel-groups for the different user groups and the config and management could be simpler. The other problem is that a user can authenticate to a different tunnel-group and get access with a group policy that may not suit them.

I'd like to have say 1 tunnel group and a few different policies. Then based on the AD user, they can all connect via the same HTTPS url but based on configured AD they will get the appropriate group-policy.

I've not configured this before and so I looked around the web for a write-up and I found one that mentions AD OU name. However I would like to do it based on AD group membership. Is group membership possible within this context? Or do I need to source something like Cisco ISE to do this?
Title: Re: Cisco ASA Anyconnect VPN group-policy chosen based on AD user
Post by: deanwebb on July 17, 2020, 10:10:04 AM
I know you can do that with PAN and Forescout. :smug:

One thing that can help is to determine if your tunnel-groups line up with actual use cases or if they're just effectively meaningless administrative divisions. For the real use cases, see if any have identical requirements and then consolidate.

The part about getting the wrong group policy is bad stuff, sounds like a flaw in the programming that gives that result. Having an external RADIUS broker that can enforce access with CoA commands might be a better architecture. That would be FreeRADIUS, ISE, or FSCT in my experience.
Title: Re: Cisco ASA Anyconnect VPN group-policy chosen based on AD user
Post by: Otanx on July 17, 2020, 11:21:50 AM
We use groups to match with Anyconnect so maybe it is similar for the web stuff. So something like

ldap attribute-map AD_SERVER_MAP
 ! map-name ties the LDAP attribute to the ASA's Group-Policy attribute
 map-name memberOf Group-Policy
 ! map-value lists each AD group DN and the group-policy it selects
 map-value memberOf "<Group in AD with all the OU stuff here>" group1
 map-value memberOf "<Group2 stuff>" group2
group-policy group1 attributes
 vpn-filter value group1_acl
etc. etc.


-Otanx
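As an added illustration of the approach Otanx describes (example configuration, not from the thread or from Cisco), here is a single tunnel-group whose group-policy is selected by AD group membership, with a fail-closed default. Server names, group DNs, ACL names, the address and the URL are placeholders.

```cisco
! Added example, not the original poster's config. All names/DNs/addresses are placeholders.
! LDAP server object with the attribute map attached to it
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! memberOf -> Group-Policy. Keep each user in only one mapped group; do not rely on
! the outcome for a user who is a member of several mapped groups.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP-ENGINEERING
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE
!
! Fail closed: a valid AD account in no mapped group gets this policy and cannot connect
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-ENGINEERING
 group-lock value VPN-ALL
!
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-FINANCE
 group-lock value VPN-ALL
!
! One tunnel-group and one URL for everybody
tunnel-group VPN-ALL type remote-access
tunnel-group VPN-ALL general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group VPN-ALL webvpn-attributes
 group-url https://vpn.example.com/vpn enable
```

The `vpn-simultaneous-logins 0` default policy is the check for the problem in the first post: authentication succeeding is no longer enough to get a session, the AD group has to map to a policy. The attribute map only works with an LDAP aaa-server; with RADIUS (NPS) the equivalent is having the server return the IETF Class attribute (25) as `OU=GP-NAME;`, which the ASA reads as the group-policy name.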
Title: Re: Cisco ASA Anyconnect VPN group-policy chosen based on AD user
Post by: Dieselboy on July 21, 2020, 10:57:51 PM
Thanks guys

Can you use the "ldap attribute-map" when using RADIUS? Or do I need to switch to LDAP on the ASA side to be able to use that?

I have been considering moving to SAML instead so 2FA works a bit better.
Title: Re: Cisco ASA Anyconnect VPN group-policy chosen based on AD user
Post by: Otanx on July 22, 2020, 10:52:54 AM
I am not sure. I know we couldn't, but that was because we were using a third party RADIUS server not linked to AD. It didn't have groups setup, and we didn't want to duplicate work for new users. We did the LDAP mappings to AD to get our groups.

-Otanx