Restrict Cisco AnyConnect VPN login based on AD Group

Steps to restrict Cisco AnyConnect VPN login based on AD Group

Refer to Cisco AnyConnect VPN with CLI before continuing with the lab below.

AAA Group for LDAP Authentication

Create an AD Group named VPN and assign UAT1 as a member of the VPN Group.

Cisco AnyConnect VPN login based on AD Group

Create a Server Group (AD) for LDAP Authentication against the Domain Controller (10.10.10.230).

aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.10.230
 ldap-base-dn DC=mylab,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn [email protected]
 server-type microsoft

Verify that LDAP Authentication is working:

ASAv(config)# debug ldap 255
ASAv(config)# test aaa-server authentication AD host 10.10.10.230 username uat1 password P@ssw0rd

    INFO: Attempting Authentication test to IP address (10.10.10.230) 
    INFO: Authentication Successful

LDAP Attribute Maps

In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory (AD) attribute memberOf, to the IETF-Radius-Class attribute that is understood by the VPN headend.

Refer to the Cisco documentation – ASA Use of LDAP Attribute Maps Configuration Example – for more detailed information.

Create an LDAP Attribute Map (LDAP-VPN) to map the AD Group (VPN) to the Group Policy gp_ANYCONNECT.

AD attributes are CASE SENSITIVE in the LDAP Attribute Map.

ldap attribute-map LDAP-VPN
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN,OU=LAB,DC=mylab,DC=local gp_ANYCONNECT

New Group Policy – gp_NO-ACCESS

Create a new Group Policy (gp_NO-ACCESS) to DENY login to users who are NOT members of the VPN Group, using vpn-simultaneous-logins 0.

group-policy gp_NO-ACCESS internal
group-policy gp_NO-ACCESS attributes
 vpn-simultaneous-logins 0

Update the existing Group Policy (gp_ANYCONNECT) with vpn-simultaneous-logins 500 (the maximum number of allowed VPN sessions).

group-policy gp_ANYCONNECT attributes
 dns-server value 10.10.10.230
 vpn-simultaneous-logins 500

Change the Default Group Policy of the Tunnel Group

Modify the Tunnel-Group (prof_ANYCONNECT):

  • Use the AAA Group (AD) to authenticate AnyConnect Clients
  • Change the Default Group Policy to gp_NO-ACCESS to DENY login to users who are not members of the VPN Group

tunnel-group prof_ANYCONNECT general-attributes
 authentication-server-group AD LOCAL
 default-group-policy gp_NO-ACCESS
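The attribute map, the gp_NO-ACCESS policy and the tunnel-group default together form a fail-closed decision: a user is only let in when one of their memberOf values matches a map-value entry exactly. The following Python model is an added example, not code from the original post or from Cisco. It assumes (as the post's case-sensitivity caveat implies) that the ASA compares each memberOf DN against the map-value entries as an exact, case-sensitive string, that the first match wins, that a user with no match keeps the tunnel-group default policy, and that a policy with vpn-simultaneous-logins 0 rejects the login. The directory results for uat1 and uat2 and the wrong-case map are constructed for illustration.

```python
"""Added example (not the post's own): models how the ASA turns a user's LDAP
attributes into a group policy for this lab, and why case matters."""

# ldap attribute-map LDAP-VPN, as configured in the post
LDAP_VPN_MAP = {
    "memberOf": {  # map-name memberOf Group-Policy
        "CN=VPN,OU=LAB,DC=mylab,DC=local": "gp_ANYCONNECT",
    },
}

# The same map typed in the wrong case (constructed to show the caveat).
LDAP_VPN_MAP_WRONG_CASE = {
    "memberOf": {
        "cn=vpn,ou=lab,dc=mylab,dc=local": "gp_ANYCONNECT",
    },
}

# Only the attribute that matters for the allow/deny decision.
GROUP_POLICIES = {
    "gp_ANYCONNECT": {"vpn-simultaneous-logins": 500},
    "gp_NO-ACCESS": {"vpn-simultaneous-logins": 0},
}

# tunnel-group prof_ANYCONNECT general-attributes -> default-group-policy
TUNNEL_GROUP_DEFAULT_POLICY = "gp_NO-ACCESS"

# Constructed directory results, as the DC might return them for the lab users.
UAT1_ATTRS = {
    "sAMAccountName": ["uat1"],
    "memberOf": ["CN=VPN,OU=LAB,DC=mylab,DC=local"],
}
UAT2_ATTRS = {
    "sAMAccountName": ["uat2"],
    "memberOf": ["CN=Staff,OU=LAB,DC=mylab,DC=local"],  # constructed group, not VPN
}


def mapped_group_policy(ldap_attrs, attribute_map, default_policy):
    """Return the group policy name the ASA would apply to this user
    (assumed semantics: exact, case-sensitive match; first match wins)."""
    for attr_name, value_map in attribute_map.items():
        for value in ldap_attrs.get(attr_name, []):
            if value in value_map:  # "cn=vpn,..." does not equal "CN=VPN,..."
                return value_map[value]
    # No map-value matched: the tunnel-group default policy applies.
    return default_policy


def decide_login(ldap_attrs, attribute_map=LDAP_VPN_MAP,
                 default_policy=TUNNEL_GROUP_DEFAULT_POLICY):
    """Return (policy_name, allowed); allowed is False when the assigned
    policy has vpn-simultaneous-logins 0."""
    policy = mapped_group_policy(ldap_attrs, attribute_map, default_policy)
    allowed = GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
    return policy, allowed


if __name__ == "__main__":
    for name, attrs in (("uat1", UAT1_ATTRS), ("uat2", UAT2_ATTRS)):
        print(name, decide_login(attrs))
    # A VPN member evaluated against the wrong-case map falls back to gp_NO-ACCESS.
    print("uat1 / wrong-case map", decide_login(UAT1_ATTRS, LDAP_VPN_MAP_WRONG_CASE))
```

The third call shows the practical consequence of the case-sensitivity caveat: a typo in the map-value DN does not open access to the wrong people, it silently denies the right ones, which is what the debug ldap output in the verification section would reveal.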

Assign ldap-attribute-map to AAA Group

Assign the ldap-attribute-map (LDAP-VPN) to the AAA Group (AD).

aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.10.230
 ldap-attribute-map LDAP-VPN
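Because the restriction depends on several pieces of configuration agreeing with each other (the tunnel-group default policy, the zero-session policy, the attribute map and its assignment to the aaa-server host), a quick audit of the running-config catches the common mistakes before a non-member is allowed in. The script below is an added example, not the post's or Cisco's code. It assumes a running-config in the indentation style shown on this page (top-level commands at column 0, sub-commands indented); the sample config is built from the post's commands with a placeholder bind DN instead of the real ldap-login-dn, and the two weakened variants are constructed.

```python
"""Added example (not the post's own): audit an ASA running-config for the
fail-closed AD-group restriction configured in this lab."""
import re

# Constructed from the commands in the post; the bind DN is a placeholder.
SAMPLE_CONFIG = """\
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.10.230
 ldap-base-dn DC=mylab,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=BIND-ACCOUNT-PLACEHOLDER,DC=mylab,DC=local
 server-type microsoft
 ldap-attribute-map LDAP-VPN
ldap attribute-map LDAP-VPN
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN,OU=LAB,DC=mylab,DC=local gp_ANYCONNECT
group-policy gp_NO-ACCESS internal
group-policy gp_NO-ACCESS attributes
 vpn-simultaneous-logins 0
group-policy gp_ANYCONNECT internal
group-policy gp_ANYCONNECT attributes
 dns-server value 10.10.10.230
 vpn-simultaneous-logins 500
tunnel-group prof_ANYCONNECT general-attributes
 authentication-server-group AD LOCAL
 default-group-policy gp_NO-ACCESS
"""

# Constructed weak variants: wrong default policy, and map never assigned.
WEAK_CONFIG_OPEN_DEFAULT = SAMPLE_CONFIG.replace(
    "default-group-policy gp_NO-ACCESS", "default-group-policy gp_ANYCONNECT")
WEAK_CONFIG_NO_MAP = SAMPLE_CONFIG.replace(" ldap-attribute-map LDAP-VPN\n", "")


def parse_blocks(config_text):
    """Split ASA-style config into {top-level command: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit_vpn_group_restriction(config_text, tunnel_group="prof_ANYCONNECT"):
    """Return a list of findings; an empty list means the fail-closed setup is present."""
    blocks = parse_blocks(config_text)
    findings = []

    default_policy = auth_group = None
    for line in blocks.get(f"tunnel-group {tunnel_group} general-attributes", []):
        words = line.split()
        if words[0] == "default-group-policy":
            default_policy = words[1]
        elif words[0] == "authentication-server-group":
            auth_group = words[1]

    # 1. The default policy must deny sessions, otherwise non-members get in.
    if default_policy is None:
        findings.append(f"tunnel-group {tunnel_group}: no default-group-policy configured")
    elif "vpn-simultaneous-logins 0" not in blocks.get(f"group-policy {default_policy} attributes", []):
        findings.append(f"tunnel-group {tunnel_group}: default policy {default_policy} "
                        "lacks 'vpn-simultaneous-logins 0', so non-members could log in")

    # 2. The LDAP server group must carry the attribute map, and the map must be sane.
    if auth_group is None:
        findings.append(f"tunnel-group {tunnel_group}: no authentication-server-group")
        return findings
    host_keys = [k for k in blocks
                 if re.match(rf"aaa-server {re.escape(auth_group)} \(\S+\) host ", k)]
    if not host_keys:
        findings.append(f"no aaa-server host entry for group {auth_group}")
    for key in host_keys:
        map_names = [l.split()[1] for l in blocks[key] if l.startswith("ldap-attribute-map ")]
        if not map_names:
            findings.append(f"{key}: no ldap-attribute-map assigned, memberOf is never mapped")
        for name in map_names:
            map_lines = blocks.get(f"ldap attribute-map {name}")
            if map_lines is None:
                findings.append(f"{key}: ldap-attribute-map {name} referenced but not defined")
                continue
            if not any(l.split()[:3] == ["map-name", "memberOf", "Group-Policy"] for l in map_lines):
                findings.append(f"ldap attribute-map {name}: missing 'map-name memberOf Group-Policy'")
            for l in map_lines:
                words = l.split()
                if words[0] == "map-value" and f"group-policy {words[-1]} attributes" not in blocks:
                    findings.append(f"ldap attribute-map {name}: maps to undefined group-policy {words[-1]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", SAMPLE_CONFIG), ("open default", WEAK_CONFIG_OPEN_DEFAULT),
                       ("no map", WEAK_CONFIG_NO_MAP)):
        print(label, "->", audit_vpn_group_restriction(cfg) or "OK")
```

Run it against the output of `show running-config` saved to a file; the two weakened variants show the two ways this setup most often silently fails open: the tunnel-group still pointing at a permissive default policy, and the map defined but never attached to the aaa-server host.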

Cisco AnyConnect VPN login based on AD Group – Member of VPN Group

Group Policy gp_ANYCONNECT is assigned to UAT1, who is a member of the VPN Group, and UAT1 logs in successfully.

[132] Connect to LDAP server: ldap://10.10.10.230:389, status = Successful
[132] Authentication successful for uat1 to 10.10.10.230
[132]   memberOf: value = CN=VPN,OU=LAB,DC=mylab,DC=local
[132]           mapped to Group-Policy: value = gp_ANYCONNECT
[132]           mapped to LDAP-Class: value = gp_ANYCONNECT

Cisco AnyConnect VPN login based on AD Group – Non-Member of VPN Group

Group Policy gp_NO-ACCESS is assigned to UAT2, who is NOT a member of the VPN Group, and UAT2 fails to connect with the AnyConnect VPN Client.
