ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.17
The ASA can be configured to use an external LDAP, RADIUS, or TACACS+ server to support Authentication, Authorization, and Accounting (AAA) for the ASA. The external AAA server enforces the configured permissions and attributes. Before you configure the ASA to use an external server, you must configure the external AAA server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.
The ASA supports several methods of applying user authorization attributes (also called user entitlements or permissions) to VPN connections. You can configure the ASA to obtain user attributes from any combination of:
If the ASA receives attributes from all sources, the attributes are evaluated, merged, and applied to the user policy. If there are conflicts between attributes, the DAP attributes take precedence.
The ASA applies attributes in the following order:
The ASA enforces LDAP attributes based on attribute name, not numeric ID. RADIUS attributes are enforced by numeric ID, not by name.
For ASDM Version 7.0, LDAP attributes include the cVPN3000 prefix. For ASDM Versions 7.1 and later, this prefix was removed.
LDAP attributes are a subset of the RADIUS attributes, which are listed in the RADIUS chapter.
You can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. For example, you can make sure that the issuer name of the machine certificate matches a particular CA and therefore that the device is a corporate-issued device.
The multiple certificates option allows certificate authentication of both the machine and user via certificates. Without this option, you could only do certificate authentication of one or the other, but not both.
Because multiple certificate authentication requires a machine certificate and a user certificate (or two user certificates), you cannot use AnyConnect start before logon (SBL) with this feature.
The pre-fill username field allows a field from the second (user) certificate to be parsed and used for subsequent AAA authentication in a AAA and certificate authenticated connection. The username for both primary and secondary prefill is always retrieved from the second (user) certificate received from the client.
Beginning with 9.14(1), ASA allows you to specify which certificate the primary and secondary username should come from when configuring multiple certificate authentication and using the pre-fill username option for Authentication or Authorization. For information, see AnyConnect Connection Profile, Authentication Attributes.
With multiple certificate authentication, two certificates are authenticated: the second (user) certificate received from the client is the one that the pre-fill and username-from-certificate primary and secondary usernames are parsed from.
You can also configure multiple certificate authentication with SAML.
With multiple-certificate authentication, you can make policy decisions based on the fields of a certificate used to authenticate that connection attempt. The user and machine certificates received from the client during multiple-certificate authentication are loaded into DAP, so that policies can be configured based on the fields of either certificate. To add multiple certificate authentication using Dynamic Access Policies (DAP) so that you can set up rules to allow or disallow connection attempts, refer to Add Multiple Certificate Authentication to DAP in the appropriate release of the ASA VPN ASDM Configuration Guide.
This section presents example procedures for configuring authentication and authorization on the ASA using the Microsoft Active Directory server. It includes the following topics:
Other configuration examples available on Cisco.com include the following TechNotes.
This example displays a simple banner to the user. It shows how you can map any standard LDAP attribute to a well-known Vendor-Specific Attribute (VSA), and how you can map one or more LDAP attributes to one or more Cisco LDAP attributes. It applies to any connection type, including the IPsec VPN client, AnyConnect SSL VPN client, or clientless SSL VPN.
To enforce a simple banner for a user who is configured on an AD LDAP server, use the Office field in the General tab to enter the banner text. This field uses the attribute named physicalDeliveryOfficeName. On the ASA, create an attribute map that maps physicalDeliveryOfficeName to the Cisco attribute Banner1.
During authentication, the ASA retrieves the value of physicalDeliveryOfficeName from the server, maps the value to the Cisco attribute Banner1, and displays the banner to the user.
Right-click the username, open the Properties dialog box, select the General tab, and enter the banner text in the Office field, which uses the AD/LDAP attribute physicalDeliveryOfficeName.
Create an LDAP attribute map on the ASA.
Create the map Banner and map the AD/LDAP attribute physicalDeliveryOfficeName to the Cisco attribute Banner1:
hostname(config)# ldap attribute-map Banner
hostname(config-ldap-attribute-map)# map-name physicalDeliveryOfficeName Banner1
Associate the LDAP attribute map to the AAA server.
Enter the aaa server host configuration mode for the host 10.1.1.2 in the AAA server group MS_LDAP, and associate the attribute map Banner that you previously created:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map Banner
Test the banner enforcement.
This example applies to any connection type, including the IPsec VPN client, AnyConnect SSL VPN client, or clientless SSL VPN. In this example, User1 is connecting through a clientless SSL VPN connection.
To place an LDAP user into a specific group policy, use the Department field of the Organization tab to enter the name of the group policy. Then create an attribute map, and map Department to the Cisco attribute IETF-Radius-Class.
During authentication, the ASA retrieves the value of Department from the server, maps the value to the IETF-Radius-Class, and places User1 in the group policy.
Right-click the username, open the Properties dialog box, select the Organization tab, and enter Group-Policy-1 in the Department field.
Define an attribute map for the LDAP configuration.
Map the AD attribute Department to the Cisco attribute IETF-Radius-Class:
hostname(config)# ldap attribute-map group_policy
hostname(config-ldap-attribute-map)# map-name Department IETF-Radius-Class
Associate the LDAP attribute map to the AAA server.
Enter the aaa server host configuration mode for the host 10.1.1.2 in the AAA server group MS_LDAP, and associate the attribute map group_policy that you previously created:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map group_policy
On the ASA, add the group policy Group-policy-1 (the name entered in the Department field on the server) and configure the policy attributes that will be assigned to the user:
hostname(config)# group-policy Group-policy-1 external server-group LDAP_demo
hostname(config-aaa-server-group)#
Establish the VPN connection as the user would, and verify that the session inherits the attributes from Group-Policy-1 (and any other applicable attributes from the default group policy).
Monitor the communication between the ASA and the server by enabling the debug ldap 255 command from privileged EXEC mode. The following is sample output from this command, which has been edited to provide the key messages:
[29] Authentication successful for user1 to 10.1.1.2
[29] Retrieving user attributes from server 10.1.1.2
[29] Retrieved Attributes:
[29]     department: value = Group-Policy-1
[29]         mapped to IETF-Radius-Class: value = Group-Policy-1
This example applies to full-tunnel clients, such as the IPsec client and the SSL VPN clients.
To enforce a static AnyConnect IP assignment, configure the AnyConnect client user Web1 to receive a static IP address: enter the address in the Assign Static IP Address field of the Dialin tab on the AD LDAP server (this field uses the msRADIUSFramedIPAddress attribute), and create an attribute map that maps this attribute to the Cisco attribute IETF-Radius-Framed-IP-Address.
During authentication, the ASA retrieves the value of msRADIUSFramedIPAddress from the server, maps the value to the Cisco attribute IETF-Radius-Framed-IP-Address, and provides the static address to User1.
Right-click the username, open the Properties dialog box, select the Dial-in tab, check the Assign Static IP Address check box, and enter an IP address of 10.1.1.2.
Create an attribute map for the LDAP configuration shown.
Map the AD attribute msRADIUSFramedIPAddress used by the Static Address field to the Cisco attribute IETF-Radius-Framed-IP-Address:
hostname(config)# ldap attribute-map static_address
hostname(config-ldap-attribute-map)# map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
Associate the LDAP attribute map to the AAA server.
Enter the aaa server host configuration mode for the host 10.1.1.2 in the AAA server group MS_LDAP, and associate the attribute map static_address that you previously created:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map static_address
Verify that the vpn-address-assignment command is configured to specify AAA by viewing this part of the configuration:
hostname(config)# show run all vpn-addr-assign
vpn-addr-assign aaa >
no vpn-addr-assign dhcp
vpn-addr-assign local
hostname(config)#
Establish a connection to the ASA with the AnyConnect client. Observe that the user receives the IP address configured on the server and mapped to the ASA.
Use the show vpn-sessiondb svc command to view the session details and verify the address assigned:
hostname# show vpn-sessiondb svc

Session Type: SVC

Username     : web1                   Index        : 31
Assigned IP  : 10.1.1.2               Public IP    : 10.86.181.70
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 304140                 Bytes Rx     : 470506
Group Policy : VPN_User_Group         Tunnel Group : Group1_TunnelGroup
Login Time   : 11:13:05 UTC Tue Aug 28 2007
Duration     : 0h:01m:48s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
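A small verification helper, added here and not part of the Cisco guide, that parses the debug ldap 255 output and the show vpn-sessiondb svc listing shown in these examples to confirm that each map-name entry was actually applied with the server's value and that the session received the expected Assigned IP. The sample strings are constructed from the excerpts on this page; comparing LDAP attribute names case-insensitively is an assumption based on the debug output reporting department in lower case.

```python
import re
# Constructed sample, modelled on the debug ldap 255 excerpt in this guide.
DEBUG_LDAP_SAMPLE = """\
[29] Retrieved Attributes:
[29]     department: value = Group-Policy-1
[29]         mapped to IETF-Radius-Class: value = Group-Policy-1
"""
# Constructed sample, modelled on the show vpn-sessiondb svc excerpt in this guide.
SESSIONDB_SAMPLE = """\
Session Type: SVC
Username     : web1                   Index        : 31
Assigned IP  : 10.1.1.2               Public IP    : 10.86.181.70
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
"""
RETRIEVED_RE = re.compile(r"^\[\d+\]\s+(?!mapped to )(\S+): value = (.*)$")
MAPPED_RE = re.compile(r"^\[\d+\]\s+mapped to (\S+): value = (.*)$")
# Two "Key : Value" columns per line; a value runs until two or more spaces precede the next key.
SESSION_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")

def parse_debug_ldap(text):
    """Return ({ldap_attr_lowercase: value}, {cisco_attr: value}); AD reports names in lower case."""
    retrieved, mapped = {}, {}
    for line in text.splitlines():
        if m := MAPPED_RE.match(line):
            mapped[m.group(1)] = m.group(2).strip()
        elif m := RETRIEVED_RE.match(line):
            retrieved[m.group(1).lower()] = m.group(2).strip()
    return retrieved, mapped

def check_attribute_map(debug_text, attribute_map):
    """attribute_map mirrors the map-name lines, e.g. {"Department": "IETF-Radius-Class"}."""
    retrieved, mapped = parse_debug_ldap(debug_text)
    problems = []  # empty means every mapping was applied with the server's value
    for ldap_attr, cisco_attr in attribute_map.items():
        if ldap_attr.lower() not in retrieved:
            problems.append(f"{ldap_attr}: not returned by the server")
        elif cisco_attr not in mapped:
            problems.append(f"{ldap_attr}: returned but never mapped to {cisco_attr}")
        elif mapped[cisco_attr] != retrieved[ldap_attr.lower()]:
            problems.append(f"{cisco_attr}: value {mapped[cisco_attr]!r} differs from the server's value")
    return problems

def parse_sessiondb(text):
    """Flatten the two-column session listing into {field: value}."""
    return {k.strip(): v.strip() for line in text.splitlines() for k, v in SESSION_RE.findall(line)}

def check_session(session_text, expected):
    """Report each expected field (e.g. Assigned IP) whose value differs from the listing."""
    fields = parse_sessiondb(session_text)
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}" for k, v in expected.items() if fields.get(k) != v]
```

Feed it the real debug and show output captured from the ASA; an empty list from both checks means the attribute map and the address assignment behaved as the procedure expects.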
This example creates an LDAP attribute map that specifies the tunneling protocols allowed by the user. You map the allow access and deny access settings on the Dialin tab to the Cisco attribute Tunneling-Protocol, which supports the following bitmap values: