We have several AnyConnect VPN tunnel groups on our ASAv.
Each tunnel group has its own authentication server group defined along with ldap attribute map.
The problem is that users who are not members of the LDAP group mapped to IETF-Radius-Class are allowed to connect.
In the following example, users who are not members of "CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local" are allowed to access group-policy Corp_SPARCK_Policy:
tunnel-group Corp_SPARCK type remote-access
tunnel-group Corp_SPARCK general-attributes
 address-pool anyconnect-pool-corp
 authentication-server-group Corp_SPARCK_LDAP
 default-group-policy Corp_SPARCK_Policy
tunnel-group Corp_SPARCK webvpn-attributes
 group-alias sparck enable
 group-url https://rns.cocacolaflorida.com/sparck enable
 group-url https://rnslb.cocacolaflorida.com/sparck enable
!
aaa-server Corp_SPARCK_LDAP protocol ldap
aaa-server Corp_SPARCK_LDAP (inside) host 10.15.8.31
 ldap-base-dn dc=cbf, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn vpnauth@cbf.local
 server-type microsoft
 ldap-attribute-map Corp_SPARCK_Map
!
ldap attribute-map Corp_SPARCK_Map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local" Corp_SPARCK_Policy
!
group-policy Corp_SPARCK_Policy internal
group-policy Corp_SPARCK_Policy attributes
 dns-server value 10.15.8.31 10.14.8.31
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Corp_SPARCK_Filter
 default-domain value cbf.local
 split-tunnel-all-dns disable
 address-pools value anyconnect-pool-corp
I'm not sure whether I have an error or a misconfiguration.
Thanks everyone for the help!
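The behaviour described in the post is worth modelling explicitly, because the ASA's LDAP attribute map only selects a group-policy when a map-value matches; it does not reject users whose memberOf values match nothing. Those users fall through to the tunnel group's default-group-policy, which in the config above is the same policy the map grants to members. The script below is an added illustration (not Cisco code and not the poster's config): it parses the relevant lines of the posted config, resolves the policy a user would receive from a constructed set of memberOf values, and contrasts it with a hardened variant that points default-group-policy at a hypothetical NOACCESS policy with vpn-simultaneous-logins 0. The exact-string DN comparison and the ASA's default of 3 simultaneous logins are simplifications of this model.

```python
"""Model of how an ASA picks a group-policy from an LDAP attribute map.

Added illustration, not Cisco software. Resolution order follows the ASA's
documented behaviour: first matching map-value wins, otherwise the tunnel
group's default-group-policy applies. Login is refused only when the chosen
policy has vpn-simultaneous-logins 0.
"""
import shlex

# Constructed excerpt of the config from the post (only the lines the
# resolver needs). Non-members end up in Corp_SPARCK_Policy via the default.
ORIGINAL_CONFIG = """
tunnel-group Corp_SPARCK general-attributes
 default-group-policy Corp_SPARCK_Policy
ldap attribute-map Corp_SPARCK_Map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local" Corp_SPARCK_Policy
group-policy Corp_SPARCK_Policy internal
"""

# Hypothetical hardened variant: NOACCESS is a constructed policy name; the
# default now denies anyone the attribute map does not explicitly place.
HARDENED_CONFIG = """
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group Corp_SPARCK general-attributes
 default-group-policy NOACCESS
ldap attribute-map Corp_SPARCK_Map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local" Corp_SPARCK_Policy
group-policy Corp_SPARCK_Policy internal
"""

ASA_DEFAULT_SIM_LOGINS = 3  # ASA default when a policy does not set the limit


def parse_config(text):
    """Pull default-group-policy, map-value entries and per-policy
    vpn-simultaneous-logins out of an ASA config excerpt."""
    cfg = {"default_policy": None, "map_values": {}, "sim_logins": {}}
    current_policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = shlex.split(line)  # keeps the quoted DN as one token
        if tokens[0] == "group-policy" and len(tokens) == 3 and tokens[2] == "attributes":
            current_policy = tokens[1]
        elif tokens[0] == "vpn-simultaneous-logins" and current_policy:
            cfg["sim_logins"][current_policy] = int(tokens[1])
        elif tokens[0] == "default-group-policy":
            cfg["default_policy"] = tokens[1]
        elif tokens[0] == "map-value" and tokens[1] == "memberOf":
            # map-value memberOf "<DN>" <group-policy>
            cfg["map_values"][tokens[2]] = tokens[3]
    return cfg


def resolve_policy(cfg, member_of):
    """First map-value matching one of the user's memberOf DNs wins; with no
    match the ASA silently applies the tunnel group's default-group-policy."""
    for dn in member_of:
        if dn in cfg["map_values"]:
            return cfg["map_values"][dn]
    return cfg["default_policy"]


def session_allowed(cfg, member_of):
    """Return (allowed, policy_name). Only a 0 login limit blocks the user."""
    policy = resolve_policy(cfg, member_of)
    limit = cfg["sim_logins"].get(policy, ASA_DEFAULT_SIM_LOGINS)
    return limit > 0, policy


if __name__ == "__main__":
    # Constructed memberOf values for a group member and a non-member.
    member = ["CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local"]
    non_member = ["CN=Domain Users,CN=Users,DC=cbf,DC=local"]
    for label, text in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_config(text)
        print(label, "member    ->", session_allowed(cfg, member))
        print(label, "non-member->", session_allowed(cfg, non_member))
```

Running it shows the non-member admitted into Corp_SPARCK_Policy under the original config and refused under the hardened one, while the group member lands in Corp_SPARCK_Policy in both cases. The same check is useful when reviewing any tunnel group: whatever default-group-policy names is what an authenticated-but-unmapped user gets.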