AnyConnect SSL VPN with ADS

1. Map your AD server in the ASA as an LDAP AAA server:

aaa-server ADS protocol ldap
aaa-server ADS (outside) host 123.123.123.2
 ldap-base-dn DC=vardhmaan,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password eve@12345
 ldap-login-dn administrator@vardhmaan.com
 server-type Microsoft

2. Verify that LDAP authentication works:

# debug ldap 255
# test aaa-server authentication ADS host 123.123.123.2 username administrator password eve@12345
INFO: Authentication Successful

3. Local address pool for VPN users:

# ip local pool ITS_VPN 192.168.55.5-192.168.55.10 mask 255.255.255.0

4. Access list naming the networks reachable through the tunnel (used below as the split-tunnel list), to allow access between 192.168.55.0/24 and 192.168.4.0/24:

# access-list SPLIT-TUNNEL extended permit ip 192.168.35.0 255.255.255.0 192.168.55.0 255.255.255.0

5. Create NAT rules (identity NAT, so traffic between the LAN and the VPN pool is not translated):

object network ITS_VPN
 subnet 192.168.55.0 255.255.255.0
 description ITS VPN network
object network LAN_INSIDE
 subnet 192.168.35.0 255.255.255.0
 description LAN

nat (inside,outside) source static LAN_INSIDE LAN_INSIDE destination static ITS_VPN ITS_VPN

6. Create the group policy, tunnel group and VPN profile:

# group-policy ITS_VPN_GP internal
# group-policy ITS_VPN_GP attributes
 wins-server none
 dns-server value 123.123.123.2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value vardhmaan.com
# tunnel-group ITS_VPN_TG type remote-access
# tunnel-group ITS_VPN_TG general-attributes
 address-pool ITS_VPN
 authentication-server-group ADS
 default-group-policy ITS_VPN_GP
# tunnel-group ITS_VPN_TG webvpn-attributes
 group-alias ITS_VPN enable

Note that the split-tunnel network list only takes effect when the group policy also sets split-tunnel-policy tunnelspecified; with the default policy (tunnelall) the list is ignored and all client traffic goes through the tunnel.

7. In the AD server, create the OU >> ITS.

Create the group object in the AD server under that OU >> IT Admins.

Create a user and set its group membership >> IT Admins/test.it.

LDAP attribute map (maps the user's memberOf value to a group policy):

ldap attribute-map IT-Admins
 map-name memberOf Group-Policy
 map-value memberOf CN=IT-Admins,OU=ITS,DC=vardhmaan,DC=com ITS_VPN_GP

Related dynamic access policy records:

dynamic-access-policy-record IT-Admins (AD Group)
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record VPN-Access
 priority 10

New group policy gp_NO-ACCESS (allows zero simultaneous logins, so any user who lands on it is denied):

group-policy gp_NO-ACCESS internal
group-policy gp_NO-ACCESS attributes
 vpn-simultaneous-logins 0

Update the existing group policy (gp_ANYCONNECT) with vpn-simultaneous-logins 500 (the number of allowed VPN sessions):

group-policy gp_ANYCONNECT attributes
 dns-server value 123.123.123.2
 vpn-simultaneous-logins 500

Change the default group policy of the tunnel group

Modify the tunnel group (prof_ANYCONNECT):
 to use the AAA group (AD) to authenticate AnyConnect clients;
 to change the default group policy to gp_NO-ACCESS, which denies login to users who are not members of the VPN group.

tunnel-group prof_ANYCONNECT general-attributes
 authentication-server-group AD LOCAL
 default-group-policy gp_NO-ACCESS

Assign the LDAP attribute map to the AAA group

Assign the ldap-attribute-map (LDAP-VPN) to the AAA group (AD):

aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.10.230
 ldap-attribute-map LDAP-VPN

Cisco AnyConnect VPN login based on AD group: member of the VPN group

Group policy gp_ANYCONNECT is assigned to UAT1, who is a member of the VPN group, and UAT1 logs in successfully. The debug ldap output shows the memberOf value and the resulting mapping:

[132] Connect to LDAP server: ldap://10.10.10.230:389, status = Successful
[132] Authentication successful for uat1 to 10.10.10.230
[132] memberOf: value = CN=VPN,OU=LAB,DC=mylab,DC=local
[132] mapped to Group-Policy: value = gp_ANYCONNECT
[132] mapped to LDAP-Class: value = gp_ANYCONNECT

Cisco AnyConnect VPN login based on AD group: non-member of the VPN group

Group policy gp_NO-ACCESS (the tunnel group default) is assigned to UAT2, who is NOT a member of the VPN group, so no memberOf value matches the attribute map and UAT2 fails to connect with the AnyConnect VPN client.
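As an added example (not part of the original document), the following Python script parses debug ldap 255 output in the format shown above and reports, per session, which group policy the user was mapped to; a user whose memberOf values match no map-value produces no "mapped to Group-Policy" line and falls through to the tunnel group's default gp_NO-ACCESS. The sample debug lines, including the uat2 session, are constructed.

```python
import re
from typing import Dict

# Constructed sample of `debug ldap 255` output, modelled on the lines in the
# document: session 132 (uat1, member of CN=VPN) is mapped to gp_ANYCONNECT;
# session 133 (uat2, constructed) has no matching memberOf and is not mapped.
SAMPLE_DEBUG = """\
[132] Connect to LDAP server: ldap://10.10.10.230:389, status = Successful
[132] Authentication successful for uat1 to 10.10.10.230
[132] memberOf: value = CN=VPN,OU=LAB,DC=mylab,DC=local
[132] mapped to Group-Policy: value = gp_ANYCONNECT
[132] mapped to LDAP-Class: value = gp_ANYCONNECT
[133] Connect to LDAP server: ldap://10.10.10.230:389, status = Successful
[133] Authentication successful for uat2 to 10.10.10.230
[133] memberOf: value = CN=Domain Users,OU=LAB,DC=mylab,DC=local
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")
AUTH_OK = "Authentication successful for "
MEMBER_OF = "memberOf: value = "
MAPPED_GP = "mapped to Group-Policy: value = "


def parse_ldap_debug(text: str, deny_policy: str = "gp_NO-ACCESS") -> Dict[str, dict]:
    """Group debug lines by their [session] id and work out the group policy each
    authenticated user ended up with. deny_policy is the tunnel group's default
    policy (gp_NO-ACCESS in the document, with vpn-simultaneous-logins 0): a
    session that binds successfully but produces no 'mapped to Group-Policy'
    line falls through to it and the login is refused."""
    sessions: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions.setdefault(
            sid, {"user": None, "auth_ok": False, "member_of": [], "policy": None})
        if msg.startswith(AUTH_OK):
            s["auth_ok"] = True
            s["user"] = msg[len(AUTH_OK):].split()[0]
        elif msg.startswith(MEMBER_OF):
            s["member_of"].append(msg[len(MEMBER_OF):])
        elif msg.startswith(MAPPED_GP):
            s["policy"] = msg[len(MAPPED_GP):]
    for s in sessions.values():
        if s["auth_ok"] and s["policy"] is None:
            s["policy"] = deny_policy  # no attribute-map hit: default applies
        s["allowed"] = s["auth_ok"] and s["policy"] != deny_policy
    return sessions


if __name__ == "__main__":
    for sid, s in parse_ldap_debug(SAMPLE_DEBUG).items():
        print(sid, s["user"], s["policy"], "ALLOWED" if s["allowed"] else "DENIED")
```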
