Thursday, 13 February 2014

Cisco ASA 5520 VPN - Locked down to Active Directory group

We recently had a requirement to secure the VPN used by our staff so that only members of a particular Active Directory group can connect. This sounds like a pretty straightforward thing to accomplish, but I struggled with it for a few hours.

I found that there are several ways of doing this, and I only found the easiest and best way after attempting the more complex method.


Before we configure the ASA, we need to create and note down a few things in Active Directory.
  • Create a NEW user account with no special rights, just a Domain User - call this "Bind", as it will be used to bind to AD over LDAP. An ordinary Domain User can already read the user and group objects the ASA needs, so do not add it to any privileged group. Give it a strong, unique password: the ASA stores that password and uses it for every LDAP bind.
  • Create a group called VPN and add the users who are permitted to access the VPN into it. Add the users directly: the memberOf attribute the ASA checks lists only a user's direct group memberships, so members of a nested group will not match.
  • Find the DN (Distinguished Name) of the "Bind" AD user.
    1. Load an Administrative command prompt and run the command below, replacing {username} with the account name (Bind in our case).

       dsquery user -name {username}

    2. You will end up with a response like the following.

       CN=Bind,OU=VPN,OU=Service Users,DC=domain,DC=local

    3. Make a note of this as we will need it later.

Create an LDAP Server

Next you need to logon to the Cisco ASDM for managing the ASA configuration via a GUI.

The first thing we need to complete is to add our AD domain controller to the ASA so that we can authenticate our users.
  1. Once logged in go to the Configuration tab. 
  2. From the left hand menu select Remote Access VPN.
  3. From the Remote Access VPN menu, select and expand AAA/Local Users.
  4. Next select AAA Server Groups.
  5. On the right click Add, give the server group a name (we use it again when we build the connection profile) and set the Protocol to LDAP, then fill in the remaining details as shown below.

6.  With your new AAA Server Group selected in the top pane, click Add on the right hand side in the pane below, to create a new Server inside our server group. Fill in the details for your LDAP server as shown below: the interface the domain controller is reached on, its IP address, the Server Type (Microsoft), the Base DN (the container under which user accounts are searched, for example DC=domain,DC=local), the Scope (All levels beneath the Base DN, so that users in sub-OUs are found), the Naming Attribute, and the Login DN and Login Password of the Bind account.

NOTE - The Naming Attribute is CAsE SenSiTiVE - sAMAccountName
NOTE - You will also need the DN we got from AD earlier for the Login DN field, and the Bind account's password for the Login Password field.
NOTE - Tick Enable LDAP over SSL and use port 636 if your domain controller offers LDAPS. Plain LDAP on port 389 sends the Bind account's password, and every user's password at login, across the network in clear text.

7. Click OK then click Apply.

Create a VPN Dynamic Access Policy

The next thing we need to do is set up who can and cannot access the VPN. We do this with Dynamic Access Policies: first we change the default policy to Deny All, then we create another policy that allows users who are a memberOf the VPN group we created earlier. Because the ASA retrieves the user's memberOf values during LDAP authentication, this only works for connection profiles that authenticate against the LDAP server group we just created.

  1. Once logged in go to the Configuration tab. 
  2. From the left hand menu select Remote Access VPN.
  3. From the left hand menu select and expand Network (Client) Access.
  4. Then select Dynamic Access Policies.
  5. Select the policy with the name DfltAccessPolicy and click Edit on the right hand side.
  6. On the Action tab, change the Action to Terminate and click OK. As shown below.
  7. We have now set our Deny All. Note that DfltAccessPolicy applies to every remote-access session on this ASA that matches no other policy, so any other remote-access connection profile you have (AnyConnect, IPsec or clientless) will also be terminated from now on unless a policy of its own allows it.

8. Next from the right hand side select Add. 

9. Give the new policy a name & description.

10.  In the Selection Criteria section, on the left side click Add.

11. From the drop down list select LDAP. The Attribute ID is memberOf. Then click the Get AD Groups button; ASDM will query the groups through the LDAP server group we created earlier.

12. Search for the VPN group we created earlier, select it so that the criterion reads memberOf = VPN, and click OK, as shown below. Then click OK again. Leave the Action on the new policy as Continue: this is the policy that lets group members through.

Create a Group Policy

Next we need to create a Cisco Group Policy (not Active Directory).
  1. Once logged in go to the Configuration tab. 
  2. From the left hand menu select Remote Access VPN.
  3. From the left hand menu select and expand Network (Client) Access.
  4. Click on Group Policies.
  5. Click Add.
  6. Give it a name, then expand More Options
  7. Untick Inherit next to Simultaneous Logins and set the number of concurrent sessions a single user account may hold (usually 1). This is a per-user limit; the total number of VPN users is bounded by your address pool and your licences, not by this value.
  8. On the left select Servers.
  9. Untick Inherit next to DNS Servers and type the DNS IP address for your clients.
  10. Expand More Options.
  11. Untick Inherit next to Default Domain and type in the default domain name.
  12. Click OK
  13. Then click Apply.

Modify Connection Profiles

The next step will depend on how your clients connect. We use the Cisco AnyConnect VPN client, so we will select the AnyConnect Connection Profile from the left menu. If you use IPsec use the IPsec Connection Profile. The process is very similar for both.

  1. The first thing we need to do is create a new Connection Profile.
  2. Click the Add button, above the list of default connection profiles.
  3. Give it a name and a single-word Alias (your users will see this when they connect), as shown below.
  4. Under Authentication, set the Method to AAA and select the LDAP AAA Server Group we created earlier. Without this the profile authenticates against the ASA's local user database, no memberOf values are retrieved, and DfltAccessPolicy terminates every session.
  5. Select a Client Address Pool (you may need to create one); this is the range of IP addresses your VPN users will be given when they connect.
  6. Next select the Default Group Policy which we created earlier.
  7. Click OK, then click Apply.

NOTE - Do not forget to SAVE the configuration!
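For anyone who prefers the ASA command line, or who wants to check what ASDM has actually written, the equivalent configuration is below. This is an added example written for this post, not configuration taken from the screenshots above. The names AD-LDAP, VPN-Group-Allow, VPN-POOL, STAFF-VPN-GP and STAFF-VPN, the 10.0.0.10 domain controller, the 192.168.50.x address pool and the domain.local domain are assumptions; substitute your own, replace <bind-password> with the Bind account's password, and drop the two LDAP over SSL lines if your domain controller does not offer LDAPS on 636.

```cisco
! AAA server group pointing at the domain controller
! (ASDM: Remote Access VPN > AAA/Local Users > AAA Server Groups)
! Host, DNs and password are placeholders for this example.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=domain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <bind-password>
 ldap-login-dn CN=Bind,OU=VPN,OU=Service Users,DC=domain,DC=local
 server-type microsoft
 ldap-over-ssl enable
 server-port 636

! Dynamic Access Policies
! (ASDM: Remote Access VPN > Network (Client) Access > Dynamic Access Policies)
! The default record now terminates any remote-access session that matches no other DAP.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
! Record for members of the AD group. Its selection criterion
! (LDAP attribute memberOf = VPN) is kept by ASDM in flash:/dap.xml,
! not in the running configuration, so it does not appear here.
dynamic-access-policy-record VPN-Group-Allow
 description "Allow members of the AD group VPN"
 priority 10
 action continue

! Address pool and group policy
! (ASDM: Remote Access VPN > Network (Client) Access > Group Policies)
ip local pool VPN-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
group-policy STAFF-VPN-GP internal
group-policy STAFF-VPN-GP attributes
 vpn-simultaneous-logins 1
 dns-server value 10.0.0.10
 default-domain value domain.local
 vpn-tunnel-protocol ssl-client

! Connection profile (tunnel group) that authenticates against AD-LDAP
! (ASDM: Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles)
tunnel-group STAFF-VPN type remote-access
tunnel-group STAFF-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy STAFF-VPN-GP
tunnel-group STAFF-VPN webvpn-attributes
 group-alias Staff enable

! Persist the configuration (the "do not forget to SAVE" step)
write memory
```

The vpn-tunnel-protocol keyword is the ASA 9.x spelling; on 8.x the AnyConnect protocol is called svc instead. The line that does the locking down is authentication-server-group AD-LDAP: it is what makes the ASA fetch the user's memberOf values, which the DAP record then matches.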

Now test it with your users. :) Test with an account that is in the VPN group and one that is not; the second should be disconnected straight after authenticating. If it does not behave as expected, debug ldap 255 on the ASA console shows the bind, the search for the user and the memberOf values the domain controller returned.
