asa 5505 vpn and DAP policies

  • asa 5505 vpn and DAP policies


    We have an ASA 5505 and it's configured to use a FreeRADIUS server that authenticates using OpenLDAP. I'm trying to configure Dynamic Access Policies to restrict access based upon what group a user belongs to. In LDAP I have an attribute called vpnaccess with values "systems" and "common". Also, I've created an LDAP Attribute Map mapping the vpnaccess to "Cisco IETF-Radius-Class" and mapped the two attribute values to Cisco Attribute Values. I think this is where I get hung up. I created a DAP policy with an AAA Attribute: Radius.25 = vpnAccess. When I connect it doesn't select my DAP policy but falls through and selects the DfltAccessPolicy, which I have configured to terminate the connection.

    Any ideas where I've gone wrong?

    Thanks in advance.

    Clients: SSL/AnyConnect
    ASDM: 6.2
    ASA: 8.2(1)

  • #2
    Re: asa 5505 vpn and DAP policies

    In ASDM under DAP I run Test Dynamic Access Policies...
    it selects the correct DAP policy "CiscoMapPolicy", but when I use a client it runs the DfltAccessPolicy.

    LUA session data tables:
    endpoint.application.clienttype = AnyConnect
    aaa.radius.25 = vpnAccess
    aaa.radius.1 = vpnAccess
    aaa.radius.4242 = vpnAccess = user-name = TGIVPN
    aaa.ldap.memberOf = systems
    aaa.ldap.vpnAccess = systems

    Selected DAP records

    The DAP policy contains the following attributes for user:
    1: action = continue

    The config :

    : Saved
    ASA Version 8.2(1)
    hostname ciscovpn
    enable password Yn8Esq3NcXIHL35v encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    name A- description vpnPool
    name ClassB description internal network
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    description External Interface
    nameif outside
    security-level 0
    ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group network RDP_static
    access-list inside_nat0_outbound extended permit ip ClassB A-
    access-list inside_nat0_outbound extended permit ip A- A-
    access-list outside_access_in extended permit icmp any any
    access-list IPSECTunnel_splitTunnelAcl standard permit A-
    pager lines 24
    logging enable
    logging buffer-size 1048576
    logging asdm-buffer-size 200
    logging console informational
    logging monitor informational
    logging asdm debugging
    logging class svc buffered debugging
    logging class csd buffered debugging
    logging class dap buffered debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPool A- mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside_access_in in interface outside
    route outside 1
    route inside ClassB 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    ldap attribute-map CISCOMAP
    map-name vpnAccess IETF-Radius-Class
    map-value vpnAccess common TGIVPN
    map-value vpnAccess systems TGIVPN
    dynamic-access-policy-record DfltAccessPolicy
    user-message "Using Default Access Policy: Unable to connect."
    action terminate
    aaa-server Test-Radius protocol radius
    aaa-server Test-Radius (inside) host radius
    key xXxXxXxXx
    authentication-port 1812
    accounting-port 1813
    radius-common-pw xXxXxXxXx
    acl-netmask-convert auto-detect
    aaa authentication ssh console LOCAL
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh inside
    ssh outside
    ssh timeout 60
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    enable outside
    svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2 regex "Intel Mac OS X"
    svc image disk0:/anyconnect-macosx-powerpc-2.3.0185-k9.pkg 4 regex "PPC Mac OS X"
    svc image disk0:/anyconnect-macosx-powerpc-2.3.0185-k9.pkg 5 regex "PPC Mac OS X"
    svc image disk0:/anyconnect-linux-64-2.5.2019-k9.pkg 6 regex "Linux x86_64"
    svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 7
    svc enable
    tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
    dns-server value 10.1.x.x 10.1.x.x
    vpn-simultaneous-logins 5
    vpn-tunnel-protocol svc
    address-pools value VPNPool
    customization value Custom_GI
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol webvpn
    group-policy TGISSLVPN internal
    group-policy TGISSLVPN attributes
    dns-server value 10.1.x.x 10.1.x.x
    vpn-tunnel-protocol svc
    group-lock value TGIVPN
    default-domain value
    address-pools value VPNPool
    group-policy sysvpngrp internal
    group-policy sysvpngrp attributes
    vpn-tunnel-protocol svc
    address-pools value VPNPool
    username pixi password CPM7w4UlbHTaR040 encrypted
    tunnel-group GIVPN type remote-access
    tunnel-group GIVPN general-attributes
    address-pool VPNPool
    authentication-server-group Test-Radius
    default-group-policy SSLVPN
    tunnel-group GIVPN webvpn-attributes
    customization Custom_GI
    group-alias VPN enable
    tunnel-group TGIVPN type remote-access
    tunnel-group TGIVPN general-attributes
    address-pool VPNPool
    authentication-server-group Test-Radius
    authorization-server-group Test-Radius
    default-group-policy TGISSLVPN
    tunnel-group TGIVPN webvpn-attributes
    group-alias TGIVPN enable
    tunnel-group sysvpn type remote-access
    tunnel-group sysvpn general-attributes
    address-pool VPNPool
    authentication-server-group Test-Radius
    default-group-policy sysvpngrp
    tunnel-group sysvpn webvpn-attributes
    group-alias sysvpn enable

    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

    Ran "debug dap trace" and "debug ldap 255" and this is what I get:

    DAP_TRACE: Username: jrock, = TGISSLVPN
    DAP_TRACE: Username: jrock, = jrock
    DAP_TRACE: Username: jrock, = TGIVPN
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"] = "TGISSLVPN";
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "jrock";
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "TGIVPN";
    DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "AnyConnect";
    DAP_TRACE: Username: jrock, Selected DAPs:
    DAP_TRACE: dap_request: memory usage = 35%
    DAP_TRACE: dap_process_selected_daps: selected 0 records
    DAP_TRACE: Username: jrock, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: jrock, dap_concat_fcn: [Using Default Access Policy: Unable to connect.] 47 5120
    DAP_TRACE: Username: jrock, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: jrock, DAP_close: D57A10A0

    Thanks again.


    • #3
      Re: asa 5505 vpn and DAP policies

      Could be your Radius server is NOT returning the proper value for IETF-Radius Type 25.

      On your ASA, try running "debug radius all" and look for the section regarding the IETF-Radius Type 25 (Class).

      On my ASA, this record looks like:

      Radius: Type = 25 (0x19) Class
      Radius: Length = 15 (0x0F)
      Radius: Value (String) = 
      6f 75 3d 56 50 4e 41 64 6d 69 6e 73 3b             |  ou=VPNAdmins;

      BTW: I would be interested if/when you find a solution to this. I currently do NOT use DAP in our ASA configuration. I simply configure our ASA to select and assign a connecting user to a group-policy based on the return value of the IETF-Radius Class 25 record. This works great, but I would like to look at implementing DAP in the future. The aggregation part of DAP looks interesting.
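The check suggested in this reply (and the "no Type 25 returned" symptom reported in #5) comes down to one question: does the Access-Accept actually carry a Class (25) attribute? Below is an added example, not part of this thread and not a Cisco or FreeRADIUS tool, that decodes the attribute list of a RADIUS Access-Accept and reports the Class values, so a packet capture of the server's reply can be checked independently of the ASA debug output. The two packets it runs on are constructed inline: one mirrors the "debug radius all" record above (Type 25, Length 15, value "ou=VPNAdmins;"), the other omits Class, which is the case where DAP falls through to DfltAccessPolicy. The user name "jrock" is taken from the DAP_TRACE output in #2.

```python
"""Decode the attribute list of a RADIUS Access-Accept and report Class (25).

Added example, not part of the forum thread or of any Cisco/FreeRADIUS code.
The packet bytes are constructed to mirror the "debug radius all" record quoted
in the thread (Type 25, Length 15, value "ou=VPNAdmins;").
"""
import struct

RADIUS_CLASS = 25
ACCESS_ACCEPT = 2

# RADIUS attribute names for the types the thread mentions (RFC 2865).
ATTR_NAMES = {1: "User-Name", 25: "Class"}


def parse_attributes(payload: bytes) -> list:
    """Walk the TLV list that follows the 20-byte RADIUS header.

    Each attribute is Type (1 byte), Length (1 byte, counting the 2 header
    bytes), Value. A bad length raises instead of being skipped, because a
    silently truncated attribute list is exactly what would hide a missing Class.
    """
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and decoded attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("header length %d != packet size %d" % (length, len(packet)))
    return {
        "code": code,
        "id": ident,
        "authenticator": packet[4:20],
        "attributes": parse_attributes(packet[20:length]),
    }


def class_values(packet: bytes) -> list:
    """Return every Class (25) value in an Access-Accept, decoded as text.

    An empty list is the symptom from the thread: the server accepted the user
    but returned nothing for the ASA's IETF-Radius-Class match.
    """
    parsed = parse_packet(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return []
    return [v.decode("ascii", "replace")
            for t, v in parsed["attributes"] if t == RADIUS_CLASS]


def build_accept(ident: int, attrs: list) -> bytes:
    """Assemble a constructed Access-Accept for decoding practice.

    The authenticator is zeroed: this is a test vector, not a packet to send.
    """
    for _, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one RADIUS attribute")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: what a correctly configured server returns (Class present) ...
ACCEPT_WITH_CLASS = build_accept(1, [(1, b"jrock"), (RADIUS_CLASS, b"ou=VPNAdmins;")])
# ... and the broken case from the thread (User-Name only, no Class attribute).
ACCEPT_WITHOUT_CLASS = build_accept(2, [(1, b"jrock")])

if __name__ == "__main__":
    for name, pkt in (("with Class", ACCEPT_WITH_CLASS),
                      ("without Class", ACCEPT_WITHOUT_CLASS)):
        found = class_values(pkt)
        print("%s: Class values = %r" % (name, found))
        if not found:
            print("  -> no Type 25 returned; DAP falls through to DfltAccessPolicy")
```

To use it on a real reply, feed the raw UDP payload of the Access-Accept (from a capture taken on the RADIUS server or the ASA's inside interface) to class_values(); if it returns an empty list, the ASA never had a Class value to match, and the fix is on the RADIUS side, not in the DAP record.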


      • #4
        Re: asa 5505 vpn and DAP policies

        Ok, I'll give it a try and I'll report what I find.



        • #5
          Re: asa 5505 vpn and DAP policies

          I'm not getting a return value for Type 25. Any suggestion?


          • #6
            Re: asa 5505 vpn and DAP policies

            I am far from an expert on this subject, but based on the fact you are NOT seeing the IETF Class 25 value returned, I would say the backend database on your FreeRadius server needs to be examined to verify each "group" has an IETF class field "properly" defined.

            Sorry, that's all I have.


            • #7
              Re: asa 5505 vpn and DAP policies

              I looked over the radius server and checked the ldap attribute file and it seems to be right unless I need to add cisco IETF Class 25 in there.

              The RADIUS server is production, so I don't want to mess around with any of the config files. Also, I felt I was really close to getting this working, but my time is running out for getting this solution set up. Therefore, instead of using RADIUS to proxy LDAP I'm going straight LDAP (Cisco ASA supports OpenLDAP), and this seems to work with DAP as intended.

              I'll continue to research this issue but not at this time.

              Scowles thanks for all your time and efforts.