Cisco ASA – Anyconnect with AD Group Authentication

This post shows you how to configure Anyconnect with AD group authentication, that is, users must be members of a specific security group in AD before they can authenticate from the Anyconnect client.

Below is the complete configuration. I will run through how it works underneath.

#### AD SECTION ####
aaa-server AD protocol ldap
aaa-server AD (inside) host
ldap-base-dn dc=google,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password $tr0ngP@$$w0rd
ldap-login-dn CN=CiscoASA,OU=Service Account,OU=UK,DC=test,DC=com
server-type microsoft
ldap-attribute-map MAP-ANYCONNECT-LOGIN

tunnel-group ANYCONNECT_TUNNEL type remote-access
tunnel-group ANYCONNECT_TUNNEL general-attributes
address-pool ANYCONNECT_POOL
authentication-server-group AD
default-group-policy NO_ACCESS
tunnel-group ANYCONNECT_TUNNEL webvpn-attributes
group-alias CORPORATE_USERS enable
group-url enable

group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
vpn-simultaneous-logins 0
group-policy ANYCONNECT_GROUP internal
group-policy ANYCONNECT_GROUP attributes
dns-server value
vpn-simultaneous-logins 500
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value
anyconnect keep-installer installed

ldap attribute-map MAP-ANYCONNECT-LOGIN
map-name memberOf Group-Policy
map-value memberOf CN=ANYCONNECT_USERS,OU=Groups,OU=UK,DC=google,DC=com ANYCONNECT_GROUP

webvpn
enable outside
anyconnect image shared:/anyconnect-win-4.4.03034-webdeploy-k9.pkg
anyconnect enable
tunnel-group-list enable

How this configuration works

When a user browses to the login page and attempts to log in and download the Anyconnect client, the tunnel-group “ANYCONNECT_TUNNEL” is invoked. The tunnel-group states that the firewall should use AD to authenticate users. The AD section binds the firewall to AD (using the CiscoASA service account) so that it can query AD to authenticate users. As part of user authentication it references an LDAP attribute map, which is where we state that the user must be a member of a specific security group.

The attribute map states that users must be members of the AD security group “ANYCONNECT_USERS”; the group's location in the domain is the DN given on the map-value line. If the user is a member of this security group, the map returns the group-policy “ANYCONNECT_GROUP”, which then sets the permissions for the Anyconnect client.

If the user is not a member of this AD security group, the process differs: when the tunnel-group calls AD, the attribute-map lookup returns nothing, so processing falls back to the tunnel-group ANYCONNECT_TUNNEL and its default-group-policy “NO_ACCESS”. That group-policy permits zero simultaneous logins, so no user can log in via this path.

The Gotchas

Things to watch out for when configuring this:

In the attribute-map section, “memberOf” has a capital O. The CLI accepts a lowercase o, but the map will then never match and nothing will work.
The vpn-simultaneous-logins command is required on both the NO_ACCESS group-policy and the ANYCONNECT_GROUP group-policy. If no number is specified in the ANYCONNECT_GROUP group-policy, the “vpn-simultaneous-logins 0” setting can be inherited, causing login failures for users who should be allowed in.
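To make the decision path and both gotchas concrete, here is an added Python model of how the ASA evaluates the attribute map and the tunnel-group default; it is an illustration written for this post, not ASA code or the author's configuration. It assumes, as the post describes, that the map-name is compared case-sensitively against the attribute name AD returns and that an unset vpn-simultaneous-logins is inherited from the default group-policy; the user records are constructed samples.

```python
# Model of the ASA's group-policy selection for this configuration (illustration only).
ANYCONNECT_USERS_DN = "CN=ANYCONNECT_USERS,OU=Groups,OU=UK,DC=google,DC=com"

# ldap attribute-map MAP-ANYCONNECT-LOGIN as a dict: map-name -> {map-value DN: group-policy}
ATTRIBUTE_MAP = {"memberOf": {ANYCONNECT_USERS_DN: "ANYCONNECT_GROUP"}}

# group-policy attributes from the post; a missing key means the command was left out
GROUP_POLICIES = {
    "NO_ACCESS": {"vpn-simultaneous-logins": 0},
    "ANYCONNECT_GROUP": {"vpn-simultaneous-logins": 500},
}
DEFAULT_GROUP_POLICY = "NO_ACCESS"  # tunnel-group default-group-policy

# Constructed sample users as AD would return them (attribute name -> list of values)
MEMBER_USER = {
    "sAMAccountName": ["jdoe"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=google,DC=com", ANYCONNECT_USERS_DN],
}
NON_MEMBER_USER = {
    "sAMAccountName": ["asmith"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=google,DC=com"],
}


def select_group_policy(ldap_attrs, attribute_map=ATTRIBUTE_MAP, default=DEFAULT_GROUP_POLICY):
    """Return the group-policy the attribute map yields, or the tunnel-group default."""
    for map_name, map_values in attribute_map.items():
        # Assumption: exact (case-sensitive) match on the attribute name, so a
        # lowercase "memberof" in the map never finds the "memberOf" values AD returns.
        for dn in ldap_attrs.get(map_name, []):
            if dn in map_values:
                return map_values[dn]
    return default


def login_allowed(ldap_attrs, policies=GROUP_POLICIES, attribute_map=ATTRIBUTE_MAP,
                  default=DEFAULT_GROUP_POLICY):
    """Return (group-policy applied, whether the login is permitted)."""
    policy = select_group_policy(ldap_attrs, attribute_map, default)
    limit = policies[policy].get("vpn-simultaneous-logins")
    if limit is None:
        # Assumption per the post's gotcha: an unset value is inherited from the default policy.
        limit = policies[default].get("vpn-simultaneous-logins", 0)
    return policy, limit > 0


if __name__ == "__main__":
    print(login_allowed(MEMBER_USER))       # ('ANYCONNECT_GROUP', True)
    print(login_allowed(NON_MEMBER_USER))   # ('NO_ACCESS', False)
```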

