https://community.cisco.com/t5/network-access-control/asa-ldap-authentication-only-for-specific-users-group/m-p/3319727#M550478 <P>Hi All,</P> <P>That problem has been mentioned couple of times but couldn't find an answer</P> <P>My config:</P> <P>&nbsp;</P> <P>aaa-server IAS_Internal_LDA protocol ldap<BR /> reactivation-mode depletion deadtime 5<BR />aaa-server IAS_Internal_LDA (inside) host 10.0.10.162<BR /> ldap-base-dn DC=xxxxxxxxxxx,DC=loc<BR /> ldap-group-base-dn CN=xxxxxxxxx,OU=xxxxxxx,DC=xxxxxxx,DC=loc<BR /> ldap-scope subtree<BR /> ldap-naming-attribute sAMAccountName<BR /> ldap-login-password *****<BR /> ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxxxxx,DC=loc<BR /> server-type microsoft<BR /> ldap-attribute-map&nbsp;BBBB</P> <P>&nbsp;</P> <P>ldap attribute-map&nbsp;BBBB<BR /> map-name memberOf IETF-Radius-Class<BR /> map-value memberOf CN=XXXX,OU=Support,DC=XXXXXX,DC=loc&nbsp;BBBB</P> <P>&nbsp;</P> <P>Problem I have got is, LDAP authenticates all users instead of authenticating only members of XXXX group</P> <P>&nbsp;</P> <P>I am not sure if I missed anything, we have got already undefined default dynamic group policy and other Radius authentications so didn't want to play with that, and not sure if it is necessary to implement DAP in this case</P> <P>&nbsp;</P> <P>Thank you for your help,</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:44:18 GMT szczyrk80 2020-02-21T18:44:18Z https://community.cisco.com/t5/network-access-control/asa-ldap-authentication-only-for-specific-users-group/m-p/3319727#M550478 <P>Hi All,</P> <P>That problem has been mentioned couple of times but couldn't find an answer</P> <P>My config:</P> <P>&nbsp;</P> <P>aaa-server IAS_Internal_LDA protocol ldap<BR /> reactivation-mode depletion deadtime 5<BR />aaa-server IAS_Internal_LDA (inside) host 10.0.10.162<BR /> ldap-base-dn DC=xxxxxxxxxxx,DC=loc<BR /> ldap-group-base-dn CN=xxxxxxxxx,OU=xxxxxxx,DC=xxxxxxx,DC=loc<BR /> ldap-scope subtree<BR /> ldap-naming-attribute sAMAccountName<BR /> ldap-login-password *****<BR /> ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxxxxx,DC=loc<BR /> server-type microsoft<BR /> ldap-attribute-map&nbsp;BBBB</P> <P>&nbsp;</P> <P>ldap attribute-map&nbsp;BBBB<BR /> map-name memberOf IETF-Radius-Class<BR /> map-value memberOf CN=XXXX,OU=Support,DC=XXXXXX,DC=loc&nbsp;BBBB</P> <P>&nbsp;</P> <P>Problem I have got is, LDAP authenticates all users instead of authenticating only members of XXXX group</P> <P>&nbsp;</P> <P>I am not sure if I missed anything, we have got already undefined default dynamic group policy and other Radius authentications so didn't want to play with that, and not sure if it is necessary to implement DAP in this case</P> <P>&nbsp;</P> <P>Thank you for your help,</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:44:18 GMT https://community.cisco.com/t5/network-access-control/asa-ldap-authentication-only-for-specific-users-group/m-p/3319727#M550478 szczyrk80 2020-02-21T18:44:18Z https://community.cisco.com/t5/network-access-control/asa-ldap-authentication-only-for-specific-users-group/m-p/3319966#M550480 <P>Hi,</P> <P>&nbsp;</P> <P>You could implement DAP, but you didn't post your tunnel-group configuration. <BR />The thing is (someone correct me if I'm wrong) that the ldap attribute map would simply apply to your session a group-policy (configured locally on the ASA) that has the name of the LDAP group you're in.</P> <P>But, it you don't have any group-policy with that name, it will apply your default (whatever that is in your case) configured under the tunnel-group you're landing on. So I imagine your default group-policy would allow you to connect.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Octavian</P> Fri, 26 Jan 2018 20:50:25 GMT https://community.cisco.com/t5/network-access-control/asa-ldap-authentication-only-for-specific-users-group/m-p/3319966#M550480 Octavian Szolga 2018-01-26T20:50:25Z