topic Hello anersantana,I've done in Network Security https://community.cisco.com/t5/network-security/ldap-atribute-map/m-p/2518234#M237855 <P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Hello anersantana,</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">I've done this many times. Please use the below listed configuration and let me know how it goes.</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Configuration for restricting access to a particular windows group on AD</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">group-policy noaccess internal<BR />group-policy noaccess attributes<BR />&nbsp;vpn-simultaneous-logins 0<BR />&nbsp;address-pools none</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">&nbsp;ldap attribute-map LDAP-MAP<BR />&nbsp; map-name &nbsp;memberOf IETF-Radius-Class<BR />&nbsp; map-value memberOf &lt;DN of the VPN group&gt; &lt;Group Policy Name&gt;</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">aaa-server LDAP-AD protocol ldap<BR />aaa-server LDAP-AD host &lt;IP-of-Windows-AD&gt;<BR />&nbsp;server-port 389<BR />&nbsp;ldap-base-dn &lt;AD base DN&gt;<BR />&nbsp;ldap-scope subtree<BR />&nbsp;ldap-naming-attribute sAMAccountName<BR />&nbsp;ldap-login-dn &lt;login user DN&gt;<BR />&nbsp;ldap-login-password &lt;password for login user DN&gt;<BR />&nbsp;server-type microsoft<BR />&nbsp;ldap-attribute-map LDAP-MAP</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">group-policy &lt;Group Policy Name&gt; internal<BR />group-policy &lt;Group Policy Name&gt; attributes<BR />&nbsp;vpn-simultaneous-logins 3<BR />&nbsp;vpn-tunnel-protocol IPSec l2tp-ipsec ...<BR />&nbsp;address-pools value &lt;Address Pool Name&gt;<BR />&nbsp;.....<BR />&nbsp;.....</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">tunnel-group &lt;Tunnel group name&gt; type remote-access<BR />tunnel-group &lt;Tunnel group name&gt; general-attributes<BR />&nbsp;authentication-server-group LDAP-AD<BR />&nbsp;default-group-policy noaccess</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Regards,</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Jatin Katyal</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">** Do rate helpful posts **</SPAN></SPAN></P> Sat, 07 Jun 2014 22:25:42 GMT Jatin Katyal 2014-06-07T22:25:42Z ldap atribute map https://community.cisco.com/t5/network-security/ldap-atribute-map/m-p/2518233#M237853 <P>I ve read so far like 100 different Discussion, about how to restring vpn users &nbsp;authentication to some active directory. If not part of the Active Directory Group call "vpn-group", cant connect.</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;I cannot find any guide that allow me to log users only if is on group. Some article say I have to use&nbsp;<SPAN style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: normal;">IETF-Radius-Class, other Group_Policy, on Ldap attribute map.<SPAN style="font-size:14px;">&nbsp;Actually Im confuse cuz some articles like this:&nbsp;</SPAN></SPAN><A href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html&nbsp;" target="_blank">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html&nbsp;</A> but on other article say use Group_policy instead. I wish someone give me someone who has really done this. Give me some pdf guide or something alike.&nbsp;</P><P>: ( I have one week try to do this and just does not work. It like is not seen atributte map, Cuz all users are been authenticated. I have asa version 9.1.2.</P><P>&nbsp;</P><P>&nbsp;</P><P>Need help!!!!!!!!!</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:17:33 GMT https://community.cisco.com/t5/network-security/ldap-atribute-map/m-p/2518233#M237853 anersantana 2019-03-12T04:17:33Z Hello anersantana,I've done https://community.cisco.com/t5/network-security/ldap-atribute-map/m-p/2518234#M237855 <P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Hello anersantana,</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">I've done this many times. Please use the below listed configuration and let me know how it goes.</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Configuration for restricting access to a particular windows group on AD</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">group-policy noaccess internal<BR />group-policy noaccess attributes<BR />&nbsp;vpn-simultaneous-logins 0<BR />&nbsp;address-pools none</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">&nbsp;ldap attribute-map LDAP-MAP<BR />&nbsp; map-name &nbsp;memberOf IETF-Radius-Class<BR />&nbsp; map-value memberOf &lt;DN of the VPN group&gt; &lt;Group Policy Name&gt;</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">aaa-server LDAP-AD protocol ldap<BR />aaa-server LDAP-AD host &lt;IP-of-Windows-AD&gt;<BR />&nbsp;server-port 389<BR />&nbsp;ldap-base-dn &lt;AD base DN&gt;<BR />&nbsp;ldap-scope subtree<BR />&nbsp;ldap-naming-attribute sAMAccountName<BR />&nbsp;ldap-login-dn &lt;login user DN&gt;<BR />&nbsp;ldap-login-password &lt;password for login user DN&gt;<BR />&nbsp;server-type microsoft<BR />&nbsp;ldap-attribute-map LDAP-MAP</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">group-policy &lt;Group Policy Name&gt; internal<BR />group-policy &lt;Group Policy Name&gt; attributes<BR />&nbsp;vpn-simultaneous-logins 3<BR />&nbsp;vpn-tunnel-protocol IPSec l2tp-ipsec ...<BR />&nbsp;address-pools value &lt;Address Pool Name&gt;<BR />&nbsp;.....<BR />&nbsp;.....</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">tunnel-group &lt;Tunnel group name&gt; type remote-access<BR />tunnel-group &lt;Tunnel group name&gt; general-attributes<BR />&nbsp;authentication-server-group LDAP-AD<BR />&nbsp;default-group-policy noaccess</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Regards,</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Jatin Katyal</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family:verdana,geneva,sans-serif;">** Do rate helpful posts **</SPAN></SPAN></P> Sat, 07 Jun 2014 22:25:42 GMT https://community.cisco.com/t5/network-security/ldap-atribute-map/m-p/2518234#M237855 Jatin Katyal 2014-06-07T22:25:42Z