ASA LDAP authentication only for specific Users Group

szczyrk80
Level 1

Hi All,

That problem has been mentioned a couple of times, but I couldn't find an answer.

My config:

aaa-server IAS_Internal_LDA protocol ldap
 reactivation-mode depletion deadtime 5
aaa-server IAS_Internal_LDA (inside) host 10.0.10.162
 ldap-base-dn DC=xxxxxxxxxxx,DC=loc
 ldap-group-base-dn CN=xxxxxxxxx,OU=xxxxxxx,DC=xxxxxxx,DC=loc
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=xxxxxxxxx,DC=loc
 server-type microsoft
 ldap-attribute-map BBBB

ldap attribute-map BBBB
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=XXXX,OU=Support,DC=XXXXXX,DC=loc BBBB

The problem I have got is that LDAP authenticates all users instead of authenticating only members of the XXXX group.

I am not sure if I missed anything. We already have an undefined default dynamic group policy and other RADIUS authentications, so I didn't want to play with that, and I am not sure if it is necessary to implement DAP in this case.

Thank you for your help,

1 Reply

Octavian Szolga
Level 4

Hi,


You could implement DAP, but you didn't post your tunnel-group configuration.
The thing is (someone correct me if I'm wrong) that the ldap attribute map would simply apply to your session a group-policy (configured locally on the ASA) that has the name of the LDAP group you're in.

But, if you don't have any group-policy with that name, it will apply your default (whatever that is in your case) configured under the tunnel-group you're landing on. So I imagine your default group-policy would allow you to connect.


Thanks,

Octavian
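The following ASA configuration is an added example illustrating the mechanism described in the reply above; it is not part of the original post or the reply. It keeps the poster's server tag IAS_Internal_LDA and attribute map BBBB, but the group-policy name NOACCESS and the tunnel-group name TUNNEL_GROUP_NAME are assumptions standing in for values the thread does not show. The idea is the one the reply points at: because the attribute map only selects a group-policy by name, the default group-policy on the tunnel-group is what every authenticated user who is not in the mapped LDAP group receives, so that default is what has to deny access.

```cisco
! Added example (not from the original post). Assumed names: NOACCESS, TUNNEL_GROUP_NAME.
!
! 1. A deny group-policy: users land here when no LDAP group mapping matches.
!    vpn-simultaneous-logins 0 rejects the session even though the LDAP bind succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 2. The permitted group-policy must exist locally under exactly the name
!    that the attribute map produces (BBBB in the poster's map-value line).
group-policy BBBB internal
group-policy BBBB attributes
 vpn-simultaneous-logins 3
!
! 3. The attribute map from the thread, unchanged: memberOf is translated to the
!    group-policy attribute (IETF-Radius-Class, as in the post) only for members
!    of the mapped DN. memberOf lists direct membership only; nested groups do not match.
ldap attribute-map BBBB
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=XXXX,OU=Support,DC=XXXXXX,DC=loc BBBB
!
! 4. The tunnel-group ties it together: authenticate against the LDAP server and
!    make the deny policy the default, so only mapped users get BBBB.
tunnel-group TUNNEL_GROUP_NAME type remote-access
tunnel-group TUNNEL_GROUP_NAME general-attributes
 authentication-server-group IAS_Internal_LDA
 default-group-policy NOACCESS
```

To check which policy a user actually receives, run `debug ldap 255` and then `test aaa-server authentication IAS_Internal_LDA host 10.0.10.162 username <user> password <password>`: the debug output shows the memberOf values returned by the directory and whether the attribute map matched one of them. For a live session, `show vpn-sessiondb anyconnect` lists the group-policy that was applied. The caveat is that the deny happens after authentication, so a failed login attempt from a non-member still appears as a successful LDAP bind in the directory's logs; only the ASA logs record the rejection.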