2383 Views | 5 Helpful | 2 Replies

ASA5510 VPN authenticate AD group members

AlexSzigetvary
Level 1

Hi Forum,

is there a way to configure an AAA server for Active Directory so that just users that are a member of one certain Active Directory security group get authenticated?

I don't really know what attributes to map or if this is even possible.

I found this article, which I might use alternatively, but my preference would be to do it using the group membership.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

TIA

Alex

2 Replies

andamani
Cisco Employee

Hi Alex,

I guess you can define an LDAP aaa-server. Keep the base DN of the group from where you want the search to happen, i.e. the group of which the users should authenticate. And keep the ldap-scope as subtree only.

There is no need to define an ldap attribute-map.

I think this should work.

Regards,

Anisha

P.S.: please mark this thread as resolved if you think your query is answered.

Jatin Katyal
Cisco Employee

Alex,

This is a bit tricky; you must have an LDAP attribute-map along with a dummy group-policy (noaccess).


Configuration for restricting access to a particular windows group on AD

group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none

ldap attribute-map LDAP-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf

aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 server-port 389
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map LDAP-MAP

group-policy internal
group-policy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value

.....
.....

tunnel-group type remote-access
tunnel-group general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess



This should work for sure. In case you see any unexpected results, get the below listed debugs.


debug ldap 255


Regards,

Jatin

Do rate helpful posts.

~Jatin
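The configuration in the reply above relies on two pieces working together: the ldap attribute-map turns a matching memberOf value into a group-policy name, and the tunnel-group's default-group-policy (noaccess, with vpn-simultaneous-logins 0) catches everyone whose memberOf does not match. The following Python script is an added illustration of that decision logic, written for this thread; it is not Cisco code and does not talk to an ASA or a directory. The directory entries, the group DN CN=VPN-Users,OU=Groups,DC=example,DC=local and the policy name VPN-Users are constructed sample values, and the lookup function stands in for the LDAP search that the aaa-server performs with ldap-naming-attribute sAMAccountName.

```python
"""Model of how an ASA ldap attribute-map selects a group-policy from memberOf.

Added illustration for the thread above, not Cisco code.  Directory contents,
group DNs and the policy name "VPN-Users" are constructed sample values.
"""

from typing import Dict, List, Optional

# Constructed sample directory: sAMAccountName -> memberOf values returned by AD.
# memberOf is multi-valued, and LDAP DNs compare case-insensitively.
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["CN=VPN-Users,OU=Groups,DC=example,DC=local",
              "CN=Domain Users,CN=Users,DC=example,DC=local"],
    "bob":   ["CN=Domain Users,CN=Users,DC=example,DC=local"],
    "carol": ["cn=vpn-users, ou=groups, dc=example, dc=local"],  # same group, other case/spacing
    "dave":  [],                                                 # account with no memberOf at all
}

# Model of:  ldap attribute-map LDAP-MAP
#              map-name  memberOf IETF-Radius-Class
#              map-value memberOf <group DN> <group-policy>
# The DN and policy name here are assumptions for the example.
ATTRIBUTE_MAP: Dict[str, str] = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=local": "VPN-Users",
}

# Model of the two group-policies from the reply: the tunnel-group's
# default-group-policy (noaccess) permits zero logins; the mapped one permits three.
GROUP_POLICIES: Dict[str, Dict[str, int]] = {
    "noaccess": {"vpn-simultaneous-logins": 0},
    "VPN-Users": {"vpn-simultaneous-logins": 3},
}
DEFAULT_GROUP_POLICY = "noaccess"


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: attribute values in LDAP DNs are
    case-insensitive for AD and whitespace around the separating commas is
    insignificant, so a naive string compare would wrongly reject carol."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup_member_of(username: str) -> Optional[List[str]]:
    """Stand-in for the LDAP search keyed on sAMAccountName.
    Returns None when no such account exists (authentication fails outright)."""
    return DIRECTORY.get(username)


def select_group_policy(member_of: List[str]) -> str:
    """Apply the attribute map: a memberOf value that equals a map-value DN
    selects that entry's group-policy; with no match the tunnel-group's
    default-group-policy applies.  Ordering among several matching groups is
    not modelled here."""
    normalized_map = {normalize_dn(dn): policy for dn, policy in ATTRIBUTE_MAP.items()}
    for dn in member_of:
        policy = normalized_map.get(normalize_dn(dn))
        if policy is not None:
            return policy
    return DEFAULT_GROUP_POLICY


def authorize(username: str) -> dict:
    """Outcome for a user: whether the account was found, which group-policy
    was assigned and whether a VPN session is actually permitted.  Note that a
    non-member still authenticates successfully; it is the noaccess policy's
    vpn-simultaneous-logins 0 that denies the session."""
    member_of = lookup_member_of(username)
    if member_of is None:
        return {"user": username, "authenticated": False,
                "group_policy": None, "allowed": False}
    policy = select_group_policy(member_of)
    allowed = GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
    return {"user": username, "authenticated": True,
            "group_policy": policy, "allowed": allowed}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        print(authorize(user))
```

Running the script shows the property the reply's design depends on: bob and dave both authenticate against the directory but land in noaccess and are refused a session, while alice and carol are mapped to the VPN-Users policy. The case-insensitive DN comparison is the part worth checking against the real ASA with "debug ldap 255", since the map-value DN must match what the domain controller actually returns in memberOf.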