
Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

charlesriley
Level 1

I am having the hardest time getting a definitive answer to this; basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate users and assign them a group policy based on certain AD group memberships.

The problem I think I have is that, due to how our AD forest is structured, I have spaces in the DN string, as shown below. I have tried enclosing the entire string in quotes, etc. Nothing seems to work. Basically, the string is not matched, and the users are assigned a non-matching default policy. Cisco TAC thinks it is due to the spaces (highlighted), but I am not so sure.


Can someone please advise?

CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL


5 Replies

Jatin Katyal
Cisco Employee

Yeah, it does work! All you need is to have the DN with spaces in quotes, like this:

ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL" <Group Policy Name>

This makes the ASA treat the DN as a single entity, so it will not be truncated when it reads the spaces.

If you want to verify this, run debug ldap 255 and look at the output.


Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
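The quoting behaviour described in the reply above, modelled in Python as an added example (this is not Cisco's code and not from the thread): a whitespace-delimited CLI parser that honours double quotes, applied to the map-value line with the DN from the question. The group-policy name GP-SPLIT-TUNNEL, the default-policy name, the second AD group membership, and the exact-string comparison are all assumptions made for the example; the lint at the end is a heuristic for spotting a DN that was split because it was not quoted.

```python
# Added example (not Cisco's code and not from the thread): a model of how a
# whitespace-delimited CLI parser with double-quote support handles an ASA
# "ldap attribute-map" map-value line, and why an unquoted DN containing
# spaces never matches the memberOf value that AD returns. GP-SPLIT-TUNNEL,
# the default policy name and the second AD group are constructed; exact
# string comparison is an assumption of this model.
import shlex

DEFAULT_GROUP_POLICY = "DfltGrpPolicy"  # hypothetical fallback policy name

# The DN from the question, plus a constructed second group membership.
AD_MEMBER_OF = [
    "CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL",
    "CN=Domain Users,CN=Users,DC=DOM1,DC=US,DC=LOCAL",
]

DN = AD_MEMBER_OF[0]

QUOTED_CONFIG = [
    "ldap attribute-map LDAP-MAP",
    "  map-name  memberOf IETF-Radius-Class",
    f'  map-value memberOf "{DN}" GP-SPLIT-TUNNEL',
]

UNQUOTED_CONFIG = [
    "ldap attribute-map LDAP-MAP",
    "  map-name  memberOf IETF-Radius-Class",
    f"  map-value memberOf {DN} GP-SPLIT-TUNNEL",
]


def parse_map_value_line(line):
    """Split one 'map-value memberOf <ldap-value> <group-policy>' line on
    whitespace, honouring double quotes (shlex in POSIX mode). Returns
    (ldap_value, group_policy). An unquoted DN is cut at its first space,
    and the leftover pieces land in the group-policy position."""
    tokens = shlex.split(line.strip(), posix=True)
    if len(tokens) < 4 or tokens[0] != "map-value" or tokens[1] != "memberOf":
        raise ValueError(f"unexpected map-value line: {line!r}")
    return tokens[2], " ".join(tokens[3:])


def build_attribute_map(config_lines):
    """Collect {memberOf value: group policy} from the map-value lines."""
    mapping = {}
    for line in config_lines:
        if line.strip().startswith("map-value memberOf"):
            ldap_value, policy = parse_map_value_line(line)
            mapping[ldap_value] = policy
    return mapping


def assign_group_policy(member_of_values, attribute_map, default=DEFAULT_GROUP_POLICY):
    """Return the policy for the first memberOf value with an exact match in
    the map, else the default. Any truncation of the configured value means
    no match, which is the 'non-matching default policy' symptom."""
    for dn in member_of_values:
        if dn in attribute_map:
            return attribute_map[dn]
    return default


def lint_attribute_map(config_lines):
    """Heuristic check for map-value lines whose DN was probably split:
    a parsed group-policy name containing spaces, commas or '=' is a
    strong sign that the LDAP value was not quoted."""
    findings = []
    for line in config_lines:
        if not line.strip().startswith("map-value memberOf"):
            continue
        ldap_value, policy = parse_map_value_line(line)
        if any(ch in policy for ch in " ,="):
            findings.append(
                f"LDAP value truncated to {ldap_value!r}; quote the DN: {line.strip()!r}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED_CONFIG), ("unquoted", UNQUOTED_CONFIG)):
        policy = assign_group_policy(AD_MEMBER_OF, build_attribute_map(cfg))
        print(f"{label:8s} -> {policy}")
        for finding in lint_attribute_map(cfg):
            print("   ", finding)
```

Running it shows the quoted configuration assigning GP-SPLIT-TUNNEL and the unquoted one falling through to the default policy, with the lint reporting that the LDAP value was truncated to "CN=VPN_SSL_SPLIT,OU=Grps". The same lint idea applies to a saved "show run ldap" output: any map-value line whose trailing policy token looks like a DN fragment is worth a second look before opening a debug session.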

I have tried it with the quotes as suggested and it still does not work. I wonder if I have something else wrong, though I have checked and rechecked the DN strings and configuration repeatedly.


We can troubleshoot this issue. Please provide me with the following outputs:

show run aaa-server

show run ldap

Turn on "debug ldap 255" and reproduce the issue. Paste the output here.


Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

I am having the same problem. I have a Windows 2003 server using RADIUS, but when using LDAP it doesn't work. I get the error: Authentication Server not responding: AAA server has been removed

Please provide the same information:

show run aaa-server

show run ldap

Turn on "debug ldap 255" and reproduce the issue. Paste the output here.


Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin