Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3613
Views
20
Helpful
7
Replies

LDAP Authentication Issues

Go to solution
Alexander Deems
Level 1
Level 1

‎05-01-2013 08:27 AM - edited ‎03-10-2019 08:22 PM

Hello,

I am able to get LDAP Authentication working for the VPN, but when I go to test a user that is not defined in the VPN group within AD, they are still able to authenticate and are granted access to the VPN. I am at a loss as to what the actual issue is because everything appears to be defined properly.

I have attached the ldap debug logs for a user that is working properly and a user that is not working properly. My understanding is that they should only be able to authenticate against this one group JOB_ADMINS_VPN and if they are not in this group then they should be denied VPN login rights.

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

aaa-server JOB_ADMINS protocol ldap

aaa-server JOB_ADMINS (Prod) host 10.5.1.11

ldap-base-dn DC=test,DC=net

ldap-group-base-dn OU=VPN,DC=test,DC=net

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net

server-type microsoft

ldap-attribute-map JOB_ADMIN_MAP

I am sure I am missing something small, but I am not sure what I am missing. Any help with this issue will be grately apperciated.

Thank you!

Labels:
15359479-LDAP_VPN_2.txt.zip
15359480-LDAP_VPN_1.txt.zip
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-01-2013 08:37 AM

Please review the below listed config and see what you are missing else share  "sh run" from the ASA.

Configuration for restricting access to a particular windows group on AD

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

ldap attribute-map LDAP-MAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

.....

.....

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

!

!

group-policy noaccess attributes

vpn-simultaneous-logins 0

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Alexander Deems

‎05-01-2013 09:50 AM

Here is what you need:

Under ldap attribute map you have group-policy name incorrectly configured. It should be JOB_ADMINS_GRP

-------------------------------------------------

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

--------------------------------------------------

In the noaccess group policy simultaneous sessions should be set to 0

-------------------------------------------

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 0

In the tunnel-group set the default-group-policy as  noaccess because legimitate users should get the right group through ldap attribute map.

------------------------------------------------------------------

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy noaccess

In case it doesn't work....run the debug ldap 255 and send the debugs and new ldap config again.

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Alexander Deems

‎05-01-2013 02:21 PM

Looking at the debugs, I don't see user getting the right group-policy.

The authentication will be successfull but the group retrieval noaccess will do the trick as we have simultaneous session set to 0.

[41476] memberOf: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] memberOf: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] uSNChanged: value = 5332833

One more change and you will be good to go.

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS_GRP

In the above config replace 

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS_GRP

with 

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net JOB_ADMINS_GRP

NOTE: The d in dc=net is in smaller case. However your ldap says it should be in upper case.

Jatin Katyal


- Do rate helpful posts -

JOB_ADMINS_GRP
~Jatin

View solution in original post

7 Replies 7

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-01-2013 08:37 AM

Please review the below listed config and see what you are missing else share  "sh run" from the ASA.

Configuration for restricting access to a particular windows group on AD

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

ldap attribute-map LDAP-MAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

.....

.....

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

!

!

group-policy noaccess attributes

vpn-simultaneous-logins 0

Jatin Katyal


- Do rate helpful posts -

~Jatin

Go to solution
Alexander Deems
Level 1
Level 1
In response to Jatin Katyal

‎05-01-2013 09:34 AM

Jatin,

I have setup the noaccess policy and made it the default policy under the tunnel-group but both users are still able to authenticate against the LDAP server. I have posted the relevate configurations that I have for the LDAP configuration.

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.5.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.7.12.0 255.255.254.0

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.64 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.0 255.255.255.224

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.10.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.40.4.0 255.255.255.240

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.11.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.14.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.2.0 255.255.254.0

ip local pool server-mgmt_Admins2 10.5.22.2-10.5.22.254 mask 255.255.255.0

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

dynamic-access-policy-record DfltAccessPolicy

aaa-server JOB_ADMINS protocol ldap

aaa-server JOB_ADMINS (Prod) host 10.5.1.11

ldap-base-dn DC=test,DC=net

ldap-group-base-dn OU=VPN,DC=test,DC=net

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net

server-type microsoft

ldap-attribute-map JOB_ADMIN_MAP

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

group-policy JOB_ADMINS_GRP internal

group-policy JOB_ADMINS_GRP attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol ikev1

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value JOB_ADMINS_splitTunnelAcl

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy JOB_ADMINS_GRP

tunnel-group JOB_ADMINS ipsec-attributes

ikev1 pre-shared-key *****

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Alexander Deems

‎05-01-2013 09:50 AM

Here is what you need:

Under ldap attribute map you have group-policy name incorrectly configured. It should be JOB_ADMINS_GRP

-------------------------------------------------

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS

--------------------------------------------------

In the noaccess group policy simultaneous sessions should be set to 0

-------------------------------------------

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 0

In the tunnel-group set the default-group-policy as  noaccess because legimitate users should get the right group through ldap attribute map.

------------------------------------------------------------------

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy noaccess

In case it doesn't work....run the debug ldap 255 and send the debugs and new ldap config again.

Jatin Katyal


- Do rate helpful posts -

~Jatin
0 Helpful

Go to solution
Alexander Deems
Level 1
Level 1
In response to Jatin Katyal

‎05-01-2013 01:40 PM

Jatin,

I have made the changes that you have mentioned, but now  I am not able to authenticate with either account but they are showing  both as successful when looking at the debug logs of ldap. If I look at  the logs after beign authenticated they are both being applied to the  noaccess policy.

Config:

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.5.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.7.12.0 255.255.254.0

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.64 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.6.1.0 255.255.255.224

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.10.0 255.255.255.192

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.40.4.0 255.255.255.240

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.11.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.1.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 204.90.21.0 255.255.255.0

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.128 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.14.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.4.0 255.255.255.128

access-list JOB_ADMINS_splitTunnelAcl standard permit 10.5.2.0 255.255.254.0

ip local pool server-mgmt_Admins2 10.5.22.2-10.5.22.254 mask 255.255.255.0

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS_GRP

dynamic-access-policy-record DfltAccessPolicy

aaa-server JOB_ADMINS protocol ldap

aaa-server JOB_ADMINS (Prod) host 10.5.1.11

ldap-base-dn DC=test,DC=net

ldap-group-base-dn OU=VPN,DC=test,DC=net

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=saVPNLDAP,CN=Users,DC=test,DC=net

server-type microsoft

ldap-attribute-map JOB_ADMIN_MAP

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 0

address-pools none

group-policy JOB_ADMINS_GRP internal

group-policy JOB_ADMINS_GRP attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol ikev1

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value JOB_ADMINS_splitTunnelAcl

tunnel-group JOB_ADMINS type remote-access

tunnel-group JOB_ADMINS general-attributes

address-pool server-mgmt_Admins2

authentication-server-group JOB_ADMINS

default-group-policy noaccess

tunnel-group JOB_ADMINS ipsec-attributes

ikev1 pre-shared-key *****

!

debug ldap 22 55

debug ldap  enabled at level 255

User that should have access:

3|May  01 2013|20:12:02|713167|||||Group = JOB_ADMINS, Username = testuser1,  IP = 99.3.21.69, Remote peer has failed user authentication -  check  configured username and password

6|May 01 2013|20:12:02|713905|||||Group = JOB_ADMINS,  Username = testuser1, IP = 99.3.21.69, Login authentication failed due  to max simultaneous-login restriction.

6|May 01 2013|20:12:02|113013|||||AAA unable to complete the  request Error : reason = Simultaneous logins exceeded for user : user =  testuser1

6|May 01 2013|20:12:02|113009|||||AAA retrieved default group policy (noaccess) for user = testuser1

6|May 01 2013|20:12:02|113004|||||AAA user authentication Successful : server =  10.5.1.11 : user = testuser1

[41476] Session Start

[41476] New request Session, context 0x756ea2c4, reqType = Authentication

[41476] Fiber started

[41476] Creating LDAP context with uri=ldap://10.5.1.11:389

[41476] Connect to LDAP server: ldap://10.5.1.11:389, status = Successful

[41476] supportedLDAPVersion: value = 3

[41476] supportedLDAPVersion: value = 2

[41476] Binding as saVPNLDAP

[41476] Performing Simple authentication for saVPNLDAP to 10.5.1.11

[41476] LDAP Search:

Base DN = [DC=test,DC=net]

Filter  = [sAMAccountName=testuser1]

Scope   = [SUBTREE]

[41476] User DN = [CN=test user1,CN=Users,DC=test,DC=net]

[41476] Talking to Active Directory server 10.5.1.11

[41476] Reading password policy for testuser1, dn:CN=test user1,CN=Users,DC=test,DC=net

[41476] Read bad password count 0

[41476] Binding as testuser1

[41476] Performing Simple authentication for testuser1 to 10.5.1.11

[41476] Processing LDAP response for user testuser1

[41476] Message (testuser1):

[41476] Authentication successful for testuser1 to 10.5.1.11

[41476] Retrieved User Attributes:

[41476] objectClass: value = top

[41476] objectClass: value = person

[41476] objectClass: value = organizationalPerson

[41476] objectClass: value = user

[41476] cn: value = test user1

[41476] sn: value = user1

[41476] givenName: value = test

[41476] distinguishedName: value = CN=test user1,CN=Users,DC=test,DC=net

[41476] instanceType: value = 4

[41476] whenCreated: value = 20120806180638.0Z

[41476] whenChanged: value = 20130423133440.0Z

[41476] displayName: value = test user1

[41476] uSNCreated: value = 801795

[41476] memberOf: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] memberOf: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] uSNChanged: value = 5332833

[41476] name: value = test user1

[41476] objectGUID: value = ^=.R ..G..l.v...

[41476] userAccountControl: value = 4260352

[41476] badPwdCount: value = 0

[41476] codePage: value = 0

[41476] countryCode: value = 0

[41476] badPasswordTime: value = 130118986766771866

[41476] lastLogoff: value = 0

[41476] lastLogon: value = 130118986798595922

[41476] pwdLastSet: value = 130102536223967367

[41476] primaryGroupID: value = 513

[41476] objectSid: value = ............WM...~..$9......

[41476] adminCount: value = 1

[41476] accountExpires: value = 9223372036854775807

[41476] logonCount: value = 123

[41476] sAMAccountName: value = testuser1

[41476] sAMAccountType: value = 805306368

[41476] userPrincipalName: value = testuser1@test.net

[41476] lockoutTime: value = 0

[41476] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=net

[41476] dSCorePropagationData: value = 20120806185439.0Z

[41476] dSCorePropagationData: value = 16010101000000.0Z

[41476] lastLogonTimestamp: value = 130111976655441174

[41476] msDS-SupportedEncryptionTypes: value = 0

[41476] Fiber exit Tx=593 bytes Rx=2990 bytes, status=1

[41476] Session End

User that should not have access:

6|May  01 2013|20:28:58|713905|||||Group = JOB_ADMINS, Username =testuser2 ,  IP = 99.3.21.69, Login authentication failed due to max   simultaneous-login restriction.

6|May 01 2013|20:28:58|113013|||||AAA unable to complete the   request Error : reason = Simultaneous logins exceeded for user : user =  testuser2

6|May 01 2013|20:28:58|113009|||||AAA retrieved default group policy (noaccess) for user = testuser2

6|May 01 2013|20:28:58|113004|||||AAA user authentication Successful : server =  10.5.1.11 : user = testuser2

[41478] Session Start

[41478] New request Session, context 0x756ea2c4, reqType = Authentication

[41478] Fiber started

[41478] Creating LDAP context with uri=ldap://10.5.1.11:389

[41478] Connect to LDAP server: ldap://10.5.1.11:389, status = Successful

[41478] supportedLDAPVersion: value = 3

[41478] supportedLDAPVersion: value = 2

[41478] Binding as saVPNLDAP

[41478] Performing Simple authentication for saVPNLDAP to 10.5.1.11

[41478] LDAP Search:

Base DN = [DC=test,DC=net]

Filter  = [sAMAccountName=testuser2]

Scope   = [SUBTREE]

[41478] User DN = [CN=test user2,CN=Users,DC=test,DC=net]

[41478] Talking to Active Directory server 10.5.1.11

[41478] Reading password policy for testuser2, dn:CN=test user2,CN=Users,DC=test,DC=net

[41478] Read bad password count 0

[41478] Binding as testuser2

[41478] Performing Simple authentication for testuser2 to 10.5.1.11

[41478] Processing LDAP response for user testuser2

[41478] Message (testuser2):

[41478] Authentication successful for testuser2 to 10.5.1.11

[41478] Retrieved User Attributes:

[41478] objectClass: value = top

[41478] objectClass: value = person

[41478] objectClass: value = organizationalPerson

[41478] objectClass: value = user

[41478] cn: value = test user2

[41478] sn: value = user2

[41478] givenName: value = test

[41478] distinguishedName: value = CN=test user2,CN=Users,DC=test,DC=net

[41478] instanceType: value = 4

[41478] whenCreated: value = 20130430211013.0Z

[41478] whenChanged: value = 20130430211855.0Z

[41478] displayName: value = test user2

[41478] uSNCreated: value = 5521902

[41478] uSNChanged: value = 5522087

[41478] name: value = test user2

[41478] objectGUID: value = .$....CI._M..!..

[41478] userAccountControl: value = 512

[41478] badPwdCount: value = 0

[41478] codePage: value = 0

[41478] countryCode: value = 0

[41478] badPasswordTime: value = 130118938289218719

[41478] lastLogoff: value = 0

[41478] lastLogon: value = 130118938313398762

[41478] pwdLastSet: value = 130118301831344840

[41478] primaryGroupID: value = 513

[41478] objectSid: value = ............WM...~..$9..C...

[41478] accountExpires: value = 9223372036854775807

[41478] logonCount: value = 0

[41478] sAMAccountName: value = testuser2

[41478] sAMAccountType: value = 805306368

[41478] userPrincipalName: value = testuser2@test.net

[41478] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=net

[41478] dSCorePropagationData: value = 20130430211855.0Z

[41478] dSCorePropagationData: value = 16010101000000.0Z

[41478] lastLogonTimestamp: value = 130118303181995212

[41478] Fiber exit Tx=599 bytes Rx=2769 bytes, status=1

[41478] Session End

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Alexander Deems

‎05-01-2013 02:21 PM

Looking at the debugs, I don't see user getting the right group-policy.

The authentication will be successfull but the group retrieval noaccess will do the trick as we have simultaneous session set to 0.

[41476] memberOf: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net

[41476] memberOf: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=test,DC=net

[41476] uSNChanged: value = 5332833

One more change and you will be good to go.

ldap attribute-map JOB_ADMIN_MAP

  map-name  memberOf Group-Policy

  map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS_GRP

In the above config replace 

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,dc=net JOB_ADMINS_GRP

with 

map-value memberOf CN=JOB_ADMINS_VPN,OU=VPN,DC=test,DC=net JOB_ADMINS_GRP

NOTE: The d in dc=net is in smaller case. However your ldap says it should be in upper case.

Jatin Katyal


- Do rate helpful posts -

JOB_ADMINS_GRP
~Jatin

Go to solution
Alexander Deems
Level 1
Level 1
In response to Jatin Katyal

‎05-02-2013 06:46 AM

Jatin,

Awesome! Thank you for your help on this issue and after a few changes it is working perfectly.

Thank you,

Alex

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Alexander Deems

‎05-02-2013 07:54 AM

Amazing!!!

Just wanted to know let you know that I have added a PPT  setting up LDAP on ASA

Here is a link for your refrence. It may help you further while working on this issue.

https://supportforums.cisco.com/docs/DOC-32670

Jatin Katyal


- Do rate helpful posts -

~Jatin
Customers Also Viewed These Support Documents