cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

24043
Views
55
Helpful
19
Replies
guzman.barrio
Beginner

LDAP on ASA with attribute-map

Hi all,

I'm having problems configuring VPN clients authentication against an LDAP server.  The main problem is when the ASA has to decide a group-policy for the non-compliance users.

I use LDAP attribute-maps in the ASA to map the memberOf parameter to the Cisco Group-policy attribute, then I associate memberOf with the AD group that the user must belong to has VPN access and the rigth group-policy.  This works correctly.

But the problem is when the remote user isn't in the correct AD group, I set a default-policy-group with no access to this kind of users.  After that, all the users (allowed and not allowed) fall in the same default-group-policy with no VPN access.

There is the ASA configuration:

ldap attribute-map LDAP
  map-name  memberOf Group-Policy
  map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,ou=My Group,dc=xxx,dc=com" RemoteAccess

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.3
ldap-base-dn ou="My Group", dc=xxx, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=user, ou="My Group", dc=xxx, dc=com
server-type microsoft
ldap-attribute-map LDAP

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0

group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 10.0.0.3
vpn-tunnel-protocol IPSec
default-domain value xxx.com

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool POOL
authentication-server-group LDAP
default-group-policy NOACCESS
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *******

As you can see, I have followed all the examples availables in the web to solve the problem but I can't obtain a good result.

Somebody has an solution for this problem????

Regards,

               Guzmán

19 REPLIES 19

I'm pleased that you found the solution with this post, it's the idea

Rate the post if it was useful, to help other people find it quickly.

Regards,

            Guzmán

Hi,

I am having same problems. when I test, all account are mapped by match policy (check by debug) but user are unable to establish VPN connection.

can you upload your working config.

here is my config:

ASA-5545-X# sh running-config group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev2 ssl-client
group-policy DfltGrpPolicy attributes
dns-server value 10.11.50.3 10.11.50.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_TEST-VPN internal
group-policy GroupPolicy_TEST-VPN attributes
wins-server none
dns-server value 10.11.50.3 10.11.50.4
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev2 ssl-client
default-domain value intra.uniri.hr
webvpn
anyconnect profiles value TEST-VPN_client_profile type user
ASA-5545-X#

THX,

Ivan

I have the same issue.

we have 5 groups profile.

we want the IT profile limit to IT account only in the AD. so no other group can access.

configured everything, not work. the debug shows no map message at all.

TAC found out the member of is case sensitive, it should be memberOf exactly.

after change the case, it start to catch the map, then every other group will match the noaccess default policy.

 

hope this help.

HI Guzman and Herbert.

Gr8 post thanks a lot, it helped me alot.

I was also stuck on the same memberOf problem.

I have now Implemented LDAP successfully.

Warm Regards
Fazleabbas

edeloscobos
Beginner

Excellent post ..! Exactly the same problem I had.

Thanks for the time you spent in documenting.

It's working now.!

Regards.

Eduardo

Content for Community-Ad