06-01-2012 03:25 AM - edited 03-10-2019 07:09 PM
We are facing an issue when implementing LDAP authentication and authorization for our remote access VPN for different groups in Active Directory.
For example: we have 3 different groups in AD like ITstaff, accounting, admin, and if we want to connect for the ITstaff group using a username XXX, the LDAP authentication and authorization is successful and the VPN tunnel is established. And if the username XXX is memberOf all the groups like ITstaff, accounting, admin, then the problem arises to have a VPN tunnel using the same username for different AD groups.
Suppose I try to connect for the accounting group using the same username XXX; authentication and authorization show successful and the following log messages appear:
AAA user authorization Successful : server = a.b.c.d : user = XXX
AAA group policy for user XXX is being set to ITstaff ----> although it should accounting
AAA retrieved user specific group policy (ITstaff) for user = XXX
AAA retrieved default group policy (accounting) for user = XX
AAA transaction status ACCEPT : user = XXX
DAP: User XXX, Addr e.f.g.h, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
Group = accounting, Username = XXX, IP = e.f.g.h, Tunnel Rejected: User (XXX) not member of group (accounting), group-lock check failed.
SSL session with server outside:.. terminated.
So it shows that the tunnel is rejected because user XXX is not a memberOf group (accounting), which is not true.
Please help me.
Thanks,
06-04-2012 06:19 AM
Hi
I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.
Hth
Herbert
Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
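Added example, not from either post: an ASA configuration of the kind Herbert describes (attribute map turning memberOf into a single Group-Policy, plus group-lock on each policy), which produces exactly the "group-lock check failed" rejection in the question's log, and the commands to check what the map returns. Server names, DNs, addresses and policy names are constructed placeholders.

```cisco
! Added example; all names, DNs and addresses are constructed placeholders.
!
! 1) LDAP attribute map. For a user in several AD groups memberOf is
!    multi-valued, but the ASA keeps only ONE Group-Policy from the map,
!    so the same user always ends up on the same policy (ITstaff in the
!    log above) no matter which connection profile was chosen.
ldap attribute-map AD-GROUP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=ITstaff,OU=Groups,DC=example,DC=com"    ITstaff
  map-value memberOf "CN=accounting,OU=Groups,DC=example,DC=com" accounting
  map-value memberOf "CN=admin,OU=Groups,DC=example,DC=com"      admin
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-vpn,OU=Service,DC=example,DC=com
  ldap-login-password <placeholder>
  server-type microsoft
  ldap-attribute-map AD-GROUP-MAP
!
! 2) Each policy is locked to the connection profile of the same name.
!    User mapped to ITstaff but connecting through "accounting" fails
!    the lock: "Tunnel Rejected ... group-lock check failed".
group-policy ITstaff internal
group-policy ITstaff attributes
  group-lock value ITstaff
group-policy accounting internal
group-policy accounting attributes
  group-lock value accounting
!
tunnel-group accounting type remote-access
tunnel-group accounting general-attributes
  authentication-server-group AD-LDAP
  default-group-policy accounting
!
! 3) Check which memberOf values AD returns and which single policy the
!    map picks, by running the lookup by hand with LDAP debugging on:
!    debug ldap 255
!    test aaa-server authentication AD-LDAP host 192.0.2.10 username XXX password <placeholder>
!
! Herbert's alternative: remove "ldap-attribute-map AD-GROUP-MAP" from
! the aaa-server entry and define one DAP record per connection profile
! (ASDM, Dynamic Access Policies) whose selection criteria require that
! connection profile AND the matching ldap.memberOf value. A user in
! several groups then matches the record for whichever profile is used.
```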