Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Problem if a user belongs from different AD Groups for Cisco ASA RA VPN using LDAP ( Authentication Authorization )

We are facing a issue when implementing LDAP authetication authorization for our remote access VPN for different Groups in Active Directory.

For example: we have 3 different groups in AD like ITstaff, accounting, admin and if we want to connect for ITstaff group using a username XXX, the ldap authetication and authorization was successful and vpn tunnel is established. And if The username XXX is memberOf all the groups like ITstaff. accounting, admin then the problem rise to have a VPN tunnel using the same username for different AD groups.

Suppose if I try to connect for accounting groups using same username XXX, authentication and authorization shows successful and shows the following log messages:

AAA user authorization Successful : server =  a.b.c.d : user = XXX

AAA group policy for user XXX is being set to ITstaff ----> although it should accounting

AAA retrieved user specific group policy (ITstaff) for user = XXX

AAA retrieved default group policy (accounting) for user = XX

AAA transaction status ACCEPT : user = XXX

DAP: User XXX, Addr e.f.g.h, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

Group = accounting, Username = XXX, IP = e.f.g.h, Tunnel Rejected: User (XXX) not member of group (accounting), group-lock check failed.

SSL session with server outside:.. terminated.

So it shows that the tunnel is rejected because the user XXX is not a memberOf group (accounting) which is not true.

Please help me.


Herbert Baerten
Cisco Employee


I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).

Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead



Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube