Running on a FP2130 with 9.18(4)34 but the same problem seems to occur on 9.18(4)40.
I am trying to have a user belonging to multiple groups map, through a single ldap attribute-map, the memberOf value of a group to IETF-Radius-Class for the group policy.
The problem I seem to face has been documented a number of times elsewhere, as there doesn't seem to be a consistent way to map membership of an AD group to a particular role. I have tried a number of different things, including renaming the groups to be in numeric order so they consistently show up in the running config in order, but that doesn't seem to matter. It's all up to how AD returns the groups in the LDAP response as to how the ASA applies the group policy.
https://community.spiceworks.com/t/how-to-reorder-the-member-of-groups-in-a-users-ad-account/584350
https://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group/
https://www.petenetlive.com/KB/Article/0001152
I have an attribute-map of:
ldap attribute-map LAB_Cisco_To_AD
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_1_Deny,OU=VPN,DC=lab,DC=local" GP-Deny
map-value memberOf "CN=VPN_2_SecurePartner,OU=VPN,DC=lab,DC=local" GP-Partner
map-value memberOf "CN=VPN_9_Allow,OU=VPN,DC=lab,DC=local" GP-Allow
The groups should be returned in order or applied in order, but that doesn't seem to be the case, as when I enable LDAP debug I see this in the log.
[154] memberOf: value = CN=VPN_2_SecurePartner_Staff,OU=VPN,DC=lab,DC=local
[154] mapped to IETF-Radius-Class: value = GP-Partner
[154] mapped to LDAP-Class: value = GP-Partner
[154] memberOf: value = CN=VPN_3_SecurePartner,,OU=VPN,DC=lab,DC=local
[154] mapped to IETF-Radius-Class: value = GP-Partner
[154] mapped to LDAP-Class: value = GP-Partner
[154] memberOf: value = CN=AnotherGroup,ou=Groups,DC=lab,DC=local
[154] mapped to IETF-Radius-Class: value = CN=AnotherGroup,ou=Groups,DC=lab,DC=local
[154] mapped to LDAP-Class: value = CN=AnotherGroup,ou=Groups,DC=lab,DC=local
[154] memberOf: value = CN=VPN_9_Allowlist,OU=VPN,OU=Applications,OU=Security Gr
[154] mapped to IETF-Radius-Class: value = GP-Allow
[154] mapped to LDAP-Class: value = GP-Allow
[154] memberOf: value = CN=YetAnotherGroup,ou=Groups,DC=lab,DC=local
[154] mapped to IETF-Radius-Class: value = CN=YetAnotherGroup,ou=Groups,DC=lab,DC=local
[154] mapped to LDAP-Class: value = CN=YetAnotherGroup,ou=Groups,DC=lab,DC=local
It seems to me that whatever order the groups are returned in AD is the order that the ASA applies the group policy.
Any ideas how to resolve this? I think using something other than LDAP is the only way.
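Added example, not part of the post above and not ASA code: a small model of how an attribute-map like the one in the post turns a multi-valued memberOf into a class value, with the "last mapped value wins" behaviour taken as an assumption inferred from the debug output, beside an order-independent selection that ranks the candidate group policies by precedence. The DN comparison being case-insensitive and the precedence list are also assumptions.

```python
# Added example (not from the original post, not Cisco code). Models how a
# multi-valued memberOf attribute is run through an ldap attribute-map, and
# contrasts the order-dependent result with a precedence-based one.
# Assumption: the last mapped value wins, as the debug output suggests.

# map-value entries from the post's attribute-map (memberOf DN -> group policy).
ATTRIBUTE_MAP = {
    "CN=VPN_1_Deny,OU=VPN,DC=lab,DC=local": "GP-Deny",
    "CN=VPN_2_SecurePartner,OU=VPN,DC=lab,DC=local": "GP-Partner",
    "CN=VPN_9_Allow,OU=VPN,DC=lab,DC=local": "GP-Allow",
}

# Assumed precedence: most restrictive policy first; unranked values sort last.
PRECEDENCE = ["GP-Deny", "GP-Partner", "GP-Allow"]


def map_member_of(member_of, attribute_map=ATTRIBUTE_MAP):
    """Sequential map-value processing: each memberOf value is translated if a
    map-value matches (case-insensitive DN compare, an assumption), otherwise
    passed through unchanged, mirroring the unmapped DNs in the debug lines."""
    lowered = {dn.lower(): gp for dn, gp in attribute_map.items()}
    return [lowered.get(dn.lower(), dn) for dn in member_of]


def order_dependent_policy(member_of, attribute_map=ATTRIBUTE_MAP):
    """Class value that survives when the last mapped value wins (assumed)."""
    mapped = map_member_of(member_of, attribute_map)
    return mapped[-1] if mapped else None


def precedence_policy(member_of, attribute_map=ATTRIBUTE_MAP, precedence=PRECEDENCE):
    """Order-independent choice: the highest-precedence policy present."""
    rank = {gp: i for i, gp in enumerate(precedence)}
    candidates = [gp for gp in map_member_of(member_of, attribute_map) if gp in rank]
    return min(candidates, key=rank.__getitem__) if candidates else None


# Constructed memberOf responses: the same groups, returned by AD in two orders.
AD_ORDER_A = [
    "CN=VPN_1_Deny,OU=VPN,DC=lab,DC=local",
    "CN=AnotherGroup,ou=Groups,DC=lab,DC=local",
    "CN=VPN_9_Allow,OU=VPN,DC=lab,DC=local",
]
AD_ORDER_B = list(reversed(AD_ORDER_A))

if __name__ == "__main__":
    for order in (AD_ORDER_A, AD_ORDER_B):
        print(order_dependent_policy(order), precedence_policy(order))
```

Running it shows the order-dependent result flipping between GP-Allow and GP-Deny for the same user while the precedence-based choice stays at GP-Deny, which is the property a user in several mapped groups needs.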