05-09-2022 12:55 AM
Hi,
I am working on an ASA firewall.
SSL-VPN is integrated with AD, and all users are created in AD within a specific group.
How can I add a new group to AD and match it in the ASA?
How can the ASA know that a group in the ASA should get its users from a specific group in AD?
05-10-2022 03:09 AM - edited 05-10-2022 03:11 AM
AD and ISE are completely different things. What I asked is whether you are using ISE or searching the AD with LDAP directly from the ASA.
Then you need to follow these instructions:
Then I said that, instead of searching for a group, wouldn't it make more sense to add one group for VPN users and then look at this group only? But if what works for you is searching for a group in AD using LDAP from the ASA:
"On the ASA, this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map. In order to use LDAP to assign a group policy to a user, you must map an LDAP attribute, such as the AD attribute memberOf, to the Group-Policy attribute that is understood by the ASA. Once the attribute mapping is established, you must map the attribute value configured on the LDAP server to the name of a group policy on the ASA.
Note: The memberOf attribute corresponds to the group that the user is a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."
05-09-2022 01:07 AM
If using LDAP, utilise an LDAP attribute map to map the AD group.
https://integratingit.wordpress.com/2020/04/03/asa-remote-access-vpn-using-ldap/
05-09-2022 01:16 AM
@Rob Ingram
Many thanks. Can I know how to do it through ASDM, please?
05-09-2022 01:19 AM
05-09-2022 01:25 AM
Hi,
How are you using the AD in this case? Are you using the LDAP protocol on the ASA, or do you use ISE and then ISE integrates with AD?
Why can't your VPN users just be in the VPN user group?
05-10-2022 02:12 AM
I am using AD, not ISE. I just need to know how to match a group in the ASA with a group in AD.
05-10-2022 02:14 AM
@Rob Ingram
I have attached screenshots. I can't see configuration for LDAP or dynamic access,
even though we are using AD for all VPN users. Is this because the FW is in context mode?
05-10-2022 02:49 AM
@mautez_mah the screenshot is of the LDAP attribute map, which isn't configured.
Please provide your configuration for review, so we can determine what you have configured.
05-11-2022 02:58 AM
@Rob Ingram
Thanks,
I created a group policy and a tunnel group in the ASA. Could you please tell me which config you asked me to share?
In AD I configured NPS for the new group.
Note: there are groups that are already working fine, and I tried to match all the settings in both AD and the ASA, but it is still showing "Login failed".