06-07-2020 01:14 AM
Hello All,
I was setting up ldap-attribute mapping for having multiple group policies within one tunnel-group. But when I test the connection it fails to select any group-policy and fails since no IP address is being assigned.
The ldap-map is:
-----
ciscoasa# sh run ldap attribute-map
ldap attribute-map LDAP-VPN
map-name memberOf Group-Policy
map-value memberOf CN=VPN-External,OU=VPN-Internal,DC=EVELAB,DC=COM ra-external
ciscoasa#
------
When I took the debug output to check: "debug ldap 255"
------
[13] memberOf: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
[13] mapped to Group-Policy: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
[13] mapped to LDAP-Class: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
------
The ldap map is also called in the correct ldap server:
aaa-server 192.168.9.2 protocol ldap
aaa-server 192.168.9.2 (outside0) host 192.168.9.2
ldap-base-dn DC=EVELAB,DC=COM
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=alfred sachin,OU=VPN-Internal,DC=EVELAB,DC=COM
server-type microsoft
ldap-attribute-map LDAP-VPN
-------------
The correct group policy was not being assigned to the connection. The user-id which I used, "alfred_dell", is under the correct group but the ldap mapping is not working.
Kindly let me know if I am making any mistake in the configuration.
06-07-2020 02:09 AM
Hi,
Check the case of your Group, as attribute values are case sensitive. You've defined your group in the LDAP map as VPN-External, however the debug determines the group as vpn-external. Amend your LDAP map.
map-value memberOf CN=VPN-External,OU=VPN-Internal,DC=EVELAB,DC=COM ra-external
[13] memberOf: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
HTH
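The check described in the reply above, as an added example (not part of the original posts and not Cisco tooling): it compares each `map-value` entry from `sh run ldap attribute-map` with the raw attribute values printed by `debug ldap 255` and flags entries that differ only by case. The function names and the embedded sample text are constructed for illustration, and the parser assumes the mapped Cisco value contains no spaces.

```python
import re

# Constructed sample input, shaped like the output quoted in the thread.
RUNNING_CONFIG = """\
ldap attribute-map LDAP-VPN
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-External,OU=VPN-Internal,DC=EVELAB,DC=COM ra-external
"""
DEBUG_LDAP = """\
[13] memberOf: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
[13] mapped to Group-Policy: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com
"""

def parse_map_values(config):
    """Return {(attribute, ldap_value): cisco_value} from map-value lines."""
    entries = {}
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("map-value "):
            continue
        _, attr, rest = line.split(None, 2)
        # Assumption: the mapped Cisco value (last token) contains no spaces,
        # so everything before it is the LDAP value, spaces included.
        ldap_value, cisco_value = rest.rsplit(None, 1)
        entries[(attr, ldap_value.strip('"'))] = cisco_value
    return entries

def parse_debug_values(debug):
    """Return [(attribute, value)] for raw attributes; skips 'mapped to' lines."""
    pattern = re.compile(r"^\[\d+\]\s+(\S+): value = (.+)$")
    matches = (pattern.match(l.strip()) for l in debug.splitlines())
    return [m.groups() for m in matches if m]

def check_mappings(config, debug):
    """Classify each returned value as exact, case-mismatch, or unmapped."""
    entries = parse_map_values(config)
    results = []
    for attr, value in parse_debug_values(debug):
        if (attr, value) in entries:
            results.append(("exact", value, entries[(attr, value)]))
            continue
        # Same attribute, same value once case is ignored: the map will not fire.
        near = [p for (a, v), p in entries.items()
                if a == attr and v.lower() == value.lower()]
        results.append(("case-mismatch", value, near[0]) if near
                       else ("unmapped", value, None))
    return results

if __name__ == "__main__":
    for status, value, policy in check_mappings(RUNNING_CONFIG, DEBUG_LDAP):
        print(f"{status:14} {value} -> {policy}")
```

A `case-mismatch` result means the `map-value` line should be rewritten with the value exactly as the debug output shows it.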
06-07-2020 06:27 AM
Thanks, it worked. I keep making these stupid mistakes! Sorry for wasting your time.