Enthusiast

ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

Hello,

I have configured LDAP authentication on the ASA for VPN users. In MS AD I have a group named "VPN_Users", but it's a CN.

ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local

The path identified in AD shows:

DN: CN=VPN_Users,OU=users,DC=company,DC=local

I want to allow only users who are in the mentioned group, but it does not work. It seems that "CN=VPN_Users" is not accepted as a group, but it is one.

Any idea or experience? Is it an IOS bug, or what?

thanks.

Accepted Solution
Cisco Employee

ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

Hi Matus,

This is what you need.

Configuration for restricting access to a particular Windows group in AD:

ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local <Group Policy Name>
!
! --- <Group Policy Name> should be the group-policy that you configured on the ASA ---
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
  server-port 389
  ldap-base-dn DC=company,DC=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn
  ldap-login-password
  server-type microsoft
  ldap-attribute-map LDAP-MAP
!
group-policy internal
group-policy attributes
  vpn-simultaneous-logins 3
  vpn-tunnel-protocol IPSec l2tp-ipsec ...
  address-pools value
!
group-policy noaccess internal
group-policy noaccess attributes
  vpn-simultaneous-logins 1
  address-pools none
!
tunnel-group type remote-access
tunnel-group general-attributes
  authentication-server-group LDAP-AD
  default-group-policy noaccess

Just in case it doesn't work for you, get the following information:

Turn on "debug ldap 255" on the ASA and connect with a user account that belongs to the VPN-Users group.

1. show run ldap
2. show run aaa-server
3. show run tunnel-group
4. show run group-policy

Or you can provide the SH RUN from the ASA.

Jatin Katyal
- Do rate helpful posts

~Jatin Katyal
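As an added example (not from the thread and not Cisco's code), a small Python model of how the configuration in the accepted answer picks a group-policy: the user is looked up by ldap-naming-attribute sAMAccountName under ldap-base-dn with subtree scope, each memberOf value is compared against the attribute map, and an authenticated user with no mapped group falls back to the tunnel-group's default-group-policy. It also shows why the original base DN pointing at the group's CN finds no user at all. The directory entries, user names and the policy name VPN-GP are constructed sample data, and case-insensitive DN comparison is an assumption of the model.

```python
# Added example: model of the ASA ldap-base-dn search plus the memberOf
# attribute map from the accepted answer. All directory content, user
# names and the group-policy name "VPN-GP" are constructed sample data.

def norm_dn(dn):
    """Normalize a DN for comparison: lowercase, no spaces around commas.
    (Assumption of this model; confirm real ASA matching with debug ldap 255.)"""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn (ldap-scope subtree)."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)

# Constructed AD snapshot: the group is a leaf object, not a container,
# so nothing sits "below" CN=VPN_Users in the tree.
DIRECTORY = {
    "CN=VPN_Users,OU=users,DC=company,DC=local": {"objectClass": "group"},
    "CN=Matus,OU=users,DC=company,DC=local": {
        "sAMAccountName": "matus",
        "memberOf": ["CN=VPN_Users,OU=users,DC=company,DC=local"]},
    "CN=Guest,OU=users,DC=company,DC=local": {
        "sAMAccountName": "guest",
        "memberOf": ["CN=Domain Users,CN=Users,DC=company,DC=local"]},
}

# ldap attribute-map: memberOf DN -> group-policy name (constructed name).
LDAP_MAP = {norm_dn("CN=VPN_Users,OU=users,DC=company,DC=local"): "VPN-GP"}
DEFAULT_GROUP_POLICY = "noaccess"   # tunnel-group default-group-policy

def find_user(base_dn, sam):
    """Search by sAMAccountName under base_dn with subtree scope."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base_dn) and attrs.get("sAMAccountName") == sam:
            return attrs
    return None

def select_group_policy(base_dn, sam):
    """Return the group-policy the ASA would apply, or None when the user is
    never found (authentication fails before any policy is considered)."""
    user = find_user(base_dn, sam)
    if user is None:
        return None
    for group_dn in user.get("memberOf", []):
        policy = LDAP_MAP.get(norm_dn(group_dn))
        if policy:
            return policy
    return DEFAULT_GROUP_POLICY
```

With the base DN set to the group's own DN the user search returns nothing, which matches the symptom in the question; with the domain as base DN the member lands in VPN-GP and everyone else in noaccess.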

Enthusiast

Hi Jatin,

Thanks for the reply and help. I tried your config before I posted the question here, but I forgot the group-policy "noaccess".

In your solution, GP noaccess has "vpn-simultaneous-logins 1". There should be "0", I think.

I will test it deeper later today.

matus

Cisco Employee

Hi Matus,

Yes, it should be 0. Sorry for the typo.

Because we don't want to assign any sessions to the end user.

Jatin Katyal

- Do rate helpful posts -

~Jatin Katyal
Cisco Employee

Were you able to restrict the access in your last test? Did you come across any other issues?

Jatin Katyal
- Do rate helpful posts -

~Jatin Katyal
Enthusiast

I'm waiting for the MS AD administrator to test, because there are a lot of AD groups etc. And I want to test how it will work when users move to another group in the AD tree, how the AD path will change, etc.

Matus K.

Enthusiast

Hello Jatin,

So finally I was able to restrict access to the mentioned group, and users who are not in the group are not able to connect. So it looks good. I have no other issues for now. Thanks.

Matus

Cisco Employee

It would be good if you mark this thread as resolved so that others can benefit from it.

Jatin Katyal
- Do rate helpful posts -

~Jatin Katyal