05-31-2013 12:22 PM
Hello,
I have configured LDAP authentication on the ASA for VPN users. In MS AD I have a group named "VPN_Users", but it's a CN.
ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local
The path identified in AD shows:
DN: CN=VPN_Users,OU=users,DC=company,DC=local
I want to allow only users who are in the mentioned group, but it does not work. It seems that "CN=VPN_Users" is not accepted as a group, but it is one.
Any idea or experience? Is it an IOS bug or what?
Thanks.
06-02-2013 01:08 AM
Hi Matus,
This is what you need.
Configuration for restricting access to a particular windows group on AD
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local <Group Policy Name>
!
! ---Group-Policy-Name should be the group-policy that you configured on the ASA---
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 server-port 389
 ldap-base-dn DC=company,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
!
group-policy
group-policy
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value
!
!
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 1
 address-pools none
!
!
tunnel-group
tunnel-group
 authentication-server-group LDAP-AD
 default-group-policy noaccess
Just in case it doesn't work for you, get the following information:
Turn on "debug ldap 255" on the ASA and connect with a user account that belongs to the VPN-Users group.
1. show run ldap
2. show run aaa-server
3. show run tunnel-group
4. show run group-policy
OR
You can provide the SH RUN from the ASA.
Jatin Katyal
- Do rate helpful posts
06-03-2013 05:59 AM
Hi Jatin,
Thanks for the reply and help. I tried your config before I posted the question here, but I forgot the group-policy "noaccess".
In your solution, in GP noaccess there is "vpn-simultaneous-logins 1". There should be "0", I think.
I will test it deeper later today.
matus
06-03-2013 06:07 AM
Hi Matus,
Yes, it should be 0. Sorry for the typo.
Because we don't want to assign any session to the end user.
Jatin Katyal
- Do rate helpful posts -
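The group-policy selection that Jatin's configuration relies on, written out as an added Python model (this is not code from the thread or from Cisco). It uses the thread's map-value DN and the corrected noaccess policy with vpn-simultaneous-logins 0, so you can see why a user outside the group authenticates but gets no session, and why a group moved to another OU (the case Matus wanted to test) silently stops matching. The policy name VPN-GP stands in for the <Group Policy Name> placeholder, and comparing DNs case-insensitively is an assumption of the model, not a documented ASA rule.

```python
"""Model of an ASA ldap attribute-map choosing a group-policy from AD memberOf.

Mirrors the thread's configuration:
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local VPN-GP
  tunnel-group ... default-group-policy noaccess  (vpn-simultaneous-logins 0)
"""

# Constructed sample of the group-policies configured on the ASA.
# "VPN-GP" is an assumed name standing in for the thread's <Group Policy Name>.
GROUP_POLICIES = {
    "VPN-GP": {"vpn-simultaneous-logins": 3},
    "noaccess": {"vpn-simultaneous-logins": 0},  # the corrected value from the thread
}

# map-value lines: AD group DN -> ASA group-policy name
ATTRIBUTE_MAP = {
    "CN=VPN_Users,OU=users,DC=company,DC=local": "VPN-GP",
}

DEFAULT_GROUP_POLICY = "noaccess"  # from: default-group-policy noaccess


def normalise_dn(dn: str) -> str:
    """Canonical form for comparing DNs: trim spaces around commas and equals, lowercase.

    Assumption: the map-value string is compared with the returned memberOf value
    case-insensitively. If your ASA version compares strictly, drop the .lower().
    """
    rdns = [part.strip() for part in dn.split(",")]
    return ",".join("=".join(x.strip() for x in rdn.split("=", 1)) for rdn in rdns).lower()


def select_group_policy(member_of: list[str]) -> tuple[str, list[str]]:
    """Return (chosen policy, every policy that matched).

    AD's memberOf attribute lists direct group memberships only, so a user who
    reaches VPN_Users only through a nested group produces no match here and
    falls back to the default policy. The first match wins in this model; all
    matches are returned so a caller can flag users that hit several map-values.
    """
    wanted = {normalise_dn(dn): gp for dn, gp in ATTRIBUTE_MAP.items()}
    matches = [wanted[normalise_dn(m)] for m in member_of if normalise_dn(m) in wanted]
    return (matches[0] if matches else DEFAULT_GROUP_POLICY), matches


def login_allowed(member_of: list[str]) -> bool:
    """A policy with vpn-simultaneous-logins 0 cannot host a session, so the user
    is denied even though the LDAP bind and password check succeeded."""
    policy, _ = select_group_policy(member_of)
    return GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0


if __name__ == "__main__":
    # Constructed users: memberOf values as AD would return them.
    samples = {
        "alice (direct member)": ["CN=VPN_Users,OU=users,DC=company,DC=local"],
        "bob (other group)": ["CN=Staff,OU=users,DC=company,DC=local"],
        "carol (group moved to another OU)": ["CN=VPN_Users,OU=remote,DC=company,DC=local"],
    }
    for name, groups in samples.items():
        policy, matched = select_group_policy(groups)
        print(f"{name}: policy={policy} allowed={login_allowed(groups)} matches={matched}")
```

The model makes the operational point of the thread concrete: access control here is a string comparison against the full DN, so renaming the OU or group, or relying on nested membership, drops the user into noaccess rather than producing an error.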
06-04-2013 02:39 AM
Were you able to restrict the access in your last test? Did you come across any other issue?
Jatin Katyal
- Do rate helpful posts -
06-04-2013 04:37 AM
I'm waiting for the MS AD administrator to test, because there are a lot of AD groups, etc. And I want to test how it will work when users move to another group in the AD tree, how the AD path will change, etc.
Matus K.
06-05-2013 07:03 AM
Hello Jatin,
So finally I was able to restrict the access to the mentioned group, and users who are not in the group are not able to connect. So it looks good. I have no other issues for now. Thanks.
Matus
06-05-2013 07:07 AM
It would be good if you mark this thread as resolved so that others can benefit from it.
Jatin Katyal
- Do rate helpful posts -