Microsoft AD based security group authentication for VPN

I have AnyConnect set up to authenticate via LDAP with a Microsoft domain.  I get successful authentication replies when testing user accounts.  I am trying to set up AD security-group-based authentication so I can set the default tunnel-group policy to NOACCESS and have members of an AD security group sent to another group-policy.

I believe it is set up according to countless documents on the topic; however, I think that 'other' AD groups are causing the user(s) not to get the correct group-policy.  See the snippet from a debug ldap 255:


[-2147483640]   memberOf: value = CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xx,DC=xx,
[-2147483640]           mapped to Group-Policy: value = districtemployee
[-2147483640]           mapped to LDAP-Class: value = districtemployee
[-2147483640]   memberOf: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,
[-2147483640]           mapped to Group-Policy: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN= Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]   memberOf: value = CN=PC Technicians,OU=IT,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to Group-Policy: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx

The user authenticates successfully, but I believe it is rolling into the default group-policy because the other non-mapped groups are changing the group-policy name to match the distinguished name of the other groups.  Here is my attribute map:


ldap attribute-map LDAP_MemberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx" districtemployee


Does anyone have this working with multiple groups per user?  I was sure that it was a bug, but I have upgraded to the latest train of code on this ASA and still have the same issue.
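As an added illustration (not part of the original post and not Cisco's code), the following script reproduces only the per-value mapping visible in the debug output above: a memberOf value with a map-value entry becomes the configured policy name, and every other value is passed through as the group's DN. It then lists which of those results name no group-policy on the box. The attribute map, the memberOf values and the set of existing group-policies are constructed from the post; it does not model the ASA's precedence rule when several memberOf values are returned.

```python
import re

# Constructed copy of the attribute map from the post.
ATTRIBUTE_MAP = """
ldap attribute-map LDAP_MemberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx" districtemployee
"""

# Constructed memberOf values, modelled on the debug ldap output in the post.
MEMBER_OF = [
    "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx",
    "CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx",
    "CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx",
]

# Group-policies assumed to exist on the ASA (assumption; take the real list
# from `show run group-policy`).
EXISTING_GROUP_POLICIES = {"DfltGrpPolicy", "NOACCESS", "districtemployee"}


def parse_attribute_map(text):
    """Return ({ldap_attr: cisco_attr}, {(ldap_attr, ldap_value): cisco_value})."""
    names, values = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'map-name\s+(\S+)\s+(\S+)$', line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        m = re.match(r'map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)$', line)
        if m:
            values[(m.group(1), m.group(2))] = m.group(3)
    return names, values


def map_member_of(member_of, names, values):
    """Mirror the mapping in the debug output: (ldap_value, cisco_attr, cisco_value).
    An unmapped memberOf DN is passed through unchanged as the policy name."""
    cisco_attr = names.get("memberOf", "memberOf")
    return [(dn, cisco_attr, values.get(("memberOf", dn), dn)) for dn in member_of]


def unresolved_policies(mapped, existing):
    """Mapped results that name no group-policy on the ASA (candidates for
    falling back to the default tunnel-group policy)."""
    return [val for _, _, val in mapped if val not in existing]
```

Any DN listed by `unresolved_policies` is a group that needs either its own map-value line or a different mapping strategy before the user can land reliably in `districtemployee`.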