cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
416
Views
0
Helpful
2
Replies
Beginner

SSL-Clientless Access via LDAP Authentication

What is the best way to configure Group AD (LDAP) Authentication via the ASA?  I can get it to authenticate but if doesnt matter if the user is in the Group or not.  I want to use a specific group.

I have it configured using the memberOf and Group Policy atributes

aaa-server LDAP_Server_Grp protocol ldap
aaa-server LDAP_Server_Grp (Internal) host 10.10.10.1
ldap-base-dn dc=acme,dc=com
ldap-group-base-dn cn=users,dc=acme,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=vpnuser,cn=users,dc=acme,dc=com
server-type microsoft
ldap-attribute-map LDAP_MAP

ldap attribute-map LDAP-MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

I saw some posts where you can setup a "tunnel-group" to deny access by default and then apply to the Connection Profile as the default Group Policy then override the settings in the Advanced > Authentication settings on the Connection Profile.

What am I missing??  Thanks!

2 REPLIES 2
Highlighted
Cisco Employee

SSL-Clientless Access via LDAP Authentication

Hi Derek,

When the user is initiates a VPN Connection, the connection will fall on the Tunnel-group or the Connection profile.

Each connection profile will have a group-policy assigned. By default the group-policy is DefaultGroupPolicy.

You can change the same by defining the group-policy explicitly.

When you use LDAP to authenticate, you have an option to bind the group-policy to a user as well. This can be done with the help of LDAP Attribute Map.

This group-policy will take precendence over any setting of the group-policy.

I.e. in your case the group-policy Employee_Access will take precendence over the group-policy defined in the connection profile

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Beginner

SSL-Clientless Access via LDAP Authentication

Anisha,

Thanks for the repy.  I have two Connection Profiles (Tunnel Groups). Employee and Vendor.   I also have two Group Policies called Employee_Access and Vendor_Access.  I have appied the Employee_Access group policy to the Employee Connection Profile.

I am able to authenticate no problem.  However, I want the Employees to authenticate to a user group called ASA_VPN_Employee.  I have the LDAP Attribute Map configured as follows:

CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

ldap attribute-map LDAP-MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

However, if you remove the user from the ASA_VPN_Employee group you still can authenticate.  The reason is I think is uses the following serach base:

ldap-base-dn dc=acme,dc=com

The user should not be able to authentiate if they are not in the ASA_VPN_Employee group.