SSL-Clientless Access via LDAP Authentication

Derek McKelvey
Level 1

What is the best way to configure Group AD (LDAP) Authentication via the ASA?  I can get it to authenticate, but it doesn't matter if the user is in the Group or not.  I want to use a specific group.

I have it configured using the memberOf and Group Policy attributes:

aaa-server LDAP_Server_Grp protocol ldap
aaa-server LDAP_Server_Grp (Internal) host 10.10.10.1
ldap-base-dn dc=acme,dc=com
ldap-group-base-dn cn=users,dc=acme,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=vpnuser,cn=users,dc=acme,dc=com
server-type microsoft
ldap-attribute-map LDAP_MAP

ldap attribute-map LDAP-MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

I saw some posts where you can setup a "tunnel-group" to deny access by default and then apply to the Connection Profile as the default Group Policy then override the settings in the Advanced > Authentication settings on the Connection Profile.

What am I missing??  Thanks!

2 Replies

andamani
Cisco Employee

Hi Derek,

When the user initiates a VPN Connection, the connection will fall on the Tunnel-group or the Connection profile.

Each connection profile will have a group-policy assigned. By default the group-policy is DefaultGroupPolicy.

You can change the same by defining the group-policy explicitly.

When you use LDAP to authenticate, you have an option to bind the group-policy to a user as well. This can be done with the help of LDAP Attribute Map.

This group-policy will take precedence over any setting of the group-policy.

I.e. in your case the group-policy Employee_Access will take precedence over the group-policy defined in the connection profile.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Anisha,

Thanks for the reply.  I have two Connection Profiles (Tunnel Groups): Employee and Vendor.   I also have two Group Policies called Employee_Access and Vendor_Access.  I have applied the Employee_Access group policy to the Employee Connection Profile.

I am able to authenticate no problem.  However, I want the Employees to authenticate to a user group called ASA_VPN_Employee.  I have the LDAP Attribute Map configured as follows:

CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

ldap attribute-map LDAP-MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=ASA_VPN_Employee,CN-Users,DC=acme,DC=com Employee_Access

However, if you remove the user from the ASA_VPN_Employee group you can still authenticate.  The reason, I think, is that it uses the following search base:

ldap-base-dn dc=acme,dc=com

The user should not be able to authenticate if they are not in the ASA_VPN_Employee group.
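The behaviour Derek describes is expected: with LDAP authentication the ASA only checks the bind, and the attribute map only chooses a group-policy; it never denies a user on its own. The usual way to turn "not in the group" into "no access" is the deny-by-default group-policy mentioned in the first post. The configuration below is an added example, not from the thread or from Cisco documentation for this case; it reuses the poster's names (LDAP_Server_Grp, Employee, Employee_Access, ASA_VPN_Employee, the acme.com domain) and assumes the NOACCESS policy name and that the group lives in the CN=Users container. Two details from the posted config are worth checking against it: the map is created as LDAP-MAP but referenced as LDAP_MAP, and the map-value DN must match the memberOf value AD actually returns (CN=Users, not CN-Users), or the map will never fire and everyone falls through to whatever the default policy is.

```cisco
! Added example: deny-by-default group-policy selection via LDAP attribute map.
! NOACCESS and the CN=Users container are assumptions, not values from the thread.

! 1. Policy every authenticated user lands on unless the attribute map overrides it.
!    vpn-simultaneous-logins 0 means "credentials accepted, session refused".
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 2. Policy that members of the AD group actually receive.
group-policy Employee_Access internal
group-policy Employee_Access attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-clientless

! 3. Attribute map. The name here must be the same string that the aaa-server host
!    block references, and the DN must be exactly what AD returns in memberOf.
ldap attribute-map LDAP_MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=ASA_VPN_Employee,CN=Users,DC=acme,DC=com Employee_Access

! 4. LDAP server definition (bind account and password are placeholders).
aaa-server LDAP_Server_Grp protocol ldap
aaa-server LDAP_Server_Grp (Internal) host 10.10.10.1
 ldap-base-dn dc=acme,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=vpnuser,cn=users,dc=acme,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP_MAP

! 5. Connection profile: authenticate against LDAP, default to the deny policy.
!    A user outside ASA_VPN_Employee authenticates, gets NOACCESS, and is refused.
tunnel-group Employee general-attributes
 authentication-server-group LDAP_Server_Grp
 default-group-policy NOACCESS
```

To confirm the map is firing, run `debug ldap 255` while a test user logs in: the output lists the memberOf values returned by AD and the Group-Policy the map derived from them; if no mapping line appears, the DN string or the map name does not match. Two caveats: memberOf only lists direct group membership, so users who belong to ASA_VPN_Employee through a nested group will not be matched and will receive NOACCESS; and the same pattern should be applied to the Vendor connection profile, otherwise an employee removed from the group could still connect by selecting the other profile if its default policy permits logins.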
