cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
355
Views
5
Helpful
3
Replies
Xayyam.Gojayev
Beginner

Anyconnect ldap authentication problem

Hi Engineers,

I have vpn problem. we use Anyconnect vpn in ASA on corp. But there is single problem. I was connected ASA to LDAP and I created single group for vpn users. When does vpn authentication time, ALL domain users passed authentication in anyconnect with AD user. But i want to connect to the anyconnect vpn to only single CN=VPN Users group member.

 

Thanks.

 

ldap attribute-map eManat-Attribute
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPN Users,OU=VPN,DC=modenis,DC=local


aaa-server AD protocol ldap
ldap-base-dn DC=xxx,DC=local
ldap-group-base-dn CN=VPN Users,OU=VPN,DC=xxx,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldap@xxx.local
ldap-attribute-map Attributename
ldap-base-dn DC=xxx,DC=local
ldap-group-base-dn CN=VPN Users,OU=VPN,DC=xxx,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldap@xxx.local
ldap-attribute-map Attributename

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
address-pool GP-IT-Infrastructure
authentication-server-group AD
default-group-policy Employees
tunnel-group Employees webvpn-attributes
group-alias Employees enable

 

group-policy Employees internal
group-policy Employees attributes
banner value Dear Employees, Welcome to Corporate internal Network. Have a nice day!!!


dns-server value 172.20.10.21 172.20.10.22
vpn-tunnel-protocol ssl-client
group-lock value Employees
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ACCESS-ALL
address-pools value GP-IT-Infrastructure

1 ACCEPTED SOLUTION

Accepted Solutions
Rob Ingram
VIP Mentor

@Xayyam.Gojayev You need a NOACCESS group-policy that is applied to users when they are not a member of any of the LDAP groups. Refer to the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

 

View solution in original post

3 REPLIES 3
Rob Ingram
VIP Mentor

@Xayyam.Gojayev You need a NOACCESS group-policy that is applied to users when they are not a member of any of the LDAP groups. Refer to the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

 

Hi @Rob Ingram thanks for you this solution. Its work.

MHM Cisco World
Collaborator

follow

Create
Recognize Your Peers
Content for Community-Ad