
Anyconnect ldap authentication problem

Xayyam.Gojayev
Level 1

Hi Engineers,

I have a VPN problem. We use AnyConnect VPN on an ASA at our corporation, but there is a single problem. I connected the ASA to LDAP and created a single group for VPN users. At VPN authentication time, ALL domain users pass authentication in AnyConnect with their AD user. But I want only members of the single CN=VPN Users group to be able to connect to the AnyConnect VPN.


Thanks.


ldap attribute-map eManat-Attribute
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN Users,OU=VPN,DC=modenis,DC=local

aaa-server AD protocol ldap
 ldap-base-dn DC=xxx,DC=local
 ldap-group-base-dn CN=VPN Users,OU=VPN,DC=xxx,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap@xxx.local
 ldap-attribute-map Attributename

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool GP-IT-Infrastructure
 authentication-server-group AD
 default-group-policy Employees
tunnel-group Employees webvpn-attributes
 group-alias Employees enable

group-policy Employees internal
group-policy Employees attributes
 banner value Dear Employees, Welcome to Corporate internal Network. Have a nice day!!!
 dns-server value 172.20.10.21 172.20.10.22
 vpn-tunnel-protocol ssl-client
 group-lock value Employees
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACCESS-ALL
 address-pools value GP-IT-Infrastructure

Accepted Solution

@Xayyam.Gojayev You need a NOACCESS group-policy that is applied to users when they are not a member of any of the LDAP groups. Refer to the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15
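The reason every domain user gets in is that the ASA authenticates any account it can bind as under ldap-base-dn; the ldap-group-base-dn and the attribute map only decide which group-policy is assigned afterwards, and a user with no mapped group simply inherits the tunnel-group default (here, Employees). The fragment below is an added example of the fix the accepted solution describes, not the poster's or Cisco's own configuration: it assumes the attribute map should hand members of CN=VPN Users the existing Employees policy and everyone else a NOACCESS policy that permits zero sessions.

```text
! Deny-by-default policy: users who match no map-value land here and
! are refused because no concurrent logins are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client

! Map the memberOf DN to the policy name. The trailing "Employees" is
! the group-policy assigned on a match (assumed target; the original
! map-value line omits it). Quotes are assumed for a DN containing spaces.
ldap attribute-map eManat-Attribute
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,OU=VPN,DC=xxx,DC=local" Employees

aaa-server AD protocol ldap
 ldap-attribute-map eManat-Attribute

! Default the tunnel-group to NOACCESS so only mapped users reach Employees.
tunnel-group Employees general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
```

Verify with "debug ldap 255" during a test login: a member of the group should show the mapped value "Employees", while a non-member should be assigned NOACCESS and be rejected with a simultaneous-logins error rather than authenticating successfully.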


3 Replies

Hi @Rob Ingram, thanks for this solution. It works.
