1370 Views · 5 Helpful · 3 Replies

Anyconnect ldap authentication problem

Xayyam.Gojayev
Level 1

Hi Engineers,

I have a VPN problem. We use AnyConnect VPN on an ASA at our company, but there is a single problem. I connected the ASA to LDAP and created a single group for VPN users. At VPN authentication time, ALL domain users pass authentication in AnyConnect with their AD user. But I want only members of the single CN=VPN Users group to be able to connect to the AnyConnect VPN.

Thanks.

ldap attribute-map eManat-Attribute
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN Users,OU=VPN,DC=modenis,DC=local

aaa-server AD protocol ldap
 ldap-base-dn DC=xxx,DC=local
 ldap-group-base-dn CN=VPN Users,OU=VPN,DC=xxx,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap@xxx.local
 ldap-attribute-map Attributename

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool GP-IT-Infrastructure
 authentication-server-group AD
 default-group-policy Employees
tunnel-group Employees webvpn-attributes
 group-alias Employees enable

group-policy Employees internal
group-policy Employees attributes
 banner value Dear Employees, Welcome to Corporate internal Network. Have a nice day!!!
 dns-server value 172.20.10.21 172.20.10.22
 vpn-tunnel-protocol ssl-client
 group-lock value Employees
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACCESS-ALL
 address-pools value GP-IT-Infrastructure

Accepted Solution

@Xayyam.Gojayev You need a NOACCESS group-policy that is applied to users when they are not a member of any of the LDAP groups. Refer to the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

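The following is a worked version of the deny-by-default pattern the accepted answer points to, added here as an example; it is not configuration from the thread or from Cisco's document. The map name LDAP-MAP, the policy name NOACCESS and the LDAP server address 172.20.10.21 are assumptions, and the DNs reuse the xxx placeholder from the question. The idea is that the tunnel group's default policy is one that permits zero sessions, so only users whose memberOf value is translated into the Employees policy by the attribute map get a working session.

```cisco
! Attribute map: translate the AD memberOf value into an ASA group-policy name.
! Members of CN=VPN Users receive the Employees policy; anyone else gets no match
! and falls through to the tunnel group's default policy.
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN Users,OU=VPN,DC=xxx,DC=local" Employees
!
! AAA server group (host address 172.20.10.21 is assumed for this example).
! The ldap-attribute-map line must use the exact name the map was defined with.
aaa-server AD protocol ldap
aaa-server AD (inside) host 172.20.10.21
 ldap-base-dn DC=xxx,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap@xxx.local
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! Deny-by-default policy: the AD password check still succeeds, but a limit of
! zero simultaneous logins means the session is refused unless the attribute map
! has selected a different policy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! The allowed policy keeps an explicit, non-zero session limit so it does not
! inherit a restrictive value from elsewhere.
group-policy Employees internal
group-policy Employees attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value GP-IT-Infrastructure
!
! The tunnel group's default is now NOACCESS instead of Employees.
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool GP-IT-Infrastructure
 authentication-server-group AD
 default-group-policy NOACCESS
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
```

To check the mapping before rolling it out, run `test aaa-server authentication AD host 172.20.10.21 username <user> password <password>` for one member and one non-member while `debug ldap 255` is enabled; the debug output shows the memberOf values returned by AD and which group-policy, if any, the map assigned. Two caveats worth keeping in mind: the memberOf attribute lists only direct group membership, so a user who reaches VPN Users through a nested group will not match and will land in NOACCESS; and a rejected non-member still had a valid password accepted by AD, so the deny shows up on the ASA as a session refused for policy reasons rather than as a failed credential.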

3 Replies


Hi @Rob Ingram, thanks for this solution. It works.
