08-01-2012 04:24 AM
Hi,
I try to map LDAP Group to ASA Group policy following documentation:
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
Does anybody have experience with this feature on newer ASA versions?
Regards,
Axel
08-02-2012 01:43 PM
Can you share your running configuration with us?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-06-2012 02:44 AM
04-12-2013 12:37 AM
Hi,
I observe the same behavior on 8.2.5.
Did you find any solution?
Thanks & regards,
Pavel
06-28-2013 08:35 AM
Spent a few hours poking around before I finally found the answer. Hopefully this will help someone out in the future. The resolution is that you must explicitly define a "vpn-simultaneous-logins" attribute, or whatever other attributes are in the default GPnoAccess policy, otherwise it will take the attributes from the noAccess policy. See my config that is now working:
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN_Users internal
group-policy VPN_Users attributes
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ikev1 ssl-client
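
Added example, not part of any post in this thread: the full chain the thread discusses, from LDAP group membership to the mapped group policy, with the deny-by-default policy on the tunnel group. The names LDAP_MAP, LDAP_SRV and RA_VPN, the address 192.0.2.10 and the directory DN are constructed placeholders; the remaining LDAP server settings (base DN, bind credentials) are omitted.

```cisco
! Map the AD memberOf value to an ASA group policy name.
! Group-Policy is the map target on newer releases; the 8.0-era
! documentation uses IETF-Radius-Class in the same position.
ldap attribute-map LDAP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Users,OU=Groups,DC=example,DC=com" VPN_Users
!
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 192.0.2.10
 ldap-attribute-map LDAP_MAP
!
! Default policy for the tunnel group: users with no mapped LDAP
! group land here and cannot log in.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
!
! Mapped policy: any attribute left unset here is inherited from the
! tunnel group's default policy (NOACCESS), so the login limit must
! be set explicitly or the inherited value 0 still blocks the user.
group-policy VPN_Users internal
group-policy VPN_Users attributes
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ikev1 ssl-client
!
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy NOACCESS
```

With this layout the two "AAA retrieved ..." log lines quoted in the first post are expected: both policies are fetched, and the default policy only supplies values the mapped policy leaves unset.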