
ASA 8.4 LDAP Group to ASA Group Policy mapping

Axel Maertens
Level 1

Hi,

I am trying to map an LDAP group to an ASA group policy, following the documentation:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

This is a config for ASA 8.0. I would have expected it to work on 8.4 as well, but I do run into problems. The mapping, as shown in the LDAP debug and ASA log, actually happens, but it is overwritten by the "GPnoAccess" group policy configured locally in the tunnel group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"?

ASA Log:

AAA retrieved user specific group policy (correct Policy) for user = XXX

AAA retrieved default group policy (GPnoAccess) for user = XXX

Does anybody have experience with this feature on newer ASA versions?

Regards,

Axel

4 Replies

Tarik Admani
VIP Alumni

Can you share your running configuration with us?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik

I attach a config snippet as well as some debug and logging excerpts.

Thanks and Regards,

Axel       

Hi,

I observe the same behavior on 8.2.5.

Did you find any solution?

Thanks & regards,

Pavel

Spent a few hours poking around before I finally found the answer. Hopefully this will help someone out in the future. The resolution is that you must explicitly define a "vpn-simultaneous-logins" attribute, or whatever other attributes are in the default GPnoAccess policy; otherwise it will take the attributes from the noAccess policy. See my config that is now working:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN_Users internal
group-policy VPN_Users attributes
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ikev1 ssl-client
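
A small audit for the behaviour described in the last reply, as an added example that is not code from the thread: it parses an ASA configuration and lists every attribute that an LDAP-mapped group policy leaves unset and would therefore take from the tunnel group's default policy. The sample configuration (the names LDAP_MAP and RA_VPN, the LDAP DN) is constructed, and the fall-through rule is the one the reply describes.

```python
import re

# Constructed sample config (not the thread's attachment): the LDAP-mapped
# policy VPN_Users omits vpn-simultaneous-logins, while NOACCESS sets it to 0.
SAMPLE = """\
ldap attribute-map LDAP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN,OU=Groups,DC=example,DC=com" VPN_Users
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN_Users internal
group-policy VPN_Users attributes
 vpn-tunnel-protocol ikev1 ssl-client
tunnel-group RA_VPN general-attributes
 default-group-policy NOACCESS
"""

def parse(config):
    """Return ({policy: {attr: value}}, LDAP-mapped policies, default policies)."""
    policies, mapped, defaults = {}, set(), set()
    current = None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            m = re.match(r"group-policy (\S+) attributes$", line.rstrip())
            current = policies.setdefault(m.group(1), {}) if m else None
        elif words[:1] == ["map-value"] and len(words) >= 4:
            mapped.add(words[-1])  # last token is the group policy name
        elif words[:1] == ["default-group-policy"] and len(words) == 2:
            defaults.add(words[1])
        elif words and current is not None:
            current[words[0]] = " ".join(words[1:])
    return policies, mapped, defaults

def inherited(config):
    """List (mapped_policy, default_policy, attr, value) fall-through cases."""
    policies, mapped, defaults = parse(config)
    return [(pol, dflt, attr, value)
            for pol in sorted(mapped)
            for dflt in sorted(defaults - {pol})
            for attr, value in sorted(policies.get(dflt, {}).items())
            if attr not in policies.get(pol, {})]

if __name__ == "__main__":
    for finding in inherited(SAMPLE):
        print("%s takes from %s: %s %s" % finding)
```

An empty result means every attribute set in the default policy is also set explicitly in each mapped policy, as in the working configuration above.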
