ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

Matus Kozak
Enthusiast

Hello,

I have configured LDAP authentication on the ASA for VPN users. In MS AD I have a group named "VPN_Users", but it's a CN.

ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local

The path identified in AD shows:

DN:        CN=VPN_Users,OU=users,DC=company,DC=local

I want to allow only users who are in the mentioned group, but it does not work. It seems that "CN=VPN_Users" is not accepted as a group, but it is one.

Any idea or experience? Is it an IOS bug or what?

Thanks.

Accepted Solution

Jatin Katyal
Cisco Employee

Hi Matus,

This is what you need.

Configuration for restricting access to a particular Windows group on AD (the values in angle brackets are placeholders for your own names and addresses):

ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local <Group Policy Name>
!
! ---<Group Policy Name> should be the group-policy that you configured on the ASA---
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <AD server IP or name>
 server-port 389
 ldap-base-dn DC=company,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <bind account DN>
 ldap-login-password <bind account password>
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
group-policy <Group Policy Name> internal
group-policy <Group Policy Name> attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value <pool name>
!
! ---Users whose memberOf does not match any map-value fall back to the tunnel-group default
! group-policy; 0 simultaneous logins means they cannot connect at all---
!
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none
!
tunnel-group <tunnel-group name> type remote-access
tunnel-group <tunnel-group name> general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess

Just in case it doesn't work for you, get the following information:

Turn on "debug ldap 255" on the ASA and connect with a user account that belongs to the VPN_Users group, then collect:

1.] show run ldap
2.] show run aaa-server
3.] show run tunnel-group
4.] show run group-policy

OR

You can provide the "show run" from the ASA.

Jatin Katyal
- Do rate helpful posts

~Jatin

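The accepted solution relies on two things the thread states but does not walk through: the ASA first has to find the user object by searching for its sAMAccountName under ldap-base-dn (so a base DN pointing at the group object, as in the question, finds no user at all), and only then compares the user's memberOf values against the map-value entries, falling back to the tunnel-group's default-group-policy when nothing matches. The following simulation of that decision is an added example written for this page; it is not Cisco code and not code from the thread. The group-policy name VPN-GP, the user accounts, the nested group Nested_Admins and the helper names are invented, and the case-insensitive DN comparison is an assumption of the simulation (check the real ASA's behaviour in "debug ldap 255" output). It also shows one caveat a practitioner should know: AD's memberOf lists direct group membership only, so a user who is in VPN_Users only through a nested group does not match the map-value.

```python
"""Simulation of how an ASA maps an LDAP-authenticated VPN user to a
group-policy via 'ldap attribute-map'. Added example, not Cisco code and
not code from the thread; DNs, users and policy names are constructed."""

import re
from typing import Dict, Optional

# Constructed ASA fragments in the shape the thread uses. VPN-GP is an
# assumed group-policy name (the thread leaves it as a placeholder).
ATTRIBUTE_MAP = """
ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local VPN-GP
"""
BASE_DN_WRONG = "CN=VPN_Users,OU=users,DC=company,DC=local"  # group DN, as in the question
BASE_DN_RIGHT = "DC=company,DC=local"                        # search base, as in the answer
DEFAULT_GROUP_POLICY = "noaccess"                            # tunnel-group default-group-policy
SIMULTANEOUS_LOGINS = {"VPN-GP": 3, "noaccess": 0}           # vpn-simultaneous-logins per policy

# Constructed directory entries. memberOf holds *direct* memberships only,
# which is how AD populates the attribute; nested groups are not expanded.
DIRECTORY = {
    "alice": {"dn": "CN=Alice,OU=users,DC=company,DC=local",
              "memberOf": ["cn=vpn_users, ou=users, dc=company, dc=local",  # odd case/spacing
                           "CN=Domain Users,CN=Users,DC=company,DC=local"]},
    "bob":   {"dn": "CN=Bob,OU=users,DC=company,DC=local",
              "memberOf": ["CN=Domain Users,CN=Users,DC=company,DC=local"]},
    "carol": {"dn": "CN=Carol,OU=contractors,DC=company,DC=local",
              # Nested_Admins is assumed to be a member of VPN_Users; carol is
              # therefore only an indirect member and memberOf does not show it.
              "memberOf": ["CN=Nested_Admins,OU=users,DC=company,DC=local"]},
}


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so that
    'cn=vpn_users, ou=users' and 'CN=VPN_Users,OU=users' compare equal.
    Assumption of this simulation, not a documented ASA guarantee."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_search_base(entry_dn: str, base_dn: str) -> bool:
    """Subtree search semantics ('ldap-scope subtree'): an entry is only
    found if its DN is the base DN or lies beneath it."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)


def parse_attribute_map(text: str) -> Dict[str, str]:
    """Turn 'map-value <attr> <ldap-value> <cisco-value>' lines into
    {normalized_ldap_value: cisco_value}. The LDAP value may itself contain
    spaces, so the Cisco value is taken as the final token on the line."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*map-value\s+(\S+)\s+(.+)\s+(\S+)\s*$", line)
        if m:
            mapping[normalize_dn(m.group(2))] = m.group(3)
    return mapping


def resolve_group_policy(username: str, base_dn: str, mapping: Dict[str, str]) -> Optional[str]:
    """Return the group-policy the ASA would apply, or None when the user
    cannot be located under the configured ldap-base-dn at all."""
    user = DIRECTORY.get(username)
    if user is None or not in_search_base(user["dn"], base_dn):
        return None  # (sAMAccountName=<user>) under base_dn returns nothing: auth fails
    for group in user["memberOf"]:
        policy = mapping.get(normalize_dn(group))
        if policy is not None:
            return policy
    return DEFAULT_GROUP_POLICY


def vpn_allowed(username: str, base_dn: str, mapping: Dict[str, str]) -> bool:
    """A session is established only if a policy applies and it permits
    at least one login; 'vpn-simultaneous-logins 0' on noaccess denies."""
    policy = resolve_group_policy(username, base_dn, mapping)
    return policy is not None and SIMULTANEOUS_LOGINS.get(policy, 0) > 0


if __name__ == "__main__":
    mapping = parse_attribute_map(ATTRIBUTE_MAP)
    for base in (BASE_DN_WRONG, BASE_DN_RIGHT):
        print(f"ldap-base-dn {base}")
        for user in DIRECTORY:
            print(f"  {user:6} policy={resolve_group_policy(user, base, mapping)!s:9} "
                  f"allowed={vpn_allowed(user, base, mapping)}")
```

Running it shows that with the group DN as base nobody is found, and with the domain as base only alice gets VPN-GP; bob lands on noaccess, and so does carol despite her nested membership, which is why the map-value must name a group the user is a direct member of (or the group must be flattened in AD).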

7 Replies


Hi Jatin,

Thanks for the reply and help. I tried your config before I posted the question here, but I forgot the group-policy "noaccess".

In your solution the GP noaccess has "vpn-simultaneous-logins 1". There should be "0", I think.

I will test it deeper later today.

Matus

Hi Matus,

Yes, it should be 0. Sorry for the typo.

We don't want to assign any session to those end users.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Were you able to restrict the access in your last test? Did you come across any other issue?

Jatin Katyal
- Do rate helpful posts -

~Jatin

I'm waiting for the MS AD administrator to test, because there are a lot of AD groups etc. And I want to test how it will work when users are moved to another group in the AD tree, how the AD path will change, etc.

Matus K.

Hello Jatin,

So finally I was able to restrict the access to the mentioned group, and users who are not in the group are not able to connect. So it looks good. I have no other issues for now. Thanks.

Matus

It would be good if you mark this thread as resolved so that others can benefit from it.

Jatin Katyal
- Do rate helpful posts -

~Jatin