Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2854
Views
0
Helpful
7
Replies

ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

Go to solution
Matus Kozak
Level 4
Level 4

‎05-31-2013 12:22 PM

Hello,

i have configured LDAP authentication on ASA for VPN users. In MS AD I have a group named "VPN_Users" but it's CN.

ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local

The path identified in AD shows:

DN:        CN=VPN_Users,OU=users,DC=company,DC=local

I want allow only users which are in mentioned group. But it does not work. It seems that "CN=VPN_Users" is not a accepted like group but it is.

Any idea? or experience? Its IOS bug or what.

thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-02-2013 01:08 AM

HI Matus,

This is what you need.

Configuration for restricting access to a particular windows group on AD

ldap attribute-map LDAP-MAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local <Group Policy Name>

!

! ---Group-Policy-Name should be group-policy that you configured on ASA---

!

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn DC=company,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

!

!

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

!

!

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

!

!

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

Just in case, it doesn't work for you. Get the following information:

Turn on the "debug ldap 255" on the ASA and Connect with a user account who belongs to VPN-Users group

1.] Show run ldap

2.] Show run aaa-server

3.] show run tunnel-group

4.] Show run group-policy

OR

You can provide the SH RUN from the ASA.

Jatin Katyal
- Do rate helpful posts

~Jatin

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-02-2013 01:08 AM

HI Matus,

This is what you need.

Configuration for restricting access to a particular windows group on AD

ldap attribute-map LDAP-MAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local <Group Policy Name>

!

! ---Group-Policy-Name should be group-policy that you configured on ASA---

!

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn DC=company,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap-attribute-map LDAP-MAP

!

!

group-policy internal

group-policy attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec ...

address-pools value

!

!

group-policy noaccess internal

group-policy noaccess attributes

vpn-simultaneous-logins 1

address-pools none

!

!

tunnel-group type remote-access

tunnel-group general-attributes

authentication-server-group LDAP-AD

default-group-policy noaccess

Just in case, it doesn't work for you. Get the following information:

Turn on the "debug ldap 255" on the ASA and Connect with a user account who belongs to VPN-Users group

1.] Show run ldap

2.] Show run aaa-server

3.] show run tunnel-group

4.] Show run group-policy

OR

You can provide the SH RUN from the ASA.

Jatin Katyal
- Do rate helpful posts

~Jatin
0 Helpful

Go to solution
Matus Kozak
Level 4
Level 4
In response to Jatin Katyal

‎06-03-2013 05:59 AM

Hi Jatin,

thanks for reply and help. I tried your config before I posted the question here, but I forgot group-policy "noaccess".

In your solution in GP noaccess is "vpn-simultaneous-logins 1". there hould be "0" i think.

I will test it deeper later today.

matus

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Matus Kozak

‎06-03-2013 06:07 AM

Hi Matus,

yes, it should be 0. sorry for the typo.

because we don't want to assign any session to the end user.

Jatin Katyal

- Do rate helpful posts -

~Jatin
0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Jatin Katyal

‎06-04-2013 02:39 AM

Were you able to restrict the access in your last test? did you come across any other issue?

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

Go to solution
Matus Kozak
Level 4
Level 4
In response to Jatin Katyal

‎06-04-2013 04:37 AM

I'm waiting for MS AD administrator to test. Because a lot of  AD groups etc. And I want to test how it will work when users will move to another group in AD tree, how AD path will be changed etc.

Matus K.

0 Helpful

Go to solution
Matus Kozak
Level 4
Level 4
In response to Jatin Katyal

‎06-05-2013 07:03 AM

Hello Jatin,

so finaly I was able to restrict the access to mentioned group and users which are not in the group are not able to connect. So it looks good. I have no other issues for now. Thanks.

Matus

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Matus Kozak

‎06-05-2013 07:07 AM

It would be good if you mark this thread stands resolved so that other's can take benefits out of it.

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents