10-03-2012 08:29 AM
Salutations everyone.
I'm in the throes of configuring my 5520 to supply different group policies based on LDAP group membership. I'm finding that no matter what I do only the default group is applied. I'm sure it'll be a simple fix - but I just can't see it. I've pasted the relevant parts of the configuration below.
Any help would be very much appreciated.
Regards,
Rob
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_IT,OU=VPN Groups,OU=Remote Accounts,OU=**********,DC=****,DC=org" NoAccess
map-value memberOf "CN=VPN_Users,OU=VPN Groups,OU=Remote Accounts,OU=****,DC=****,DC=org" Users
aaa-server LDAP protocol ldap
aaa-server LDAP (Inisde) host 192.168.xxx.x
 server-port 636
 ldap-base-dn DC=*****,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=*********,OU=Service Accounts,DC=****,DC=org
 ldap-over-ssl enable
 server-type microsoft
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
 webvpn
  svc ask none default svc
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value vpnpool168
 webvpn
  svc ask enable
group-policy Users internal
group-policy Users attributes
 wins-server value 192.168.155.4 172.16.155.4
 dns-server value 192.168.155.4 172.16.155.4
 vpn-simultaneous-logins 200
 vpn-tunnel-protocol svc
 default-domain value clientvpn.uk.naafi.org
 split-dns value naafi.org naafi.co.uk
 webvpn
  svc modules value vpngina
  svc ask none default svc
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool168
 authentication-server-group LDAP LOCAL
 default-group-policy NoAccess
10-03-2012 08:32 AM
I should also add that:
ciscoasa# test aaa authorization LDAP host *********
Username: robsmith
INFO: Attempting Authorization test to IP address <*******> (timeout: 12 seconds)
INFO: Authorization Successful
So I'm pretty sure authentication and authorisation are taking place:
ciscoasa# test aaa authentication LDAP host ***********
Username: robsmith
Password: **********
INFO: Attempting Authentication test to IP address <***********> (timeout: 12 seconds)
INFO: Authentication Successful
10-03-2012 08:36 AM
Oh, and:
By running 'debug ldap 255' and attempting a login I can see that my memberOf value is matched:
[292] memberOf: value = CN=VPN_Users,OU=VPN Groups,OU=Remote Accounts,OU=*****,DC=*****,DC=org
10-03-2012 01:58 PM
I don't see an LDAP attribute map assigned to your AAA LDAP configuration.
Within your "aaa-server LDAP" configuration section, you should have:
ldap-attribute-map
10-04-2012 01:57 AM
How on earth did I miss that?
Many thanks, Jennifer.