Attribute Mapping not taking affect

SirRobSmith
Level 1

Salutations everyone.

I'm in the throes of configuring my 5520 to supply different group policies based on LDAP group membership. I'm finding that no matter what I do only the default group is applied. I'm sure it'll be a simple fix - but I just can't see it. I've pasted the relevant parts of the configuration below.

Any help would be very much appreciated.

Regards,

Rob

  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN_IT,OU=VPN Groups,OU=Remote Accounts,OU=**********,DC=****,DC=org" NoAccess
  map-value memberOf "CN=VPN_Users,OU=VPN Groups,OU=Remote Accounts,OU=****,DC=****,DC=org" Users
aaa-server LDAP protocol ldap
aaa-server LDAP (Inisde) host 192.168.xxx.x
 server-port 636
 ldap-base-dn DC=*****,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=*********,OU=Service Accounts,DC=****,DC=org
 ldap-over-ssl enable
 server-type microsoft
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
 webvpn
  svc ask none default svc
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value vpnpool168
 webvpn
  svc ask enable
group-policy Users internal
group-policy Users attributes
 wins-server value 192.168.155.4 172.16.155.4
 dns-server value 192.168.155.4 172.16.155.4
 vpn-simultaneous-logins 200
 vpn-tunnel-protocol svc
 default-domain value clientvpn.uk.naafi.org
 split-dns value naafi.org naafi.co.uk
 webvpn
  svc modules value vpngina
  svc ask none default svc
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool168
 authentication-server-group LDAP LOCAL
 default-group-policy NoAccess

Accepted Solution

I don't see an LDAP attribute map assigned to your AAA LDAP configuration.

Within your "aaa-server LDAP" configuration section, you should have:

ldap-attribute-map

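As an added illustration (not the original poster's or the answerer's own configuration), the posted setup is shown with the missing binding that the accepted solution points out. The map name LDAP-GROUP-MAP, the interface name, the address 192.0.2.10 and the example.org DNs are placeholders standing in for the masked values in the post.

```cisco
! Before: the attribute map is defined, but no aaa-server host entry
! references it, so the ASA never consults it and every authenticated
! user falls through to default-group-policy.
! (map name below is a placeholder; the original post omitted the header line)
ldap attribute-map LDAP-GROUP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN_IT,OU=VPN Groups,OU=Remote Accounts,OU=EXAMPLE,DC=example,DC=org" NoAccess
  map-value memberOf "CN=VPN_Users,OU=VPN Groups,OU=Remote Accounts,OU=EXAMPLE,DC=example,DC=org" Users
!
aaa-server LDAP protocol ldap
! placeholder interface name and address
aaa-server LDAP (Inside) host 192.0.2.10
  server-port 636
  ldap-over-ssl enable
  ldap-base-dn DC=example,DC=org
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ! placeholder bind account
  ldap-login-dn CN=svc-vpn-ldap,OU=Service Accounts,DC=example,DC=org
  ldap-login-password PLACEHOLDER
  server-type microsoft
  ! missing here: ldap-attribute-map <name>
!
! After: bind the map to the server host entry. This is the one line the
! accepted solution says was absent.
aaa-server LDAP (Inside) host 192.0.2.10
  ldap-attribute-map LDAP-GROUP-MAP
!
! Fail-closed default, kept as in the original post: a user whose memberOf
! matches no map-value still lands in NoAccess (vpn-simultaneous-logins 0)
! rather than silently receiving a permissive policy.
tunnel-group DefaultWEBVPNGroup general-attributes
  authentication-server-group LDAP LOCAL
  default-group-policy NoAccess
```

The map-value string must equal the full DN that the directory returns; the `debug ldap 255` line quoted later in this thread shows the exact memberOf value to copy, and `test aaa-server authorization` will confirm which group policy the mapped value resolves to.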

4 Replies

SirRobSmith
Level 1

I should also add that:

ciscoasa# test aaa authorization LDAP host *********
Username: robsmith
INFO: Attempting Authorization test to IP address <*******> (timeout: 12 seconds)
INFO: Authorization Successful

So I'm pretty sure authentication and authorisation are taking place:

ciscoasa# test aaa authentication LDAP host ***********
Username: robsmith
Password: **********
INFO: Attempting Authentication test to IP address <***********> (timeout: 12 seconds)
INFO: Authentication Successful

Oh, and:

By running 'debug ldap 255' and attempting a login I can see that my memberOf value is matched:

[292]   memberOf: value = CN=VPN_Users,OU=VPN Groups,OU=Remote Accounts,OU=*****,DC=*****,DC=org

How on earth did I miss that?

Many thanks, Jennifer.