Cisco ASA LDAP authentication with openldap and groups


I'm trying to set up my Cisco ASA 5505 to authenticate against an OpenLDAP server. My OpenLDAP version:

@(#) $OpenLDAP: slapd 2.4.9 (Sep  9 2009 11:22:34) $

I have an LDAP group that I want to use to restrict access for the VPN connections.

ldap-server:~> ldapsearch -x cn=vpn member
# extended LDIF
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=vpn
# requesting: member

# vpn, Group,
dn: cn=vpn,ou=Group,dc=example,dc=com
member: uid=vpnuser,ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Authenticating with a user's LDAP username and password is working fine.

I've hit Google pretty hard but can't seem to find a simple answer.  It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.

Any help is much appreciated.  Thanks!

6 Replies

Yudong Wu
Rising star

Here is a good example for you.

"debug ldap 255" is very helpful to troubleshoot it.

This page is inaccessible to me.

PDF attached

The solution proposed by Carl Davis worked for me pretty well! I had LDAP authentication working, but I wanted to allow only users in the "vpn" group to login. I set up two LDAP entries, one for authentication and a second one for authorization.



Greetings, not to bring up a post from WAAAYY back, but this post kept cropping up when I was trying to do the same thing. I seem to have been able to get it to work. I wanted to respond to this in case others find the post and it helps them. This is for ASA version 8.2(2)12.

Essentially, what I did was add a secondary Authorization group that only authorizes the user.  I believe these are the relevant sections:

[This authenticates the user against the Mac OS LDAP server]

aaa-server xServe protocol ldap
aaa-server xServe (inside) host IRxServeIntel
 ldap-base-dn cn=users,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap

[This authorizes the user against a group, in my case VPN]

aaa-server xServeGroup protocol ldap
aaa-server xServeGroup (inside) host IRxServeIntel
 ldap-base-dn cn=vpn,cn=groups,dc=server1,dc=yourserver,dc=com
 ldap-scope subtree
 ldap-naming-attribute memberUid
 server-type openldap

Further down for the tunnel group I have this:

tunnel-group SSL-VPN general-attributes
 address-pool SSL-VPN
 authentication-server-group xServe
 authorization-server-group xServeGroup
 default-group-policy SSL-VPN
 username-from-certificate use-entire-name
I hope that makes sense of what I did and, if it does, that it helps others who might be in the same situation.

I'll have to check this out at some point.  I ended up using a RADIUS server.

aaa-server FreeRadius protocol radius
aaa-server FreeRadius (inside) host
 key *****
 authentication-port 1812

tunnel-group VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group FreeRadius
 default-group-policy VPN

RADIUS configuration:

# ldap module settings
server = "ldap.your.domain"
basedn = "dc=example,dc=com"
groupname_attribute = cn
# match only the groupOfNames named vpn whose member attribute holds the
# authenticated user's DN (parentheses balanced so the filter parses)
groupmembership_filter = "(&(objectClass=GroupOfNames)(cn=vpn)(member=%{control:Ldap-UserDn}))"
groupmembership_attribute = radiusGroupName

# authorize section
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

# authenticate section
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
    ldap
}