
Clientless SSL authentication with LDAP

Hello

I'm not clear about 2 things with SSL VPN and Active Directory.

1. Attribute Values & Names

I configured clientless SSL VPN. It is working fine with LOCAL authentication on ASA 8.4.

I created an LDAP (Active Directory) server. I tested and passed the connection with the AD server.

For the attribute name I use memberOf (LDAP name) and Group-Policy (replaces IETF-Radius-Class) for the Cisco name.

But I'm not sure about the LDAP map. I don't know which value is correct for "Mapping of Attribute Value":

CN=XXXXXXX,,DC=XXXXX,DC=COM for LDAP Attribute

For the Cisco value I use the group policy name.

In the connection profile's authentication method, I specify the AD server I created and tested.

2. Selecting the LDAP authentication method

When accessing the SSL VPN portal I tried to authenticate with an Active Directory user (which is different from the LOCAL user) and I receive:

"3 Dec 26 2011 12:21:08 113015 AAA user authentication Rejected : reason = Invalid password : local database : user = XXXXXX"

The authentication is still local even though I selected the LDAP server.

Thanks

2 Replies

Marvin Rhoads
Hall of Fame

Your problem sounds very similar to one addressed in the recent Ask The Expert thread. Please have a look at the first issue posted in that thread here. Hope this helps.

Thanks!

I tried and it is working.

For problem no. 2, it was a line in the tunnel-group with the local server. This line does not appear in ASDM.

I will test with the VPN groups, but I think that it will work.
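Putting the two problems in this thread together, here is an added example ASA 8.4 configuration (not taken from the original posts or from the Ask The Expert thread) that maps an AD group to a group policy through an LDAP attribute map and points the connection profile at the LDAP server instead of the local database. The server group name AD, the address 192.0.2.10, the domain example.com, the bind account svc-asa, the group VPN-Users, and the policy names GP-VPN-USERS and NOACCESS are placeholders.

```text
! Added example, not from the original posts. Placeholders: AD, 192.0.2.10,
! DC=example,DC=com, svc-asa, VPN-Users, GP-VPN-USERS, NOACCESS, SSL-VPN.

! 1. Attribute map: memberOf on the AD side -> Group-Policy on the ASA side.
!    The map-value string is the full DN of the group exactly as AD returns it
!    in the user's memberOf attribute (CN of the group, its OU path, then the
!    domain components). The Cisco value is the name of an existing group-policy.
ldap attribute-map AD-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS

! 2. LDAP server group that uses the map.
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map AD-MAP

! 3. Group policies: one for mapped users, one that denies everyone else.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
  vpn-tunnel-protocol ssl-clientless
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! 4. Connection profile (tunnel-group). This is the line behind problem 2:
!    while it still reads "authentication-server-group LOCAL" the portal keeps
!    checking the local database and logs %ASA-6-113015 as in the question.
tunnel-group SSL-VPN general-attributes
  authentication-server-group AD
  default-group-policy NOACCESS

! Checks from the CLI before touching the portal (replace the credentials):
! test aaa-server authentication AD host 192.0.2.10 username jdoe password ****
! debug ldap 255   <- shows the memberOf values returned and which map-value matched
```

Two points worth checking against this. First, the DN in map-value has to match the memberOf value character for character; a DN with an empty component (a doubled comma, for instance) or a different OU path never matches, and the user silently lands in the tunnel-group's default-group-policy. Setting that default to a policy with vpn-simultaneous-logins 0 turns "no match" into "no access" instead of into whatever the default policy happens to allow. Second, memberOf is multi-valued and the map applies one Group-Policy per login, so keep the groups you map disjoint rather than relying on which of several matching values the ASA picks. In ASDM these are the same objects: the "Mapping of Attribute Value" LDAP column is the group DN and the Cisco column is the group-policy name, while the authentication-server-group line lives under the connection profile's authentication method.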