FMC RA VPN LDAP Attribute mapping

Hi to all, I configured RA VPN on FMC with 2 different access groups: the first is VPN for Users and the second one is for Administrators. I configured LDAP attribute mapping from the manuals, but it is not working. I have two groups in my Active Directory, VPN for Users and VPN for Administrators, but it seems that FMC is not checking group membership at all; I can connect to both access groups even if I am not a member of any group.

The Distinguished Name is directly copied from Active Directory.



Share below

Debug ldap 255

Show running 

MHM


Make the default group policy NoAccess instead of using VPN-for-admin:

default-group-policy VPN_for_Admininstrators 

And double check the LDAP memberOf for each user.

Note:- one user can not be in two different groups.

MHM

how to make default group policy from Web?

@sherali mamatkarimov you are connecting to the tunnel-group/connection profile "VPN_for_Users". That has the default group policy of "VPN_for_Users" which allows VPN connections (vpn-simultaneous-logins 3)

tunnel-group VPN_for_Users general-attributes
 address-pool Remote_VPN_Pool
 authentication-server-group AD-mda_new
 default-group-policy VPN_for_Users

You need to set the NoAccess policy (via the FMC) which does not permit any vpn user connections (vpn-simultaneous-logins 0) as the default group policy, then when a user connects that is not a member of either group they will be denied access.

So the configuration should look like this:-

tunnel-group VPN_for_Users general-attributes
 default-group-policy NoAccess
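As an added example (not from this thread or from Cisco's documentation), this is the ASA/FTD CLI equivalent of the setup described above: a single connection profile whose default group policy is NoAccess, with an LDAP attribute map that assigns the real group policy from the user's memberOf value. The LDAP server address, base DN, service account and the two group DNs are placeholders; the object names AD-mda_new, Remote_VPN_Pool, VPN_for_Users, VPN_for_Administrators and NoAccess are taken from the thread.

```cisco
! Map the AD memberOf attribute to the Cisco Group-Policy attribute.
! Each map-value pairs one group DN (placeholder) with one group policy.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN for Users,OU=Groups,DC=example,DC=com" VPN_for_Users
 map-value memberOf "CN=VPN for Administrators,OU=Groups,DC=example,DC=com" VPN_for_Administrators

! LDAP server object; the attribute map is attached here, so it applies to
! every connection profile that authenticates against AD-mda_new.
aaa-server AD-mda_new protocol ldap
aaa-server AD-mda_new (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Deny-by-default policy: a user who matches no map-value lands here and
! cannot establish a session (zero simultaneous logins).
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

group-policy VPN_for_Users internal
group-policy VPN_for_Users attributes
 vpn-simultaneous-logins 3

group-policy VPN_for_Administrators internal
group-policy VPN_for_Administrators attributes
 vpn-simultaneous-logins 3

! One connection profile for everyone; membership, not profile choice,
! decides the policy. The default must be NoAccess, otherwise a user in
! neither AD group inherits a permissive policy.
tunnel-group VPN_for_Users general-attributes
 address-pool Remote_VPN_Pool
 authentication-server-group AD-mda_new
 default-group-policy NoAccess
```

To confirm the mapping took effect, check the Group Policy column of "show vpn-sessiondb anyconnect" for a test user from each AD group and for a user in neither; "debug ldap 255" shows which memberOf values were returned and which map-value matched. Keep the two AD groups mutually exclusive, since a user in both will be assigned only one of the policies.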

 

I understand, but how do I set the default group policy from the FMC web UI?

@sherali mamatkarimov edit the Connection Profile the users connect to and specify the group policy as "NoAccess".


But I have 3 Connection Profiles; how can I choose one of them as the default?

 

@sherali mamatkarimov you only need one connection profile all users connect to, it's the LDAP mapping that will assign the users to the different group policies.

Friend, Cisco makes it complex; let me explain.

AnyConnect can connect to FTD using one connection profile (tunnel-group in ASA) and then use an LDAP map to map each user to its group-policy.

OR

Using multiple connection profiles (using group URL alias), and hence each connection profile has its default group policy; no need for LDAP mapping here.

Note:- the second case needs group-lock.

MHM

VPN > Remote Access > Connection Profile (select profile) > Advanced > Group Policy > Edit > select NoAccess

MHM

@Rob Ingram @MHM Cisco World I deleted the other connection profiles except NoAccess; now it seems to be working, thanks.