FTD LDAP Attribute Map

mumbles202
Level 5

Rolling out a 2110 on a FMC, both running 6.5 and followed this document:


https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html


And while I can assign the FlexConfig policy to the unit and deploy it, on subsequent deploys I have to unassign it, deploy, and then re-assign and deploy. If I don't, I get an error:

FMC >> no strong-encryption-disable
FMC >> vpn-addr-assign local reuse-delay 0
FMC >> crypto isakmp nat-traversal
FMC >> no aaa-server MYDC host 172.16.25.101
FMC >> aaa-server MYDC host 172.16.25.101
FMC >> ldap-attribute-map MYMAP
FTD01-Mgmt >> error : ERROR: mapping-table-name MYMAP does not exist
Config Error -- ldap-attribute-map MYMAP


I didn't pull the detailed troubleshoot file or grab the logs from messages, which I can if need be. I recall in the past having to use lda-attribute-map (no p in ldap) instead of ldap-attribute-map in the configuration. Or do I just need to remove the attribute-map and re-add it each time it's deployed (include a no ldap attribute-map <LDAP_Map_for_VPN_Access> that comes before the attribute-map name)?


Francesco Molino
VIP Alumni
Hi

Can you share the config of your flexconfig please?
Also, can you connect to your FTD in the CLI, type system support diag and do a sh run to see if the ldap attribute-map exists?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the reply. I'll have to grab the flex configuration, but all it includes are the attribute map and the aaa server as listed in the link. Each is set per the page with respect to how often it deploys as well as whether to prepend/append, etc.


Also, if I go to advanced troubleshooting and do a show run, I do see the settings correctly. I can go to the appliance directly, though, and pull it as well.

Here are my FlexConfig Objects:


LDAPattributeMAP (Deployment set to Once and Prepend)


ldap attribute-map MYMAP
map-name memberOf Group-Policy
map-value memberOf "ou=vpn_users,ou=security groups,dc=mydomain,dc=local" vpn_user
map-value memberOf "ou=limited_access,ou=security groups,dc=mydomain,dc=local" limited_access


AAAserverLDAPmapping (Deployment set to Everytime and Append)

aaa-server MYDC1 host 172.16.25.101
ldap-attribute-map MYMAP
aaa-server MYDC2 host 172.16.25.102
ldap-attribute-map MYMAP
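As an added pre-deploy check (not part of this thread or of Cisco's tooling), the script below models the deployment order the two FlexConfig objects above would produce: prepend objects are sent before append objects, and an object set to "Once" is only sent on the first deployment. It assumes, consistent with the "mapping-table-name MYMAP does not exist" error posted above, that an ldap-attribute-map reference is satisfied only by an ldap attribute-map definition sent earlier in the same deployment; the object names, field names and that modelling rule are this example's assumptions, not confirmed FMC behaviour.

```python
import re

# Constructed copy of the two FlexConfig objects posted in the thread.
# The "deploy"/"position" fields are this example's own representation.
FLEXCONFIG_OBJECTS = [
    {"name": "LDAPattributeMAP", "deploy": "once", "position": "prepend", "lines": [
        'ldap attribute-map MYMAP',
        'map-name memberOf Group-Policy',
        'map-value memberOf "ou=vpn_users,ou=security groups,dc=mydomain,dc=local" vpn_user',
        'map-value memberOf "ou=limited_access,ou=security groups,dc=mydomain,dc=local" limited_access',
    ]},
    {"name": "AAAserverLDAPmapping", "deploy": "everytime", "position": "append", "lines": [
        "aaa-server MYDC1 host 172.16.25.101",
        "ldap-attribute-map MYMAP",
        "aaa-server MYDC2 host 172.16.25.102",
        "ldap-attribute-map MYMAP",
    ]},
]

DEFINE = re.compile(r"^ldap attribute-map (\S+)$")      # creates a map
REFERENCE = re.compile(r"^ldap-attribute-map (\S+)$")   # binds a map to an aaa-server


def command_stream(objects, deploy_number):
    """Lines sent on a given deployment: prepend objects first, append objects
    last; objects set to 'once' are included only on the first deployment."""
    active = [o for o in objects if o["deploy"] == "everytime" or deploy_number == 1]
    prepend = [l for o in active if o["position"] == "prepend" for l in o["lines"]]
    append = [l for o in active if o["position"] == "append" for l in o["lines"]]
    return prepend + append


def dangling_map_references(objects, deploy_number):
    """Names used by 'ldap-attribute-map' that no 'ldap attribute-map' line
    defined earlier in the same deployment (assumed cause of the error)."""
    defined, dangling = set(), []
    for line in command_stream(objects, deploy_number):
        m = DEFINE.match(line.strip())
        if m:
            defined.add(m.group(1))
            continue
        m = REFERENCE.match(line.strip())
        if m and m.group(1) not in defined:
            dangling.append(m.group(1))
    return dangling


def with_deploy_mode(objects, name, mode):
    """Return a copy of the objects with one object's deploy mode changed."""
    return [dict(o, deploy=mode) if o["name"] == name else o for o in objects]
```

With the settings as posted, deployment 1 is clean and deployment 2 reports both MYMAP references as dangling; the same check passes on every deployment if the map object is also sent each time.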

Can you do it the following way, please:
- Remove these 2 Flexconfig policies.
- Add the Flexconfig ldap-attribute which is set for once.
- After deployment, remove this flexconfig and add the other (aaaldapmapping).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I can try this, but I noticed that when I tried to remove the ldap attribute map and just push the aaa configuration, I would get an error that the attribute map didn't exist. If I remove the FlexConfig policy from the unit, then deploy and then re-add the policy, it works. Or if I modify the attribute-map to include a new server, that works as well.

The goal is to deploy the policy setup with deployment once, remove it from your flexconfig and afterwards deploy the policy with deployment method (everytime).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok. So remove the FlexConfig policy and deploy. Then add the LDAPattributeMap back to the policy and deploy it. Then remove that from the policy, add the aaa server policy, deploy that, and leave the aaa server policy configuration there for all deployments.