How to add LDAP with group settings

kraghupati
Level 1

I have created an OU=Company, under that OU another OU=VPNACCESS, and under that a group called VPN.

I want only users under this particular group (VPN) to authenticate. However, this is not happening. All users under OU=Company are able to authenticate.

My configurations are as below:

aaa-server TESTLDAP (inside) host X.X.X.X
 ldap-base-dn OU=Company,DC=Company,DC=AE
 ldap-group-base-dn CN=vpn,OU=vpnaccess,OU=Company,DC=Company,DC=AE
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=binduser,OU=vpnaccess,OU=Company,DC=Company,DC=AE
 server-type microsoft

Accepted Solution

Hi Karishma,

You can get this to work, however, in a slightly different way.

You can have the users from the VPN access group connect to a particular group.

In order to do this you need to use the LDAP attribute map.

Here is the link that you can follow

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

HTH!!

Regards

Raj Kumar

Please rate all helpful posts

7 Replies

Amjad Abdullah
VIP Alumni

This is not possible, unfortunately. You cannot use LDAP to specify user groups.

You can use it only to specify the root DN. Under the root DN that you specify, all users are allowed authentication.

You need to use the integration with AD rather than LDAP settings if you want to achieve classification based on user group.

What is the product that you use? ISE or ACS?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

I have configured AnyConnect VPN on an ASA5510 and want to allow only users under a certain group to authenticate from the AD server. Is there any way I can fix this?

Not with LDAP.

But you can try to move the thread to the firewall forums and ask there. They'll possibly provide better answers from ASA point of view.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Thanks. This is the document I was looking for.

Nice solution Raj. +5.

That is working with the firewall. But unfortunately other products (like the wireless controller, for example) do not have this luxury of mapping.

Rating useful replies is more useful than saying "Thank you"

Jatin Katyal
Cisco Employee

Karishma,

Raj provided you the right link. I have also helped many customers with this requirement.

Here is a thread that you can go through:

https://supportforums.cisco.com/thread/217888

NOTE: You have to use the distinguished name of the group to restrict access of users in the ldap attribute-map; an OU cannot be used.

In case you face any issues, send me the output of the following:

show run ldap

debug ldap 255

BR
Jatin Katyal

**Do rate helpful posts**
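As an added example that is not part of the original thread or of the Cisco document Raj linked, here is the attribute-map approach Raj and Jatin describe, written against the DNs from the question. The map name VPN-ACCESS-MAP, the group policies VPN-USERS and NOACCESS, and the tunnel group ANYCONNECT-TG are assumed names. The key point is that the LDAP bind still succeeds for every user under ldap-base-dn; the restriction comes from the tunnel group's default group policy, which denies logins unless the user's memberOf value is mapped to a group policy that allows them.

```text
! Added example (assumed names), not the original poster's config.
! Map the AD memberOf attribute to the ASA Group-Policy attribute and
! translate the VPN group's full DN (an OU will not match) into a policy.
ldap attribute-map VPN-ACCESS-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=vpn,OU=vpnaccess,OU=Company,DC=Company,DC=AE" VPN-USERS
!
! Same server as in the question, plus the attribute map. ldap-base-dn
! and ldap-scope subtree still let any user under OU=Company bind.
aaa-server TESTLDAP (inside) host X.X.X.X
 ldap-base-dn OU=Company,DC=Company,DC=AE
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=binduser,OU=vpnaccess,OU=Company,DC=Company,DC=AE
 server-type microsoft
 ldap-attribute-map VPN-ACCESS-MAP
!
! Default policy: zero simultaneous logins, so an authenticated user who
! is NOT in CN=vpn is still refused a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
!
! Policy assigned to members of CN=vpn by the attribute map.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group TESTLDAP
 default-group-policy NOACCESS
```

To check the mapping without a client, run `test aaa-server authentication TESTLDAP host X.X.X.X username <user> password <pass>` with `debug ldap 255` enabled, once for a member of CN=vpn and once for a non-member; the debug shows the memberOf values the server returned and which Group-Policy value the map produced. On ASA code older than 8.2 the map target is IETF-Radius-Class instead of Group-Policy. Two caveats: AD's memberOf lists only direct memberships, so a user placed in a group that is itself nested inside CN=vpn will not match and will land in NOACCESS; and if the user belongs to several mapped groups the ASA applies the first match, so map only the groups you actually want to grant.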