385 Views | 5 Helpful | 3 Replies
Alex Ribas
Beginner

LDAP Attribute Maps Configuration Cisco ASA

Hi All

I tried the attribute-map recommended below by Cisco and it is still not working.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc7


The goal is:

To force users from group GRP_MES_TEST to log in to the AnyConnect VPN client in their own GROUP, even though they can see the other GROUPs in the AnyConnect VPN client.


Any clue?


! Attribute map: memberOf DN -> ASA group-policy name
ldap attribute-map VPN_MES
 map-name memberOf Group-Policy
 map-value memberOf CN=GRP_MES_TEST,OU=Groups,DC=mycompany,DC=com,DC=au GRP_MES_TEST

! LDAP server (LDAPS on 636) with the attribute map attached
aaa-server SRV_LDAP (inside) host 1.1.1.1
 server-port 636
 ldap-base-dn DC=mycompany,DC=com,DC=au
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=mycompany,DC=com,DC=au
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map VPN_MES


Thank you.

Alex

3 REPLIES
Rob Ingram
VIP Mentor

@Alex Ribas 

Is the group name syntax correct? It is case sensitive, so the configuration needs to be exact.

Can you turn on debugs ("debug ldap 255"), test, and provide the output for review?

Hi Rob

I checked the names with the Microsoft team; they are all correct.

Any clue so far?

Thank you

Alex

Marvin Rhoads
VIP Community Legend

In the "debug ldap 255" output you should see a listing of the memberOf mappings that happen when a user authenticates. Watch for multiple group mappings; this can cause unexpected results when using that as the criterion for mapping a user to a connection profile.