LDAP Attribute Maps Configuration Cisco ASA

Alex Ribas
Level 1

Hi all,

I tried the attribute map recommended by Cisco in the document below, and it is still not working.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc7

 

The goal is:

To force users from group GRP_MES_TEST to log in to the AnyConnect VPN client in their GROUP, even though they can see other GROUPs in the AnyConnect client.

 

Any clue?

 

ldap attribute-map VPN_MES
map-name memberOf Group-Policy
map-value memberOf CN=GRP_MES_TEST,OU=Groups,DC=mycommpany,DC=com,DC=au GRP_MES_TEST

 

aaa-server SRV_LDAP protocol ldap
aaa-server SRV_LDAP (inside) host 1.1.1.1
server-port 636
ldap-base-dn DC=mycommpany,DC=com,DC=au
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=mycommpany,DC=com,DC=au
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map VPN_MES

 

Thank you.

Alex
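Below is an added example configuration, not taken from Alex's post or from the Cisco document he linked, showing one way to reach the stated goal. The attribute map assigns the GRP_MES_TEST group-policy from the user's memberOf value; `group-lock` inside that policy makes the ASA reject the session if the user selects any connection profile other than the one the policy is locked to; and a NOACCESS default group-policy with zero simultaneous logins denies anyone who authenticates on that profile without a mapped group. The LDAP server definition and DNs are the ones from the post. The tunnel-group name TG_MES, its alias MES, and the `ssl-client` tunnel protocol are assumptions; it is also assumed that the profile drop-down in AnyConnect is already enabled (`tunnel-group-list enable` under `webvpn`), since the post says users can see other groups.

```cisco
! Added example (not from the original post). Map the AD group DN to a
! group-policy name. The DN is compared as an exact string, so case and
! component order must match what AD returns in memberOf.
ldap attribute-map VPN_MES
  map-name memberOf Group-Policy
  map-value memberOf CN=GRP_MES_TEST,OU=Groups,DC=mycommpany,DC=com,DC=au GRP_MES_TEST
!
aaa-server SRV_LDAP protocol ldap
aaa-server SRV_LDAP (inside) host 1.1.1.1
  server-port 636
  ldap-base-dn DC=mycommpany,DC=com,DC=au
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=mycommpany,DC=com,DC=au
  ldap-over-ssl enable
  server-type microsoft
  ldap-attribute-map VPN_MES
!
! Users who authenticate but have no mapped group land here and are denied.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
  vpn-tunnel-protocol ssl-client
!
! Policy assigned by the attribute map. group-lock pins it to one connection
! profile: a GRP_MES_TEST member who picks a different profile is rejected.
! (TG_MES is an assumed tunnel-group name.)
group-policy GRP_MES_TEST internal
group-policy GRP_MES_TEST attributes
  vpn-tunnel-protocol ssl-client
  group-lock value TG_MES
!
! Connection profile the MES users are expected to select in AnyConnect.
tunnel-group TG_MES type remote-access
tunnel-group TG_MES general-attributes
  authentication-server-group SRV_LDAP
  default-group-policy NOACCESS
tunnel-group TG_MES webvpn-attributes
  group-alias MES enable
```

Two checks worth doing after applying this: compare the map-value DN character for character with the memberOf value shown by `debug ldap 255` for a test user (a CN or OU that differs in case is a silent non-match), and confirm that the test user's memberOf list yields exactly one mapped Group-Policy, because the ASA reads the policy name from a single attribute value and a user in several mapped groups will not reliably get the one you intended.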

3 Replies

@Alex Ribas 

Is the group name syntax correct? It is case sensitive, so the configuration needs to be exact.

Can you turn on debugs ("debug ldap 255"), test, and provide the output for review?

Hi Rob

I checked the name with the Microsoft team; it is all correct.

Any clue so far?

Thank you

Alex

 

 

Marvin Rhoads
Hall of Fame

In the "debug ldap 255" output you should see a listing of the memberOf mappings that happen when a user authenticates. Watch for multiple group mappings; this can cause unexpected results when using that as the criterion for mapping a user to a connection profile.