07-04-2021 08:00 AM
Hi All
I tried the attribute-map recommended below by Cisco and it is still not working.
The goal is to force users from group GRP_MES_TEST to log in with the AnyConnect VPN client in their own GROUP, even though they can see the other GROUPs in the AnyConnect client.
Any clue?
ldap attribute-map VPN_MES
 map-name memberOf Group-Policy
 map-value memberOf CN=GRP_MES_TEST,OU=Groups,DC=mycompany,DC=com,DC=au GRP_MES_TEST
aaa-server SRV_LDAP (inside) host 1.1.1.1
 server-port 636
 ldap-base-dn DC=mycompany,DC=com,DC=au
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=mycompany,DC=com,DC=au
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map VPN_MES
Thank you.
Alex
07-04-2021 08:08 AM
Is the group name syntax correct? It is case sensitive, so the configuration needs to be exact.
Can you turn on debugs ("debug ldap 255"), test, and provide the output for review?
07-05-2021 01:33 PM
Hi Rob
I checked the names with the Microsoft team; they are all correct.
Any clue so far?
Thank you
Alex
07-06-2021 08:53 AM
In the "debug ldap 255" output you should see a listing of the memberOf mappings that happen when a user authenticates. Watch for multiple group mappings; this can cause unexpected results when using that as the criterion for mapping a user to a connection profile.
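The following ASA configuration is an added example, not posted by either participant, showing the usual way to get the behaviour the original question asks for: members of GRP_MES_TEST receive group-policy GRP_MES_TEST via the attribute map, `group-lock` pins that policy to its own tunnel-group (so choosing another profile in the AnyConnect drop-down is rejected), and anyone whose memberOf did not map to a named policy falls back to a default policy that allows zero sessions. The names NOACCESS, TG_MES, the alias MES and the host 1.1.1.1 are placeholders assumed for the example; the attribute-map and aaa-server lines repeat the thread's own values with the spelling fixed.

```cisco
! Added example (not from the thread). Placeholder names: NOACCESS, TG_MES, MES, 1.1.1.1.

! Map the AD group DN to the ASA group-policy name. Exactly one mapped group per
! user is what you want; if a user carries several mapped memberOf values the
! policy that wins is not something to rely on.
ldap attribute-map VPN_MES
 map-name memberOf Group-Policy
 map-value memberOf CN=GRP_MES_TEST,OU=Groups,DC=mycompany,DC=com,DC=au GRP_MES_TEST
!
aaa-server SRV_LDAP protocol ldap
aaa-server SRV_LDAP (inside) host 1.1.1.1
 server-port 636
 ldap-base-dn DC=mycompany,DC=com,DC=au
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=mycompany,DC=com,DC=au
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map VPN_MES
!
! Default policy for the tunnel-group: reached only when the attribute map did
! not assign a policy. Zero simultaneous logins means the user is refused even
! though the LDAP bind and password check succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy assigned to GRP_MES_TEST members. group-lock ties it to tunnel-group
! TG_MES: a member who authenticates through any other connection profile that
! uses SRV_LDAP gets this policy, fails the lock check, and is disconnected.
group-policy GRP_MES_TEST internal
group-policy GRP_MES_TEST attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 group-lock value TG_MES
!
tunnel-group TG_MES type remote-access
tunnel-group TG_MES general-attributes
 authentication-server-group SRV_LDAP
 default-group-policy NOACCESS
tunnel-group TG_MES webvpn-attributes
 group-alias MES enable
```

Two checks worth making before blaming the map: the DN in `map-value` is compared byte for byte against the memberOf value the ASA receives, so run `debug ldap 255`, copy the DN exactly as it appears in the returned attribute list, and paste that; and memberOf only lists direct membership, so a user who is in GRP_MES_TEST through a nested group will not match and will land in NOACCESS.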