Problem with LDAP authentication for users in a group

baskervi
Level 1

I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.

I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:

[6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN

[6707]  msNPAllowDialin: value = TRUE

I'd be grateful if anyone can point me in the right direction and show me what I'm doing wrong. Thank you.

ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN

aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
 ldap-base-dn DC=COMPANY,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
 server-type microsoft
 ldap-attribute-map AuthUsers

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 wins-server none
 dns-server value 10.10.100.102
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value net.COMPANY.com
 webvpn
  anyconnect profiles value COMPANY_SSL_VPN_client_profile type user

tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 address-pool COMPANY-SSL-VPN-POOL
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
 default-group-policy NOACCESS
 authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
 group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
 ikev1 pre-shared-key *****

baskervi
Level 1

I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
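The following script is an added example, not part of the thread or of Cisco's own tooling. It models the two things this thread turns on: how an ldap attribute-map turns a memberOf value into a group-policy name, and how the ASA fills in attributes a group-policy does not set by walking the documented policy hierarchy (user's group-policy, then the tunnel-group's default-group-policy, then DfltGrpPolicy, whose factory default for vpn-simultaneous-logins is 3). The configuration excerpts are constructed from the post, with ASA_CONFIG_AFTER carrying the fix from the reply; the LDAP entries are constructed from the debug output. It goes slightly beyond the thread by also evaluating a user who is not in the mapped group, who stays in NOACCESS.

```python
"""Resolve an LDAP user's ASA group-policy and effective vpn-simultaneous-logins.

Added example. Configuration and LDAP entries are constructed from the forum post;
the inheritance order is the ASA policy hierarchy (mapped group-policy ->
tunnel-group default-group-policy -> DfltGrpPolicy).
"""
import shlex

# Constructed excerpt of the configuration posted in the thread (before the fix).
ASA_CONFIG_BEFORE = """\
ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 dns-server value 10.10.100.102
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy NOACCESS
 authorization-required
"""

# The same excerpt with the fix from the reply applied to the mapped group-policy.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace(
    " dns-server value 10.10.100.102\n",
    " vpn-simultaneous-logins 15\n dns-server value 10.10.100.102\n")

# Constructed LDAP entries, modelled on the memberOf line in the debug output.
VPN_USER = {"memberOf": ["CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"],
            "msNPAllowDialin": ["TRUE"]}
OTHER_USER = {"memberOf": ["CN=Domain Users,CN=Users,DC=COMPANY,DC=com"]}


def parse_asa_config(text):
    """Minimal parser: a non-indented line opens a block, indented lines belong to it."""
    cfg = {"attribute_maps": {}, "group_policies": {}, "tunnel_groups": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # block header
            words = raw.split()
            current = None
            if words[:2] == ["ldap", "attribute-map"]:
                current = cfg["attribute_maps"].setdefault(
                    words[2], {"map-name": {}, "map-value": {}})
            elif words[0] == "group-policy" and words[-1] == "attributes":
                current = cfg["group_policies"].setdefault(words[1], {})
            elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
                current = cfg["tunnel_groups"].setdefault(words[1], {})
            continue
        if current is None:
            continue
        words = shlex.split(raw)  # handles the quoted DN in map-value
        if words[0] == "map-name":        # map-name <ldap-attr> <cisco-attr>
            current["map-name"][words[1]] = words[2]
        elif words[0] == "map-value":     # map-value <ldap-attr> <ldap-value> <cisco-value>
            current["map-value"].setdefault(words[1], {})[words[2]] = words[3]
        else:                             # plain attribute line: first word is the key
            current[words[0]] = " ".join(words[1:])
    return cfg


def mapped_group_policy(cfg, map_name, ldap_entry):
    """Only LDAP attributes mapped to IETF-Radius-Class select a group-policy;
    the first memberOf value that has a map-value entry wins."""
    amap = cfg["attribute_maps"][map_name]
    for ldap_attr, cisco_attr in amap["map-name"].items():
        if cisco_attr != "IETF-Radius-Class":
            continue
        for value in ldap_entry.get(ldap_attr, []):
            mapped = amap["map-value"].get(ldap_attr, {}).get(value)
            if mapped:
                return mapped
    return None


def effective_attribute(cfg, tunnel_group, policy, attr):
    """Walk mapped policy -> tunnel-group default policy -> DfltGrpPolicy;
    the first policy that explicitly sets attr wins, others inherit."""
    tg_default = cfg["tunnel_groups"][tunnel_group].get("default-group-policy")
    for name in (policy, tg_default, "DfltGrpPolicy"):
        if name and attr in cfg["group_policies"].get(name, {}):
            return cfg["group_policies"][name][attr]
    return None


def evaluate_user(cfg, tunnel_group, ldap_entry, map_name="AuthUsers"):
    """Return the policy the user lands in and whether logins are actually allowed."""
    policy = mapped_group_policy(cfg, map_name, ldap_entry)
    if policy is None:  # no mapping: the user stays in the tunnel-group default policy
        policy = cfg["tunnel_groups"][tunnel_group]["default-group-policy"]
    logins = effective_attribute(cfg, tunnel_group, policy, "vpn-simultaneous-logins")
    # 3 is the ASA factory default in DfltGrpPolicy (assumes it was not changed).
    limit = int(logins) if logins is not None else 3
    return {"group_policy": policy, "simultaneous_logins": limit, "access": limit > 0}


if __name__ == "__main__":
    for label, text in (("before fix", ASA_CONFIG_BEFORE), ("after fix", ASA_CONFIG_AFTER)):
        cfg = parse_asa_config(text)
        print(label, "VPN user:  ", evaluate_user(cfg, "COMPANY_SSL_VPN", VPN_USER))
        print(label, "other user:", evaluate_user(cfg, "COMPANY_SSL_VPN", OTHER_USER))
```

Run against the "before" excerpt, the VPN user is correctly mapped to GroupPolicy_COMPANY_SSL_VPN (matching the "mapped to IETF-Radius-Class" line in the debug) but inherits vpn-simultaneous-logins 0 from NOACCESS, which is why the session is dropped after a successful authentication; the "after" excerpt yields 15. The non-member stays in NOACCESS with 0 in both cases, which is the intended deny-by-default behaviour of that design.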