07-06-2011 06:58 PM
What is the best way to configure Group AD (LDAP) Authentication via the ASA? I can get it to authenticate, but it doesn't matter if the user is in the Group or not. I want to use a specific group.
I have it configured using the memberOf and Group Policy attributes:
aaa-server LDAP_Server_Grp protocol ldap
aaa-server LDAP_Server_Grp (Internal) host 10.10.10.1
 ldap-base-dn dc=acme,dc=com
 ldap-group-base-dn cn=users,dc=acme,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=vpnuser,cn=users,dc=acme,dc=com
 server-type microsoft
 ldap-attribute-map LDAP-MAP
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=ASA_VPN_Employee,CN=Users,DC=acme,DC=com Employee_Access
I saw some posts where you can set up a "tunnel-group" to deny access by default, apply it to the Connection Profile as the default Group Policy, and then override the settings under Advanced > Authentication on the Connection Profile.
What am I missing? Thanks!
07-06-2011 08:50 PM
Hi Derek,
When a user initiates a VPN connection, the connection will fall on the Tunnel-group or the Connection profile.
Each connection profile will have a group-policy assigned. By default the group-policy is DefaultGroupPolicy.
You can change the same by defining the group-policy explicitly.
When you use LDAP to authenticate, you have an option to bind the group-policy to a user as well. This can be done with the help of an LDAP Attribute Map.
This group-policy will take precedence over any setting of the group-policy.
I.e., in your case the group-policy Employee_Access will take precedence over the group-policy defined in the connection profile.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
07-07-2011 05:55 AM
Anisha,
Thanks for the reply. I have two Connection Profiles (Tunnel Groups): Employee and Vendor. I also have two Group Policies called Employee_Access and Vendor_Access. I have applied the Employee_Access group policy to the Employee Connection Profile.
I am able to authenticate no problem. However, I want the Employees to authenticate to a user group called ASA_VPN_Employee. I have the LDAP Attribute Map configured as follows:
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=ASA_VPN_Employee,CN=Users,DC=acme,DC=com Employee_Access
However, if you remove the user from the ASA_VPN_Employee group you can still authenticate. The reason, I think, is that it uses the following search base:
ldap-base-dn dc=acme,dc=com
The user should not be able to authenticate if they are not in the ASA_VPN_Employee group.
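The behaviour discussed in this thread, simulated as an added example (not Cisco code and not the poster's configuration): a memberOf to Group-Policy attribute map only chooses which group-policy a session gets, so a user outside the mapped AD group simply falls back to the connection profile's default group-policy, and is rejected only if that default denies access. Assumptions: DN values are compared case-insensitively, the first matching memberOf value wins, and "deny by default" is expressed as a group-policy whose vpn-simultaneous-logins is 0 (the NOACCESS policy below is constructed for illustration).

```python
"""Simulated ASA LDAP attribute-map evaluation (added example, not Cisco code)."""


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, strip spaces around commas.
    Assumption: the ASA matches map-value DNs case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed attribute map, mirroring the thread's LDAP-MAP entries.
ATTRIBUTE_MAP = {
    "memberOf": {
        normalize_dn("CN=ASA_VPN_Employee,CN=Users,DC=acme,DC=com"): "Employee_Access",
        normalize_dn("CN=ASA_VPN_Vendor,CN=Users,DC=acme,DC=com"): "Vendor_Access",
    }
}

# Constructed group-policy table.  NOACCESS is the deny-by-default policy the
# thread alludes to; it rejects sessions by allowing zero simultaneous logins.
GROUP_POLICIES = {
    "Employee_Access": {"vpn-simultaneous-logins": 3},
    "Vendor_Access": {"vpn-simultaneous-logins": 1},
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
}


def select_group_policy(ldap_entry: dict, profile_default: str) -> str:
    """Return the group-policy the session ends up with.

    The mapped policy overrides the connection profile's default; with no
    matching memberOf value the profile default applies (assumption: first
    match in the order the directory returns the values wins)."""
    mapping = ATTRIBUTE_MAP["memberOf"]
    for dn in ldap_entry.get("memberOf", []):
        policy = mapping.get(normalize_dn(dn))
        if policy:
            return policy
    return profile_default


def session_allowed(ldap_entry: dict, profile_default: str) -> tuple:
    """Return (effective group-policy, whether the VPN session is admitted)."""
    policy = select_group_policy(ldap_entry, profile_default)
    return policy, GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
```

Running it with the Employee profile's default set to Employee_Access reproduces the problem in the thread (a user with no matching group is still admitted); setting the default to NOACCESS admits only users whose memberOf maps to a real policy.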