11-05-2010 09:03 AM
The ASA successfully authenticates all users whether or not they are in the OKCVPNAccess user's group, and the ASA properly sees the LDAP attribute map. There is only one policy.

  [54] memberOf: value = CN=OKC-VPNAccess,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
  [54] mapped to IETF-Radius-Class: value = LDAPPolicy
I've gone through a lot of documentation on Cisco's web sites as well as looked at several forums, but I'm coming up blank as to what I can try next. I know this will work with RADIUS and I've used RADIUS several times in the past, but that isn't an option: I've been asked to do this with LDAP. Any suggestions? I've included the relevant part of the configuration, and I tried to sanitize it somewhat, so there may be a name mismatch here or there.
Thanks
ldap attribute-map LDAPMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=OKC-VPNAccess,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.12.34.248
 server-port 389
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn xxx\vpn.auth
 server-type microsoft
 ldap-attribute-map LDAPMAP
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map CRYPTO-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
group-policy CRYPTOGP internal
group-policy CRYPTOGP attributes
 banner value Use of this system is ...Please disconnect immediately!
 dns-server value 10.12.34.248 10.129.8.136
 vpn-tunnel-protocol IPSec
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 default-domain value xxx.local
tunnel-group CRYPTO-OKC-VPN type remote-access
tunnel-group CRYPTO-OKC-VPN general-attributes
 authentication-server-group LDAP
 address-pool IPPOOL
 default-group-policy CRYPTOGP
 authentication-server-group LDAP
tunnel-group CRYPTOOKC-VPN ipsec-attributes
 pre-shared-key *
11-05-2010 10:52 AM
I think an LDAP attribute map is just for matching an LDAP attribute to a group policy; you can control the user's access through the group policy.

Here is an example.

After the user gets connected to the VPN, can you use "show vpn-sessiondb" to check which group-policy is used?

By the way, I did not see "LDAPPolicy" defined in your configuration.
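The point the answer makes, worked through as an added example (this is not configuration from the thread or from Cisco documentation): the attribute map only produces a group-policy name, so that name has to exist on the ASA, and the map by itself never denies a login. Every AD user whose bind succeeds is authenticated, which is exactly what the original post observes. To turn group membership into an access decision, the tunnel group's default-group-policy is pointed at a policy that permits zero simultaneous logins, so that only users whose memberOf value maps to LDAPPolicy get a session. The policy name NOACCESS, the user jdoe and the vpn-simultaneous-logins value of 3 are assumptions; everything else reuses the names from the posted configuration.

```cisco
! Added example, not from the original thread. Assumed names: NOACCESS, jdoe.
!
! 1. The policy named by the attribute map must exist. Users whose memberOf
!    contains CN=OKC-VPNAccess,... are placed here by LDAPMAP.
group-policy LDAPPolicy internal
group-policy LDAPPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
 dns-server value 10.12.34.248 10.129.8.136
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 default-domain value xxx.local
!
! 2. A policy that authenticates the user but then refuses the session.
!    Any AD user whose memberOf matches no map-value falls through to this.
!    Group policies inherit unset attributes from DfltGrpPolicy, not from
!    each other, so the zero here does not leak into LDAPPolicy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec
!
! 3. Make NOACCESS the fall-through for the tunnel group instead of CRYPTOGP.
tunnel-group CRYPTO-OKC-VPN general-attributes
 default-group-policy NOACCESS
!
! Verification from enable mode (assumed user jdoe):
!   test aaa-server authentication LDAP host 10.12.34.248 username jdoe password <pw>
!     - proves the bind and the lookup work; it says nothing about the policy
!   debug ldap 255
!     - a member shows "mapped to IETF-Radius-Class: value = LDAPPolicy",
!       as in the post; a non-member shows no such mapping line
!   show vpn-sessiondb detail remote filter name jdoe
!     - a member's session lists "Group Policy : LDAPPolicy"; a non-member
!       never gets a session because NOACCESS allows zero logins
```

The debug output in the original post already shows the map firing for a member, so the only change the ASA needs is the group policies above. Note that map-value compares the DN string exactly as AD returns it, so the value in the map must match the distinguished name character for character, including the OU path.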
11-06-2010 01:41 AM
I missed this part. I'm about to try it, but I feel certain it will work. Thank you very much.