Hi,
I've recently configured VPN with LDAP to our Windows Server 2012. Within the LDAP attribute map that is assigned to the server group I have specified the attribute name msNPAllowDialin, and this works fine, but I was wondering if I can just add another attribute, "memberOf", to the same map and specify there a specific user group which should have VPN access. Will the user be authenticated if both attributes are true, I mean the user has "Allow access" enabled on NAP and belongs to the security group "VPN-Users"?
I've run some tests already and configured the following on my ASA 5510, but for some reason it doesn't work the way I want :) I would like to make sure that only users who belong to the "CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp" group and have NAP set to "Allow access" can authenticate. I removed a user from the MyBusiness VPN Users group, but he was still able to authenticate.
Any idea how I can fix it?
Thank you for your help! :)
===snip===
ldap attribute-map LDAP2CISCO_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp" 6
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin "FALSE" NOACCESS
 map-value msNPAllowDialin "TRUE" ALLOWACCESS
===snip===
aaa-server agldap_ciscovpn (vlan-server) host 10.30.100.10
 server-port 389
 ldap-base-dn ou=Users,ou=MyBusiness,ou=BB Subsidiaries,dc=xxx,dc=corp
 ldap-group-base-dn OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=XX ldap account,ou=Service Accounts,ou=XX Users,dc=xxx,dc=corp
 server-type microsoft
 ldap-attribute-map LDAP2CISCO_MAP
===snip===
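The following is an added example, not part of the original post and not Cisco's code: a small Python model of how an LDAP attribute map that targets IETF-Radius-Class (the attribute that names the user's group-policy) resolves for a few constructed users. The model assumes that IETF-Radius-Class can hold only one group-policy name, so the last map-value that matches wins and two LDAP attributes mapped onto it cannot express an AND; that a mapped name which is not an existing group-policy, or no match at all, falls back to the tunnel-group's default group policy; and that a user is admitted only when that policy's vpn-simultaneous-logins is greater than zero. The group-policy names ALLOWACCESS, NOACCESS and DfltGrpPolicy, the login counts and the user records are assumptions for the model. It places the posted map beside a deny-by-default variant that keys access on group membership alone and sets the default group policy to NOACCESS.

```python
"""Model of ASA-style LDAP attribute-map evaluation (added example, not the ASA's code)."""

# Group DN copied from the posted configuration.
VPN_GROUP_DN = ("CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,"
                "OU=BB Subsidiaries,DC=xxx,DC=corp")

# Assumed group-policies on the ASA and their vpn-simultaneous-logins value.
# NOACCESS with 0 logins is the conventional "deny" policy; DfltGrpPolicy is the ASA default name.
POLICIES = {"ALLOWACCESS": 3, "NOACCESS": 0, "DfltGrpPolicy": 3}

# Attribute map as (ldap attribute, ldap value, value written to IETF-Radius-Class),
# in the order the posted map lists its map-value lines.
POSTED_MAP = [
    ("memberOf", VPN_GROUP_DN, "6"),               # "6" is not a group-policy name
    ("msNPAllowDialin", "FALSE", "NOACCESS"),
    ("msNPAllowDialin", "TRUE", "ALLOWACCESS"),
]

# Deny-by-default variant: only group membership selects ALLOWACCESS, everything
# else must fall through to a NOACCESS default group policy on the tunnel-group.
HARDENED_MAP = [
    ("memberOf", VPN_GROUP_DN, "ALLOWACCESS"),
]

# Constructed LDAP results for four users (multi-valued attributes as lists).
USERS = {
    "alice": {"memberOf": [VPN_GROUP_DN], "msNPAllowDialin": ["TRUE"]},
    "bob":   {"memberOf": [],             "msNPAllowDialin": ["TRUE"]},   # removed from group
    "carol": {"memberOf": [VPN_GROUP_DN], "msNPAllowDialin": ["FALSE"]},
    "dave":  {"memberOf": [],             "msNPAllowDialin": []},         # neither attribute
}


def evaluate_map(attr_map, ldap_attrs):
    """Return the IETF-Radius-Class value the map produces, or None when nothing matched.

    Model assumption: the attribute holds a single string, so a later matching
    map-value overwrites an earlier one instead of combining with it.
    """
    result = None
    for ldap_attr, ldap_value, cisco_value in attr_map:
        if ldap_value in ldap_attrs.get(ldap_attr, []):
            result = cisco_value
    return result


def decide(attr_map, ldap_attrs, default_group_policy, policies=POLICIES):
    """Resolve the effective group-policy and whether the user may connect.

    Model assumption: an unmatched user, or a mapped name that is not a configured
    group-policy, receives the tunnel-group's default group policy.
    """
    name = evaluate_map(attr_map, ldap_attrs)
    if name not in policies:
        name = default_group_policy
    return name, policies[name] > 0


def report(attr_map, default_group_policy):
    """Evaluate every constructed user; returns {user: (policy, allowed)}."""
    return {user: decide(attr_map, attrs, default_group_policy) for user, attrs in USERS.items()}


if __name__ == "__main__":
    for label, attr_map, default in (("posted map, default DfltGrpPolicy", POSTED_MAP, "DfltGrpPolicy"),
                                     ("hardened map, default NOACCESS", HARDENED_MAP, "NOACCESS")):
        print(label)
        for user, (policy, allowed) in report(attr_map, default).items():
            print(f"  {user:6} -> {policy:13} {'ALLOW' if allowed else 'DENY'}")
```

In the model the posted map admits bob even though he is no longer in the group, because the TRUE mapping of msNPAllowDialin is evaluated after memberOf and overwrites the result, and it admits dave, who matches nothing, because he falls through to a permissive default group policy. The hardened map denies both, since anyone who is not a group member lands on NOACCESS. What it cannot do is require both conditions at once: with one map and one target attribute there is no AND, so if the dial-in flag must also be honoured it has to be enforced at a different point than this map.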