VPN Authentication via LDAP with AD Group Membership.

Jagdeep Gambhir Thu, 08/09/2007 - 07:35

Yes, that is possible.

cn=users is the container that users are in. dc=ad1,dc=test is basically the domain. Think of those as ad1.test or cisco.com.

The rest are attributes within Active Directory/LDAP. These are things that the domain administrator should be able to give you.

Basically, let's say you have an AD server for cpm.com. If you did a standard AD install that has the typical users group, etc., then you would want to make the following changes:

User Directory subtree: cn=users,dc=cpm,dc=com

Group Directory subtree: cn=users,dc=cpm,dc=com

Hostname: the IP of your domain controller

Admin DN: cn=administrator,cn=users,dc=cpm,dc=com

Please rate if it helps.

Thank you for the fast answer.

I don't understand this.

On my ASA I have configured the LDAP server, and as "ldap-naming-attribute" I have chosen "sAMAccountName". Now the username is queried. This is OK. But now I want to query not only whether the username exists, but also a group, i.e. whether the user is in this group.

Can I do this with the "ldap attribute-map"?

If yes, how can I do this?

Jagdeep Gambhir Tue, 08/14/2007 - 06:21

Here it is:

Mapping LDAP memberOf (group) to the ASA/PIX cVPN3000-IETF-Radius-Class attribute

Note: The ASA/PIX uses the Cisco LDAP attribute cVPN3000-IETF-Radius-Class to enforce policies from a specific group-policy for Remote Access VPN sessions (IPsec, SVC, WebVPN clientless). The LDAP attribute is equivalent to the RADIUS Class (25) attribute.

1) On the ASA, create an ldap attribute-map with the minimum mapping and associate it with the LDAP aaa-server.

5520-1(config-aaa-server-host)# show runn ldap
ldap attribute-map Map1
  map-name memberOf cVPN3000-IETF-Radius-Class
  map-value memberOf CN=AD-Group1,CN=Users,DC=CompanyA,DC=com ASA-Group1-Allow-Access
  map-value memberOf CN=AD-Group2,CN=Users,DC=CompanyA,DC=com ASA-Group2-Deny-Access

2) What is being enforced with the above mapping?

a) user1 in AD group AD-Group1 will be placed in ASA group-policy ASA-Group1-Allow-Access. In this ASA group-policy you can then set vpn-tunnel-protocol to allow only the svc and webvpn types, for example.

b) user2 in AD group AD-Group2 will be placed in ASA group-policy ASA-Group2-Deny-Access. In this ASA group-policy you can then set vpn-tunnel-protocol to allow only the ipsec type, for example. Therefore the svc/webvpn types would be disallowed.

Note: If the AD user is part of multiple AD groups, make sure the AD user's memberOf group of interest is at the top of the list, since as of 7.2.x the appliance only enforces the first memberOf attribute that is parsed.




The single AD group (memberOf) limitation will be removed in 7.3, where we are able to make policy decisions based on multiple AD groups.
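The exchange above (LDAP subtree search by sAMAccountName, then the attribute map that turns a memberOf value into a group-policy name) modelled in Python, as an added example that is not code from the thread or from Cisco. The directory entries are constructed; the map, group and policy names are the ones the post uses. The first_memberof_only switch reproduces the 7.2.x behaviour described above (only the first memberOf value is evaluated) next to evaluation of all values. Later ASA releases renamed the Cisco LDAP attributes (the selector became Group-Policy, with IETF-Radius-Class kept as the legacy name), but the matching logic is unchanged.

```python
"""Added example (not code from the thread): a model of how the ASA's
ldap attribute-map turns a user's AD memberOf values into a group-policy
name.  The directory entries are constructed; the ASA-side names come from
the post (Map1, AD-Group1/2, ASA-Group1-Allow-Access, ASA-Group2-Deny-Access)."""
from typing import Dict, List, Optional

# Constructed stand-in for what the ASA reads from AD over LDAP after binding
# with the configured login DN.  AD returns memberOf in an order the admin
# does not control, which is what makes the 7.2.x first-value behaviour bite.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=user1,CN=Users,DC=CompanyA,DC=com": {
        "sAMAccountName": "user1",
        "memberOf": ["CN=AD-Group1,CN=Users,DC=CompanyA,DC=com"],
    },
    "CN=user2,CN=Users,DC=CompanyA,DC=com": {
        "sAMAccountName": "user2",
        "memberOf": [
            "CN=Helpdesk,CN=Users,DC=CompanyA,DC=com",    # unmapped group listed first
            "CN=AD-Group2,CN=Users,DC=CompanyA,DC=com",
        ],
    },
    "CN=user3,CN=Users,DC=CompanyA,DC=com": {
        "sAMAccountName": "user3",
        "memberOf": [],    # in no mapped group at all
    },
}

# The post's map: "map-name memberOf cVPN3000-IETF-Radius-Class" plus one
# "map-value memberOf <AD group DN> <ASA group-policy>" line per group.
ATTRIBUTE_MAP: Dict[str, str] = {
    "CN=AD-Group1,CN=Users,DC=CompanyA,DC=com": "ASA-Group1-Allow-Access",
    "CN=AD-Group2,CN=Users,DC=CompanyA,DC=com": "ASA-Group2-Deny-Access",
}


def normalize_dn(dn: str) -> str:
    """DNs match case-insensitively and regardless of spaces after commas,
    so compare a canonical form rather than the raw string."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_user(naming_attribute: str, username: str, base_dn: str) -> Optional[Dict[str, object]]:
    """Subtree search under base_dn for (naming_attribute=username), which is
    what the ASA does with its base DN and ldap-naming-attribute settings."""
    base = normalize_dn(base_dn)
    for dn, entry in DIRECTORY.items():
        if normalize_dn(dn).endswith(base) and str(entry.get(naming_attribute, "")).lower() == username.lower():
            return entry
    return None


def resolve_group_policy(username: str, *, first_memberof_only: bool) -> Optional[str]:
    """Group-policy the attribute map selects for username, or None when no
    map-value matches (the tunnel-group's default group-policy then applies).
    first_memberof_only=True models the 7.2.x behaviour the post describes:
    only the first memberOf value returned by AD is evaluated."""
    entry = find_user("sAMAccountName", username, "cn=users,dc=CompanyA,dc=com")
    if entry is None:
        return None                       # unknown user: authentication fails
    member_of: List[str] = list(entry["memberOf"])
    candidates = member_of[:1] if first_memberof_only else member_of
    normalized_map = {normalize_dn(k): v for k, v in ATTRIBUTE_MAP.items()}
    for group_dn in candidates:
        policy = normalized_map.get(normalize_dn(group_dn))
        if policy is not None:
            return policy
    return None


if __name__ == "__main__":
    for user in ("user1", "user2", "user3"):
        print(user,
              "7.2.x:", resolve_group_policy(user, first_memberof_only=True),
              "all memberOf:", resolve_group_policy(user, first_memberof_only=False))
```

user2 is the case the note in the post warns about: on 7.2.x the unmapped Helpdesk group comes first, no map-value matches, and user2 lands in the tunnel-group's default group-policy instead of ASA-Group2-Deny-Access. A permissive default group-policy therefore grants more than the map intends, so keep the default restrictive and let the mapped policies open access. The Admin DN in the earlier post is the domain administrator; the ASA only needs an account that can read user objects and memberOf, so a dedicated low-privilege bind account over LDAPS is the safer choice.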

You mentioned support for multiple AD groups in v7.3. Do you have an idea when v7.3 will be released?

Also, do you know if support for members of multiple groups will be available on the ACS too? Right now, if a user belongs to multiple groups within the AD, I have ACS-HR and ACS-Payroll mapped to an ACS HR+Payroll group, then I use the combined downloadable ACLs for this access. But when you have 30 servers/apps or services to control and users can be members of many groups, it turns into a group scalability issue very quickly.

If the ACS could check all group memberships, aggregate the defined ACLs from each group and return them to the ASA, this would be a positive step in the right direction (more suitable for an enterprise solution).

Thanks in advance for your feedback.

fawadnoorkhan Thu, 08/16/2007 - 09:24

Why aren't you using Cisco Secure ACS to make life much easier? I can give you great help in the same scenario you want, but through Cisco Secure ACS.

usprotect Thu, 08/16/2007 - 12:44

We have the same issue, but our budget does not allow us to spend more ($6000) for this project. IAS is working fine, but we must find a solution for it.

dbrisson Sat, 08/25/2007 - 03:24
I am trying to do exactly this with ACS. I can get users to authenticate to Windows, but I want to limit it to a specific Windows AD group only. When I set up a group mapping in ACS for the AD group "vpnusers", ACS says "vpnusers,*" and it lets any user in. Why does the * appear? I only want members of the vpnusers group to have access.



Premdeep Banga Sat, 08/25/2007 - 05:03

If your group mapping is not working, that is a separate issue.

Answer to your question about "vpnusers,*":

It means all those users who have membership in the group "vpnusers" on AD should get mapped to this group; * means that, other than the "vpnusers" group membership, that user can have membership in any other group.

But the above mapping will only come into effect if the user has "vpnusers" group membership.

Which is quite obvious, as generally every user has membership in Domain Users. And in a practical scenario, a user on AD may be required to have membership in many groups.

We cannot remove "*"; it is by design on ACS.

In your case, check the order of the mapping, as it is very important and works similar to an access list, top to bottom.

"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."

Group Mapping Order:

dbrisson Sat, 08/25/2007 - 05:41

Thanks for the explanation of the "*", Prem. I guess my problem is with the group mapping. It doesn't seem to matter whether the Active Directory user is a member of the AD group "vpnusers" or not; the ACS still lets them in. It's as if the ACS isn't even checking for the AD group vpnusers.



fawadnoorkhan Sat, 08/25/2007 - 08:02

Are you using an external group policy or a local one for the VPN configuration?

Secondly, about the mapping, you can always set DENY on the DEFAULT group, because the order of the mapping will always ALLOW the REST of the AD groups to be mapped to the DEFAULT group of ACS. So set the configuration to deny everything to the default group.
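The ACS group-mapping behaviour discussed in the last several posts (ordered rules evaluated top to bottom, first match wins, "vpnusers,*" meaning a member of vpnusers who may hold other memberships, unmatched users falling into the Default Group, and the advice to make that default deny) modelled in Python, side by side with the aggregated per-group ACL behaviour an earlier poster asked for. This is an added example, not code from the thread or from Cisco; the group names and ACL lines are constructed.

```python
"""Added example (not from the thread): a model of Cisco Secure ACS external
group mapping as the posts describe it (ordered rules, first match wins,
"vpnusers,*" meaning 'member of vpnusers, other memberships allowed',
unmatched users landing in the Default Group), next to the aggregated-ACL
behaviour one poster asked for.  Group names and ACL lines are constructed."""
from typing import Dict, FrozenSet, List, Tuple

Mapping = List[Tuple[str, FrozenSet[str]]]

# (ACS group, AD groups the user must hold).  The trailing '*' ACS displays is
# implicit: extra memberships such as Domain Users never disqualify a rule.
# Evaluated top to bottom like an access list, so the most specific rule first.
ACS_GROUP_MAPPING: Mapping = [
    ("ACS-HR+Payroll", frozenset({"HR", "Payroll"})),
    ("ACS-HR",         frozenset({"HR"})),
    ("ACS-Payroll",    frozenset({"Payroll"})),
    ("ACS-VPN",        frozenset({"vpnusers"})),
]
# The same rules with the combined group listed after ACS-HR: an ordering mistake.
MISORDERED_MAPPING: Mapping = [ACS_GROUP_MAPPING[1], ACS_GROUP_MAPPING[0]] + ACS_GROUP_MAPPING[2:]

DEFAULT_GROUP = "Default Group"   # ACS Group 0: whatever matched no rule

# Downloadable ACL per ACS group (constructed).  The Default Group denies
# everything, as the thread recommends, so an unmapped AD user gets nothing.
DOWNLOADABLE_ACL: Dict[str, List[str]] = {
    "ACS-HR":         ["permit tcp any host 10.0.0.10 eq 443"],
    "ACS-Payroll":    ["permit tcp any host 10.0.0.20 eq 443"],
    "ACS-HR+Payroll": ["permit tcp any host 10.0.0.10 eq 443",
                       "permit tcp any host 10.0.0.20 eq 443"],
    "ACS-VPN":        ["permit ip any any"],
    DEFAULT_GROUP:    ["deny ip any any"],
}

# What the earlier poster wished for: one ACL per AD group, no combined groups.
ACL_PER_AD_GROUP: Dict[str, List[str]] = {
    "HR":       ["permit tcp any host 10.0.0.10 eq 443"],
    "Payroll":  ["permit tcp any host 10.0.0.20 eq 443"],
    "vpnusers": ["permit ip any any"],
}


def _lower(groups) -> FrozenSet[str]:
    """AD group names are case-insensitive; compare a lower-cased set."""
    return frozenset(g.lower() for g in groups)


def map_first_match(ad_groups, mapping: Mapping = ACS_GROUP_MAPPING) -> str:
    """ACS behaviour: walk the mapping top to bottom and return the first ACS
    group whose required AD groups are all present; otherwise the Default Group."""
    user = _lower(ad_groups)
    for acs_group, required in mapping:
        if _lower(required) <= user:
            return acs_group
    return DEFAULT_GROUP


def acl_first_match(ad_groups, mapping: Mapping = ACS_GROUP_MAPPING) -> List[str]:
    """ACL the ASA receives under the first-match model."""
    return DOWNLOADABLE_ACL[map_first_match(ad_groups, mapping)]


def acl_aggregated(ad_groups) -> List[str]:
    """Union of the ACLs of every AD group the user holds (definition order,
    duplicates dropped); the Default Group ACL when none applies."""
    user = _lower(ad_groups)
    lines: List[str] = []
    for ad_group, acl in ACL_PER_AD_GROUP.items():
        if ad_group.lower() in user:
            for line in acl:
                if line not in lines:
                    lines.append(line)
    return lines or DOWNLOADABLE_ACL[DEFAULT_GROUP]


if __name__ == "__main__":
    hr_payroll = ["Domain Users", "HR", "Payroll"]
    print(map_first_match(hr_payroll), map_first_match(hr_payroll, MISORDERED_MAPPING))
    print(acl_first_match(["Domain Users"]), acl_aggregated(hr_payroll))
```

The misordered mapping shows why the order matters: a user in both HR and Payroll matches ACS-HR first and never reaches the combined group, silently losing the Payroll ACL. A user who is only in Domain Users matches nothing and, because the Default Group ACL is deny, gets no access, which is the behaviour the "vpnusers,*" question was after. The aggregated function needs one rule per AD group instead of one per combination, which is the scalability point raised earlier in the thread.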

Premdeep Banga Sat, 08/25/2007 - 11:15

Hi Dan,

I cannot deny that; it might be that something is not working right with ACS group mapping, because recently I saw one instance in which, no matter what group mapping you did, it always mapped the user to Group 0 [Default Group].

I am still looking into it. To be specific, I experienced this on v4.1.1 with patch 5.

If I find something I'll let you know.



Premdeep Banga Tue, 08/28/2007 - 15:51

Here's an update: if we have Group Mapping configured on ACS but it's not working,

check the group type of the group on AD; if it's Domain Local or something else, try changing it to the Universal group type. Then try again.

Also, just wanted to update that 4.1.4 is out, so go grab it.
