Group Policy assigned by LDAP Authorization to separate Forest

Unanswered Question
Apr 18th, 2008

Using ASA 5520 IOS 7.2(4), I need to support VPN access to our network during a migration from our current AD Forest to a separate AD Forest (yes, Forest, not just a domain within the same Forest). Authentication is by SSL cert; it is the LDAP Authorization that I'm having trouble with. How can I check for userPrincipalName via LDAP to 2 separate LDAP servers in 2 different AD Forests? The idea is that if the userPrincipalName is not present from one AAA Server Group, it goes to the next.

Anonymous (not verified) Thu, 04/24/2008 - 10:49

If the user is a member of the 'vpnusers' group, then they would authenticate to an ACS server (using RSA). One issue we have here is we do authentication before authorization. The users would authenticate to the ACS server and then LDAP authorization would be next. If the user is in the 'vpnusers' group, then they would be put in the 'vpnusers' group-policy.

jaestes Fri, 04/25/2008 - 02:57

Thanks for the post. Unfortunately I can't do that (use the ACS for authentication). I'm forced by regulatory policy to use a central Corporate OCSP responder to authenticate and validate the SSL cert passed by the client (user). Due to the fact that the info provided by the client is the same both pre and post migration, there is no unique attribute to determine which Group Policy / Tunnel Group to use.

That is why I tried listing both domain controllers as servers under the same AAA Server Group, hoping that if the LDAP query failed on the first it would send another query to the second. It appears that if it receives a response from the first one in the list, it stops and does not try to query the other servers listed.
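For reference, the shape of the ASA configuration the posts above describe, added here as an example rather than taken from the thread. Server group and policy names, addresses, DNs and the service account are placeholders; the command forms are the ones documented for ASA 7.2/8.0 and should be checked against the 7.2(4) command reference before use (in particular `authorization-dn-attributes UPN` and the `authentication certificate` setting under `webvpn-attributes`).

```cisco
! Added example, not configuration from the thread. All names, addresses and
! DNs are placeholders; verify command forms against the 7.2(4) reference.

! Attribute map: translate an AD group membership into an ASA group policy.
! On 7.x the Cisco-side attribute that selects the group policy is
! IETF-Radius-Class (the Group-Policy name arrived in later releases).
ldap attribute-map AD-TO-GP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=vpnusers,CN=Users,DC=old,DC=example,DC=com" vpnusers-gp
  map-value memberOf "CN=vpnusers,CN=Users,DC=new,DC=example,DC=com" vpnusers-gp

! One AAA server group holding a DC from each forest, which is what the second
! post tried. Per-host settings (base DN, bind account) may differ per server.
aaa-server LDAP-AUTHZ protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion
aaa-server LDAP-AUTHZ (inside) host 10.0.0.10
 ldap-base-dn DC=old,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-vpn-ldap,CN=Users,DC=old,DC=example,DC=com
 ldap-login-password <old-forest-bind-password>
 server-type microsoft
 ldap-attribute-map AD-TO-GP
aaa-server LDAP-AUTHZ (inside) host 10.0.1.10
 ldap-base-dn DC=new,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-vpn-ldap,CN=Users,DC=new,DC=example,DC=com
 ldap-login-password <new-forest-bind-password>
 server-type microsoft
 ldap-attribute-map AD-TO-GP

! Policy for matched users, and a "no access" default for users the LDAP
! lookup does not place in a group (vpn-simultaneous-logins 0 blocks login).
group-policy vpnusers-gp internal
group-policy NOACCESS-gp internal
group-policy NOACCESS-gp attributes
 vpn-simultaneous-logins 0

! Certificate-authenticated SSL VPN tunnel group; LDAP is authorization only.
! The UPN from the client certificate is the name sent in the LDAP lookup.
tunnel-group CERT-USERS type webvpn
tunnel-group CERT-USERS general-attributes
 authorization-server-group LDAP-AUTHZ
 authorization-required
 authorization-dn-attributes UPN
 default-group-policy NOACCESS-gp
tunnel-group CERT-USERS webvpn-attributes
 authentication certificate
```

The failover caveat is the one the second post observed: the ASA moves to the next host in an `aaa-server` group only when the current host does not respond (timeout, tracked by `max-failed-attempts`). A host that answers but has no matching userPrincipalName ends the lookup, so two forests in one group do not give "try the next forest" behaviour; the `default-group-policy` with `vpn-simultaneous-logins 0` is what keeps such a user out rather than silently admitting them.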
