LDAP group assignment ASA VPN

Unanswered Question
Jul 2nd, 2008
User Badges:


Is it at all possible to dynamically add users into policy groups via LDAP yet authenticate them against another radius server or alike rather than against the domain. We want to be able to assign the users permissions dynamically, yet still use the SecurEnvoy one time password system rather than their domain passwords.

From what I am reading it seems to suggest its one way or another.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
smahbub Tue, 07/08/2008 - 10:41
User Badges:
  • Silver, 250 points or more

In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory (AD) attribute memberOf, to the IETF-Radius-Class attribute that is understood by the ASA. Once the attribute mapping is established, you must map the attribute value configured on the LDAP server to the name of a group policy on the ASA.

marcantonio Mon, 08/18/2008 - 13:03
User Badges:

Does anyone know if you can use wildcards in these mapping? So, for example, the string Empl* will match the ldap group Employees.



vigleik Mon, 09/28/2009 - 04:01
User Badges:

Did you find a solution to this ? I want to use SecureEnvoy and also Group lock based on OU or group membership in Active Directory.

In ASA 8.2 I see that the LDAP attribute Group Policy is recommended over the radius attribute 25 (class). But I guess we must speak Radius to the SecurEnvoy server. SecurEnvoy can return a list of groups in the radius Class attribute.


This Discussion