ASA 8.0(4) VPN Authorization

Sep 10th, 2008

I have configured client-to-gateway VPNs to authenticate with AD using Kerberos.

What I am trying to do is get LDAP authorization to only allow members of a certain OU to log in. Is this possible by setting the DN to look at one folder and only allow one level on the server configuration on the ASA?

Premdeep Banga Wed, 09/10/2008 - 09:27

Try something like this,

! Values in angle brackets did not survive in the post and are placeholders
! to be replaced with your own LDAP server address and tunnel-group name.
!
! Attribute map: the AD group DN found in memberOf becomes the Cisco
! attribute Tunnel-Group-Lock, whose value must equal the tunnel group the
! user connects to or the connection is rejected. map-value takes the LDAP
! value first and the Cisco value (the tunnel-group name) second.
ldap attribute-map AD-map
 map-name memberOf Tunnel-Group-Lock
 map-value memberOf CN=CiscoVPN,CN=Users,DC=TEST,DC=COM <tunnel-group-name>
!
! LDAP server group used for authorization only (authentication stays on Kerberos).
aaa-server LDAP-AUTHO protocol ldap
aaa-server LDAP-AUTHO (inside) host <ldap-server-ip>
 ldap-base-dn DC=TEST,DC=COM
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=admin,CN=Users,DC=TEST,DC=COM
 server-type microsoft
 ldap-attribute-map AD-map
!
! Attach the authorization server group to the tunnel group the clients use.
tunnel-group <tunnel-group-name> general-attributes
 authorization-server-group LDAP-AUTHO



Please rate if it helps!
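As an added illustration (not from the post and not Cisco ASA code), the following Python models the two controls this thread turns on: how ldap-base-dn and ldap-scope decide which users are found at all, and how the memberOf to Tunnel-Group-Lock attribute map decides whether the tunnel group a user connects to admits them. The tunnel-group name RA-VPN is an assumed placeholder, and the rule that an unmatched memberOf value passes through unmapped is the model's assumption.

```python
# Added model of the thread's ASA LDAP authorization, not ASA code. The
# tunnel-group name "RA-VPN" is an assumed placeholder (the post omits it).
ATTRIBUTE_MAP = {
    # map-name memberOf Tunnel-Group-Lock / map-value memberOf <group DN> RA-VPN
    "memberOf": ("Tunnel-Group-Lock",
                 {"cn=ciscovpn,cn=users,dc=test,dc=com": "RA-VPN"}),
}

def normalize_dn(dn):
    """Lower-case and strip each RDN (AD DNs compare case-insensitively);
    escaped commas inside an RDN are deliberately not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(user_dn, base_dn, scope):
    """ldap-scope semantics: 'onelevel' finds only direct children of the
    base DN, 'subtree' finds anything beneath it."""
    u, b = normalize_dn(user_dn), normalize_dn(base_dn)
    if len(u) <= len(b) or u[-len(b):] != b:
        return False
    return scope == "subtree" or len(u) == len(b) + 1

def map_attributes(entry):
    """Apply map-name/map-value. A matched value becomes the Cisco value;
    an unmatched memberOf passes through unchanged (model assumption), so a
    member of some other group gets a lock that matches no tunnel group."""
    cisco = {}
    for ldap_attr, values in entry.items():
        if ldap_attr not in ATTRIBUTE_MAP or not values:
            continue
        cisco_name, value_map = ATTRIBUTE_MAP[ldap_attr]
        mapped = [value_map.get(",".join(normalize_dn(v)), v) for v in values]
        # When the user is in several groups, an explicitly mapped value wins.
        hits = [m for m in mapped if m in value_map.values()]
        cisco[cisco_name] = hits[0] if hits else mapped[0]
    return cisco

def authorize(user_dn, entry, tunnel_group, base_dn, scope="subtree"):
    """Return (allowed, reason) for a connection attempt to tunnel_group."""
    if not in_scope(user_dn, base_dn, scope):
        return False, "user not found under ldap-base-dn with this ldap-scope"
    lock = map_attributes(entry).get("Tunnel-Group-Lock")
    if lock is None:
        # No memberOf at all: no lock is returned, so nothing restricts the user.
        return True, "no Tunnel-Group-Lock returned; connection not restricted"
    if lock != tunnel_group:
        return False, "Tunnel-Group-Lock %r does not match %s" % (lock, tunnel_group)
    return True, "Tunnel-Group-Lock matches"
```

The third branch of authorize is the case to watch: an account with no group memberships returns no lock and is not restricted by this mechanism, so the OU scope (or an extra mapped attribute) has to carry that restriction.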

newenglandsteve Wed, 09/10/2008 - 09:34

Thanks! The piece I am missing is the attribute map. I will try and let you know.
