AD groups / LDAP for remote access user authorization

Unanswered Question
Feb 2nd, 2009

I'm trying to configure an ASA5540 to use LDAP for remote access user authorization. I am using certificates for authentication, and using the userPrincipalName field from the certificate for authorization purposes. I am trying to set up an LDAP attribute map which will only allow a user to connect to VPN if he/she is a member of a specific group. I haven't been able to get this working. The problem I have run into is that even if a user isn't a member of the group I have defined in the LDAP attribute map, the user will be authorized because the user account exists in AD. Any help would be greatly appreciated.

Ivan Martinon (Cisco Employee) Mon, 02/02/2009 - 17:28

Can you post your ldap configuration and your ldap attribute map configuration? You need to map the memberOf value to the Radius-IETF-Class, which will map to the desired group policy; when there is no match they should fall within the DefaultGroupPolicy (not the exact name), which then will not allow them to connect. Please post your config and I will tell you what you are missing.

jgolson Tue, 02/03/2009 - 05:59

I'm actually not trying to use the LDAP map to put users into a group policy, I am using group urls and the users know which url to use. All I want the LDAP map to do is verify that the user is a member of the group they are trying to VPN with, and deny them access if they aren't. What I've noticed is that even if a user is not a member of the correct group, they will pass authorization.

jgolson Tue, 02/03/2009 - 07:28

Authentication is done by requiring client certificates and using OCSP responders to check for certificate revocation.

Ivan Martinon (Cisco Employee) Tue, 02/03/2009 - 07:50

Ok, so basically you only have authorization required on the tunnel group, but you have not told the device what would be a non-authorized state, right?

jgolson Tue, 02/03/2009 - 07:55

Correct. I'm not really sure how to tell the ASA what it should be looking for. It seems like the LDAP attribute map options for IETF-Radius-Class are only for matching AD groups to VPN groups. I've been using Tunneling-Protocols, which does ensure the user connects with the proper method, but doesn't have a true/false option. Any suggestions?

Ivan Martinon (Cisco Employee) Tue, 02/03/2009 - 08:03

When using the ldap map, you can map the memberOf, for example, either to a tunnel protocol (one which is allowed and one which is not), or to a specific group policy which will or will not have permission to connect. I have done this several times and this is the most viable solution for me in your kind of setup.

jgolson Tue, 02/03/2009 - 08:11

I am using the memberOf attribute and tying it to the Tunneling-Protocols Cisco Name. Up until now, it seems like the ASA would accept the user even if they weren't a member of the AD group I am pointing it to. In my testing today though, if you aren't a member of the group it will take you to a "Goodbye" page. What gets returned to the ASA when it uses the LDAP attribute map?

jgolson Tue, 02/03/2009 - 09:20

Thanks for your help. After looking through those, I think I am going to have to change some AD settings to get this to work as I envisioned.

fabiossilva Tue, 04/28/2009 - 09:36

Hello jgolson,

I have the same problem. I want to allow only the users that are in the VPN group, but the ASA seems to allow access for all users, not just those that are in the VPN group.

I read the links that imartino sent.

Have you solved this problem? How?

Ivan Martinon (Cisco Employee) Tue, 04/28/2009 - 09:43

Can you post the config that you have created to restrict the user? What is your policy to restrict the user: are you using group policy tunnel protocol? Are you using dial-in access?

fabiossilva Tue, 04/28/2009 - 10:19

Hi Imartino,

Here is the config of the ASA for the aaa, ldap, and VPN. I don't know what is missing.

ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY

Where VPN is the group that my users must be in to authenticate and have VPN access to the network. If the user isn't in the VPN group of AD, the user should not be able to connect.

aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (inside) host LDAPHOST
 ldap-base-dn DC=domain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password 123456
 ldap-login-dn CN=asavpn,CN=Users,DC=domain,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP

Where LDAPHOST is the server that has the AD, and asavpn is the user that has the right to authenticate in the AD.

Here is the tunnel-group conf:

tunnel-group VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAPSERVER
 default-group-policy VPN
group-policy VPN internal
group-policy VPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec

Here is part of the debug of the ldap auth process:

[4288] displayName: value = Fabio Silva
[4288] uSNCreated: value = 15114
[4288] memberOf: value = CN=VPN,DC=domain,DC=local
[4288] mapped to IETF-Radius-Class: value = VPNPOLICY


But if I remove the user from the VPN group of AD, the authentication still succeeds.

What is wrong?

Best Regards.

Ivan Martinon (Cisco Employee) Tue, 04/28/2009 - 10:25

That is because the user is assigned to the default group-policy that is configured on the tunnel group it is connecting to. You need to make this default group-policy somehow prevent the user from connecting if they are not mapped to the correct group-policy; what I do for this is set the tunnel-protocol to something different than IPSec.

LBS-BZ-HI Fri, 12/04/2009 - 05:22

I know that's an old post, but you can try to set the Simultaneous Logins of the DefaultGroup to 0, so nobody who gets the Default Group will be able to login.
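As an added illustration (not code from the thread, from Cisco, or from any poster), the following Python model traces the decision chain the replies describe: the attribute map turns a matching memberOf DN into a group-policy name, anything that does not match falls into the tunnel-group's default-group-policy, and only then are that policy's vpn-tunnel-protocol and vpn-simultaneous-logins settings checked. It runs fabiossilva's configuration as posted (default-group-policy VPN permits IPSec, so a non-member is still admitted) beside the two fixes suggested in the thread: a default policy with vpn-simultaneous-logins 0 and a default policy whose tunnel protocol is not IPSec. The policy names NOACCESS-LOGINS and NOACCESS-PROTO, the two sample users and their memberOf values are constructed for the example; the ASA attribute names are the ones used in the thread.

```python
"""Model of ASA group-policy selection via an LDAP attribute map.

Added example: this is a simulation written for illustration, not ASA code.
Sample users, DNs and the NOACCESS-* policy names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class GroupPolicy:
    name: str
    tunnel_protocols: FrozenSet[str]   # vpn-tunnel-protocol values
    simultaneous_logins: int = 3       # vpn-simultaneous-logins (ASA default is 3)

@dataclass(frozen=True)
class TunnelGroup:
    name: str
    default_group_policy: str          # default-group-policy under general-attributes

# ldap attribute-map CISCOMAP as posted in the thread:
#  map-name  memberOf IETF-Radius-Class
#  map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY
ATTRIBUTE_MAP: Dict[str, Dict[str, str]] = {
    "memberOf": {"CN=VPN,DC=domain,DC=local": "VPNPOLICY"},
}

def map_group_policy(ldap_entry: Dict[str, List[str]],
                     attribute_map: Dict[str, Dict[str, str]],
                     default_policy: str) -> str:
    """Return the group-policy the map selects. memberOf is multi-valued, so
    every DN is compared against the map-value lines; with no match the
    session lands in the tunnel-group default-group-policy."""
    for attr, value_map in attribute_map.items():
        for value in ldap_entry.get(attr, []):
            if value in value_map:
                return value_map[value]
    return default_policy

def authorize(ldap_entry: Dict[str, List[str]], tunnel_group: TunnelGroup,
              client_protocol: str, policies: Dict[str, GroupPolicy],
              attribute_map: Dict[str, Dict[str, str]] = ATTRIBUTE_MAP
              ) -> Tuple[bool, str, str]:
    """Authorization outcome: (allowed, policy applied, reason)."""
    policy = policies[map_group_policy(ldap_entry, attribute_map,
                                       tunnel_group.default_group_policy)]
    if policy.simultaneous_logins == 0:            # LBS-BZ-HI's suggestion
        return (False, policy.name, "vpn-simultaneous-logins 0")
    if client_protocol not in policy.tunnel_protocols:   # Ivan's suggestion
        return (False, policy.name, "protocol not in vpn-tunnel-protocol")
    return (True, policy.name, "permitted")

# Constructed directory entries: one member of CN=VPN, one non-member.
MEMBER = {"sAMAccountName": ["fsilva"],
          "memberOf": ["CN=Staff,DC=domain,DC=local", "CN=VPN,DC=domain,DC=local"]}
NON_MEMBER = {"sAMAccountName": ["guest"],
              "memberOf": ["CN=Staff,DC=domain,DC=local"]}

POLICIES = {
    "VPN": GroupPolicy("VPN", frozenset({"IPSec"})),            # as posted
    "VPNPOLICY": GroupPolicy("VPNPOLICY", frozenset({"IPSec"})),  # the mapped target
    "NOACCESS-LOGINS": GroupPolicy("NOACCESS-LOGINS", frozenset({"IPSec"}),
                                   simultaneous_logins=0),
    "NOACCESS-PROTO": GroupPolicy("NOACCESS-PROTO", frozenset({"webvpn"})),
}

# Same tunnel-group VPN, three different default-group-policy choices.
SCENARIOS = {
    "as_posted": TunnelGroup("VPN", "VPN"),
    "default_logins_0": TunnelGroup("VPN", "NOACCESS-LOGINS"),
    "default_other_protocol": TunnelGroup("VPN", "NOACCESS-PROTO"),
}

def run_scenarios() -> Dict[str, Dict[str, Tuple[bool, str, str]]]:
    """Evaluate both sample users against every scenario with an IPSec client."""
    return {
        label: {
            "member": authorize(MEMBER, tg, "IPSec", POLICIES),
            "non_member": authorize(NON_MEMBER, tg, "IPSec", POLICIES),
        }
        for label, tg in SCENARIOS.items()
    }

if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        for user, (ok, pol, why) in outcome.items():
            print(f"{label:24} {user:11} -> {'ALLOW' if ok else 'DENY ':5} via {pol} ({why})")
```

The "as_posted" row reproduces the symptom in the debug output: the member is mapped to VPNPOLICY, but the non-member is simply dropped into the default policy VPN, which permits IPSec, so both connect. Either hardening of the default policy closes that path while leaving the mapped group-policy untouched.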
