Unanswered Question
Mar 27th, 2009

Hi all,

I need to do authentication of users by Microsoft LDAP (Active Directory). However, I am not able to identify the meaning of NAMING ATTRIBUTE(S).

Does someone know how I can find this attribute to work with MS-LDAP?

leandro.candido Fri, 03/27/2009 - 18:14

Thanks for the information!

I am using LDAP for HTTP, HTTPS and VPN access authentication.


srue Fri, 03/27/2009 - 18:41

I wrote this document up a while back for a client. Maybe it has something useful to you:

LDAP VPN Authentication


Group Policy Assignment on the ASA

The following links were useful in creating the configuration for LDAP authentication and group policy assignment:

There are a few caveats when configuring this on the ASA. The LDAP account used to bind and authenticate users is based on the display name in Active Directory, not the username, and should contain no spaces. If using the password management feature, this account must either be in the built-in Account Operators group or be assigned the change-password permissions in Active Directory; otherwise, a regular domain account may be used. To see exactly what should be used in the aaa-server LDAP configuration, run the following command from a DOS prompt on the Windows AD server:

dsquery user -samid username

The output of this command should be used in the aaa-server section for the LDAP server.

Spaces are allowed in the LDAP attribute mappings, however, as long as quotation marks are used around the entire LDAP path. The 'memberOf' attribute is the AD LDAP attribute used to map to the specific group-policy on the ASA appliance.

Password management, the ability for the remote VPN user to change their Active Directory password, relies on the use of LDAP over SSL, as seen in the example configuration that follows at the end of this document. Once users are assigned their group policies, any configuration under that group-policy is applied to them as usual. This can include VPN filters (ACLs), a different DHCP scope, different DNS servers, etc. Most problems associated with this configuration can be traced back to the LDAP syntax used.

An example VPN configuration follows, using LDAP as the backend authentication server to assign group-policies:

crypto dynamic-map REMOTEVPN 5 set transform-set ets3des
crypto map emap 65535 ipsec-isakmp dynamic REMOTEVPN

ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP1
 map-value memberOf "CN=VPNGROUP2,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP2

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=asaadmin,CN=Users,DC=domain,DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CISCOMAP

ip local pool vpnpool mask

access-list acl1_name permit ip x.x.x.x z.z.z.z
access-list acl2_name permit ip y.y.y.y z.z.z.z

tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 authentication-server-group LDAP
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *

group-policy VPNGROUP1 internal
group-policy VPNGROUP1 attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value
 vpn-filter value acl1_name

group-policy VPNGROUP2 internal
group-policy VPNGROUP2 attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value
 vpn-filter value acl2_name

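The model below, added here as an illustration and not part of the original post or of any Cisco code, walks through what the aaa-server stanza above makes the ASA do for one login: bind with ldap-login-dn, search ldap-base-dn with ldap-scope subtree for the one entry whose ldap-naming-attribute (sAMAccountName) equals the typed username, rebind as that entry's DN with the user's password, and map memberOf through the attribute-map to a group-policy. The directory contents, passwords and the fallback policy name DfltGrpPolicy are constructed assumptions; a real domain controller is reached over LDAPS and never returns passwords.

```python
# Added example: a model of the lookup-bind-map sequence behind the ASA
# configuration above. Not Cisco code. All data below is constructed.

# Constructed sample directory: DN -> attributes. userPassword stands in for
# AD's password check only; a real DC never hands a password back to a client.
DIRECTORY = {
    "CN=asaadmin,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": "asaadmin",
        "userPassword": "bind-secret",
        "memberOf": [],
    },
    "CN=Leandro Candido,OU=Domain Accounts,DC=domain,DC=com": {
        "sAMAccountName": "lcandido",
        "userPassword": "user-secret",
        "memberOf": ["CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com"],
    },
    "CN=Guest User,OU=Domain Accounts,DC=domain,DC=com": {
        "sAMAccountName": "guest",
        "userPassword": "guest-secret",
        "memberOf": [],  # in no mapped group: falls through to the default policy
    },
}

# 'ldap attribute-map CISCOMAP': memberOf value -> ASA group-policy name
ATTRIBUTE_MAP = {
    "CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com": "VPNGROUP1",
    "CN=VPNGROUP2,OU=Domain Accounts,DC=domain,DC=com": "VPNGROUP2",
}

LOGIN_DN = "CN=asaadmin,CN=Users,DC=domain,DC=com"  # ldap-login-dn
LOGIN_PASSWORD = "bind-secret"                       # ldap-login-password (assumed)


class AuthError(Exception):
    """Any failure that must end the login as 'access denied'."""


def simple_bind(dn, password):
    """Model of an LDAP simple bind.

    An empty password is refused before anything else: RFC 4513 section 5.1.2
    lets a server treat DN + empty password as an *anonymous* bind that
    succeeds, so a client that forwards an empty password would let anyone in.
    """
    if not password:
        raise AuthError("empty password: unauthenticated bind refused")
    entry = DIRECTORY.get(dn)
    if entry is None or entry["userPassword"] != password:
        raise AuthError("invalid credentials for %s" % dn)
    return entry


def find_user_dn(base_dn, naming_attribute, username):
    """What ldap-base-dn, ldap-scope subtree and ldap-naming-attribute do together:
    search the subtree for the single entry whose naming attribute equals the
    username typed at the VPN prompt and return that entry's DN.

    sAMAccountName is case-insensitive in AD, so the comparison folds case.
    The subtree test is a simplified DN suffix comparison.
    """
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith(base_dn.lower())
        and attrs.get(naming_attribute, "").lower() == username.lower()
    ]
    if len(matches) != 1:  # zero: unknown user; several: ambiguous, refuse
        raise AuthError("%d entries match %s=%s" % (len(matches), naming_attribute, username))
    return matches[0]


def authenticate_vpn_user(username, password, base_dn="DC=domain,DC=com",
                          naming_attribute="sAMAccountName",
                          default_policy="DfltGrpPolicy"):
    """The four steps behind 'authentication-server-group LDAP'."""
    simple_bind(LOGIN_DN, LOGIN_PASSWORD)                        # 1. service-account bind
    user_dn = find_user_dn(base_dn, naming_attribute, username)  # 2. username -> DN
    user = simple_bind(user_dn, password)                        # 3. rebind as the user
    for group_dn in user["memberOf"]:                            # 4. memberOf -> policy
        if group_dn in ATTRIBUTE_MAP:
            return user_dn, ATTRIBUTE_MAP[group_dn]
    return user_dn, default_policy  # default_policy is an assumed name


def try_login(username, password):
    """Convenience wrapper: (True, group_policy) or (False, reason)."""
    try:
        _, policy = authenticate_vpn_user(username, password)
        return True, policy
    except AuthError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for creds in (("lcandido", "user-secret"), ("guest", "guest-secret"),
                  ("lcandido", ""), ("nobody", "x"), ("Leandro Candido", "user-secret")):
        print(creds[0], "->", try_login(*creds))
```

Typing the display name "Leandro Candido" fails here even with the right password, because the naming attribute is sAMAccountName and nothing in the search matches the CN: that is the practical meaning of ldap-naming-attribute. The model applies the first mapped group found in memberOf order; for users in several mapped groups, confirm the appliance's own behaviour with `debug ldap 255` rather than relying on this model. The explicit empty-password check is the one security check worth keeping in mind when reviewing any LDAP-backed login path.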
