group-lock and ldap authentication

Unanswered Question
Jul 16th, 2009

I have setup my users to authenticate via ldap for RA VPN on my ASA 5520. The users get logged in without any issues and get the correct information but I found the users are able to login under another group name. Originally I was using the tunnel-lock option when they were local users but now that appears to not be working anymore. I've setup the mapping to authenticate the users against AD with ldap, and retrieve the memberOf value and map this to the IETF-Class value. Is their something I'm missing?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Todd Pula Thu, 07/16/2009 - 14:12

It sounds like you are on the right track. You can either configure the tunnel group lock under the respective group policy or utilize an LDAP attribute map to associate the lock. For example, you could look at the Department associated with the user and use the corresponding value to lock them to the corresponding tunnel group.

ldap attribute-map Tunnel-Lock

map-name department Tunnel-Group-Lock

esossamon Mon, 08/03/2009 - 06:57

I tried the option to configure the tunnel group lock under the respective group policy but it does not seem to work...any ideas?

Actions

This Discussion