IPSec Cisco client authentication based on AD group membership

Unanswered Question
Aug 27th, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.

We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership. I'm just stumped with how to kick off the second step to check group membership.

Anyone have a sample config floating around?

Jatin Katyal Fri, 08/28/2009 - 04:48

Hi John,

I went through your detailed explanation and the screenshot attached. Your config still needs some changes, like the scope and the LDAP attribute map.

Here is a sample config that you may refer to:

- Configuration for restricting access to a particular windows group on AD

! Fallback policy for users who are in no mapped group: no address pool, so they cannot connect
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 1
 address-pools none
!
! Map the AD memberOf attribute onto IETF-Radius-Class, which the ASA uses to select the group-policy
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 server-port 389
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! Policy granted to members of the mapped group
group-policy internal
group-policy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value
!
tunnel-group type remote-access
tunnel-group general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess
group-policy noaccess attributes
 vpn-simultaneous-logins 1

If this doesn't work for you, then attach "sh run" from the ASA and the output of "debug ldap 255" in your next reply.
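As an added example, not from the thread or from Cisco, this Python model shows why the two settings Jatin points at matter: the user search runs from the base DN with the configured scope and naming attribute (a group DN as base, or a too-narrow scope, gives the "can't find user" result John saw), and the attribute map then turns memberOf into a group-policy, with everyone else falling to the noaccess default. The directory contents, DNs and policy name are constructed sample values.

```python
# Added example, not from the thread: a toy model of the ASA's LDAP user search and
# "ldap attribute-map" policy selection. Directory, DNs and policy names are constructed.
DIRECTORY = {  # constructed AD tree: DN -> attributes
    "CN=jdoe,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "memberOf": ["CN=RA-VPN-Users,OU=Groups,DC=example,DC=com"],
    },
    "CN=asmith,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "asmith",
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
    "CN=RA-VPN-Users,OU=Groups,DC=example,DC=com": {"objectClass": "group"},
}
# "map-value memberOf <group DN> <policy>" entries; AD DNs compare case-insensitively.
MEMBEROF_TO_POLICY = {"cn=ra-vpn-users,ou=groups,dc=example,dc=com": "RA-VPN-Policy"}
DEFAULT_POLICY = "noaccess"  # default-group-policy on the tunnel-group


def _under(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or sits below it (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(base_dn: str, scope: str, naming_attr: str, username: str):
    """ASA user lookup: ldap-base-dn + ldap-scope + ldap-naming-attribute=username.
    Returns the user's attributes, or None (reported by the ASA as user not found)."""
    for dn, attrs in DIRECTORY.items():
        if not _under(dn, base_dn):
            continue
        if scope == "onelevel" and dn.count(",") != base_dn.count(",") + 1:
            continue  # onelevel only sees direct children of the base DN
        if attrs.get(naming_attr, "").lower() == username.lower():
            return attrs
    return None


def select_policy(attrs: dict) -> str:
    """Apply the attribute map to memberOf; users in no mapped group get the default."""
    for group_dn in attrs.get("memberOf", []):
        policy = MEMBEROF_TO_POLICY.get(group_dn.lower())
        if policy:
            return policy
    return DEFAULT_POLICY


def authorize(base_dn: str, scope: str, username: str) -> str:
    """End to end: 'not-found', or the group-policy the user would be placed in."""
    attrs = find_user(base_dn, scope, "sAMAccountName", username)
    return "not-found" if attrs is None else select_policy(attrs)
```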




JohnMeggers Mon, 08/31/2009 - 07:03

Hi Jatin,

Thanks for your QUICK reply. I was hoping to work on this over the weekend but had other obligations. I prefer to do this stuff outside of regular business hours - so I'll be testing over the next few evenings. I'll post back with results.
