Clientless SSL VPN Group Policy Issue

Unanswered Question
Feb 18th, 2010


I recently enabled aliases and have them associated with the connection profiles I have defined. The problem I'm running into is regardless of what group I select from the drop down I always get dumped into the same group policy. The connection in the logs shows up correctly but the policy is always the same.

This is one of those problems I think I've just looked at too long and now I'm missing the obvoious.

Any help that someone can provide would be greatly appreciated.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Todd Pula Fri, 02/19/2010 - 09:35

Sounds like you have a group policy assigned to your user either locally on the ASA or via RADIUS attribute 25 or LDAP mapping.  What type of authentication are you using on the tunnel groups you are testing with?

jlizzio Fri, 02/19/2010 - 10:06

I guess that would help right.

Users are being authenticated via ldap. I currently have one map definied and 3 different map values. What seems to be happening is if I have an account in each map value it associates with the first one regardless of the group-alias I select at login.



Todd Pula Fri, 02/19/2010 - 11:08

That is a limitation of the LDAP map feature.  It will only look at the first memberOf attribute value.  DAP doesn't have this limitation but in its current form cannot assign group policies within itself.  In this case, the session would have to be properly segmented via the tunnel-group/group-policy association methods in order to work.

jimsiff Sun, 02/21/2010 - 02:15


So, consider the following LDAP Map:

memberOf "VPN-Employees" > Group Policy "Employees"

memberOf "VPN-Contractors" > Group Policy "Contractors"

memberOf "VPN-Executives" > Group Policy "Executives"

Are you saying that only the first memberOf mapping is ever evaluated?  As in, if a user is a member of VPN-Contractors, they will never match because VPN-Contractors is not the first memberOf attribute in the list?

Or are you saying that only the first matching memberOf attribute is evaluated?  As in, If a user is a member of VPN-Employees and VPN-Executives, only the VPN-Employees memberOf attribute will match?

Thanks for the clarification,


Todd Pula Sun, 02/21/2010 - 04:58

The ldap-attribute-map feature has a limitation with mult-valued AD attributes such as memberOf.  If a user is a memberOf of several AD groups, the ASA will only parse or trigger on the 1st one.  DAP doesn't have this limitation but DAP can't assign authorization attributes in its current form so you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies.  Based on your sample above, only your Employees group would be matched on.

jlizzio Mon, 02/22/2010 - 14:25

Sorry for the delay in my response. I had the flu something fierce.

" you will need to have sessions properly segmented in to multiple tunnel-groups/group-policies"

What's the best way to go about this? Is there a doc or a post you can reference to help?


This Discussion