Hi, I'm trying to authenticate my VPN users to MS AD, which is working perfectly - they can connect and use their AD logins. However, subsequently I would like to assign different group policies based on their security group assignment in AD, which I am trying to achieve with the ldap attribute-map memberOf or Tunnel-Group-Lock.
My understanding is that Tunnel-Group-Lock will assign people to only a specific group policy based on their AD group, which is more suited to my purpose than memberOf.
That said, the first issue is that it doesn't appear to work - users assigned to either Employees_All or Developers_All can log in using either group authentication creds. After enabling debug ldap 255, I can see that the users are being matched to the appropriate group policy, but it appears to be disregarded.
The second issue is that users that are not assigned to either group can also log in using either group authentication creds. I understand that this is because if there are no matches, it falls back to DfltGrpPolicy. So I changed the vpn-simultaneous-logins on the default policy to 0, which locked everyone out, so I changed vpn-simultaneous-logins on the employees and developers group policies to 10, leaving the default at 0. Everyone was still locked out, until I changed the default back to 3.
I've also looked at the msNPAllowDialin, but don't want to have to go through all the non-vpn users and disable VPN access in AD.
Any suggestions would be greatly appreciated. I think I have to be missing something simple.
ldap attribute-map LDAP_map
 map-name Tunnel-Group-Lock IETF-Radius-Class
 map-value Tunnel-Group-Lock CN=Employees_All,OU=Groups,DC=company,DC=com employees_vpn
 map-value Tunnel-Group-Lock CN=Developers_All,OU=Groups,DC=company,DC=com developers_vpn

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.1
aaa-server LDAP (inside) host 10.1.1.2

group-policy employees_vpn internal
group-policy employees_vpn attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-network-list value employees_vpn_split_tunnel_list
tunnel-group employees_vpn type remote-access
tunnel-group employees_vpn general-attributes
tunnel-group employees_vpn ipsec-attributes

group-policy developers_vpn internal
group-policy developers_vpn attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-network-list value developers_vpn_split_tunnel_list
tunnel-group developers_vpn type remote-access
tunnel-group developers_vpn general-attributes
tunnel-group developers_vpn ipsec-attributes
A very simple example of mapping is using just a random AD field like 'Department' and populating that with the group-policy name
ldap attribute-map LDAP_map
 map-name Department IETF-Radius-Class   <<<-- this is now changed to read 'Group-Policy' in 8.2

I see that you have:

ldap attribute-map LDAP_map
 map-name Tunnel-Group-Lock IETF-Radius-Class   (Tunnel-Group-Lock is not an LDAP attribute name.)

ciscoasa#1(config-ldap-attribute-map)# map-name ?

ldap mode commands/options:
  WORD  Enter Customer Attribute Name.

ciscoasa#1(config-ldap-attribute-map)# map-name department ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours
  Allow-Network-Extension-Mode
  Auth-Service-Type
  Authenticated-User-Idle-Timeout
  Authorization-Required
  Authorization-Type
  Banner1
  Banner2
  Cisco-AV-Pair
  Cisco-IP-Phone-Bypass
  Cisco-LEAP-Bypass
  Client-Intercept-DHCP-Configure-Msg
  Client-Type-Version-Limiting
  Confidence-Interval
  DHCP-Network-Scope
  DN-Field
  Firewall-ACL-In
  Firewall-ACL-Out
  Group-Policy   <<<<--- this replaced IETF-Radius-Class
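The following is an added example of the corrected configuration; it is not from any post on this page. It puts the AD attribute (memberOf) in the first position of map-name and the Cisco attribute (Group-Policy) in the second, attaches the map to each LDAP server, and replaces the DfltGrpPolicy edit with a NOACCESS policy used as the tunnel-group default. The base DN, service-account DN and password, the sAMAccountName naming attribute, the NOACCESS policy name, the group-lock lines and the simultaneous-login counts are assumptions, not values from the question.

```text
! Corrected attribute map. map-name takes the LDAP attribute first and the
! Cisco attribute second. Group-Policy is the 8.2+ name; on 8.0/8.1 the same
! line reads "map-name memberOf IETF-Radius-Class".
ldap attribute-map LDAP_map
 map-name memberOf Group-Policy
 map-value memberOf CN=Employees_All,OU=Groups,DC=company,DC=com employees_vpn
 map-value memberOf CN=Developers_All,OU=Groups,DC=company,DC=com developers_vpn

! The map only takes effect once it is bound to the LDAP server hosts.
! Base DN, login DN, naming attribute and password are assumed placeholders.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.1
 ldap-base-dn DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,OU=ServiceAccounts,DC=company,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map LDAP_map
aaa-server LDAP (inside) host 10.1.1.2
 ldap-base-dn DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,OU=ServiceAccounts,DC=company,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map LDAP_map

! Users in neither AD group get no Group-Policy attribute from the map and
! fall back to the tunnel-group default. Make that default a policy that
! refuses logins instead of changing DfltGrpPolicy, which every other
! policy inherits unset attributes from.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec l2tp-ipsec

! Mapped policies set vpn-simultaneous-logins explicitly so they do not
! inherit a value from DfltGrpPolicy. group-lock ties each policy to its
! own tunnel-group, so a developer dialling the employees_vpn group is
! rejected even though the AD lookup succeeds (assumed setting).
group-policy employees_vpn internal
group-policy employees_vpn attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-network-list value employees_vpn_split_tunnel_list
 group-lock value employees_vpn

group-policy developers_vpn internal
group-policy developers_vpn attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-network-list value developers_vpn_split_tunnel_list
 group-lock value developers_vpn

! Each tunnel-group authenticates against LDAP and defaults to NOACCESS;
! only a matching memberOf value overrides that with a usable policy.
tunnel-group employees_vpn type remote-access
tunnel-group employees_vpn general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
tunnel-group employees_vpn ipsec-attributes

tunnel-group developers_vpn type remote-access
tunnel-group developers_vpn general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
tunnel-group developers_vpn ipsec-attributes
```

With the original map, the LDAP attribute name never matched anything in AD, so every user fell through to the tunnel-group default; that is why lowering vpn-simultaneous-logins on DfltGrpPolicy locked everyone out regardless of the values on the employees and developers policies. With the map above, debug ldap 255 should show the memberOf value being mapped to the policy name, and a user in neither group should be refused with the simultaneous-logins check rather than dropped into a working default.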
You should have a look at this document, specifically the section:

"Advantages of Using DAP Rather Than Group Policies
• Flexible VPN policy selection criteria based on AAA or endpoint access attributes.
• Tighter integration with Active Directory attributes (for example, memberOf).
• Aggregation of multiple DAP policies."