AnyConnect and nested LDAP memberof

Unanswered Question
Oct 27th, 2010
User Badges:


Below you will see that I have configured two memberOf mappings. The second is what I need help with.

The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine.
However, I think it would be easier to administrate if I can drag user groups under the VPN_CORP group. I've created
this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP.
My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find'
searching for my test user dfood, it doesn't show me that dfood is subordinate to group VPN_CORP, Finance Users but rather
only the original path where the user group Finance Users truly exists.

I know I can enter the full path to the true OU and this would work but this is defeating the purpose
of simplifying this.

I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the
container VPN_CORP? Am I stuck adding users individually?


ldap attribute-map ACME_LDAP_Map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_CORP,CN=Users,DC=acme,DC=com CORP-Policy
  map-value memberOf "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com" CORP-Policy

aaa-server LDAP_SRV_GRP (inside) host
server-port 636
ldap-base-dn DC=acme,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password .x.x.x.x.
ldap-login-dn XXXXXXXXXXXX
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map acme_LDAP_Map

Marcin Latosiewicz Wed, 10/27/2010 - 15:45
User Badges:
  • Cisco Employee,


This is not really my cup of tea, but here goes, I've done some searching.

I think your best choice if you want to use multiple memberOf attributes is to use DAP.

If you can maybe re-phrase what you're trying to achieve maybe I could dig in a bit more. (It's 1AM here, hard to concentrate ;])


Billy Dodson Wed, 10/27/2010 - 17:34

I know with at least ASA code 8.2(3) using DAP's you can select users based on Active Directory Security group membership rather than OU based membership.  No LDAP attribute tricks needed, you just setup LDAP to look at your domain and then you can see your list of security groups and pick and choose.

Billy Dodson Wed, 10/27/2010 - 17:36

And another thing: the option seems to only be available from ASDM. When I modify the DAP and choose security groups I do not see any associated commands show up in the CLI.

bberry Thu, 05/24/2012 - 07:06

I know this is from over a year ago and was wondering if anything had changed? I too am looking to try to use nested members for my VPN authentication.

Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent, I am now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this method.

I noticed in the above that there was a reference to DAP? If that is the solution where can I find more information on how this works and how to set it up?


Marcin Latosiewicz Thu, 05/24/2012 - 07:19
User Badges:
  • Cisco Employee,


The basic limitation is still there -> i.e. the enhancements have not been implemented.

What DAP allows you to do is police based on LDAP attributes - including memberOf attributes as returned by the LDAP server.


bberry Thu, 05/24/2012 - 08:25


So if I understand this right I can take multiple LDAP memberOf attributes and use or/and to make a policy match. In my case there would be an LDAP memberOf for each location with them all "or" together? Can I take this one step further and depending on where the match is also modify the network list the user has access to?


Marcin Latosiewicz Thu, 05/24/2012 - 13:35
User Badges:
  • Cisco Employee,


I can't find a server to check this against unfortunately.

My recollection is that even with DAP we would get only first level memberOf information - you can check by running "debug dap trace" while connecting. You can run this by TAC to be completely sure.

You can use any entry (or entries) to apply different policies - including but not limited to access control.
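Added illustration (not code from the thread or from Cisco): a small model of why the second map-value in the original post never matches. The directory entries are constructed sample data; `direct_member_of` mirrors the first-level memberOf matching described above, and `transitive_member_of` shows the nested-group expansion that would be needed for dfood to inherit CORP-Policy through "Finance Users".

```python
# Added illustration: models an ASA-style ldap attribute-map matching the
# memberOf values an LDAP server returns, versus expanding nested groups.
# All directory contents below are constructed sample data.

# DN -> memberOf values AD would return for that entry. Nesting a group inside
# VPN_CORP does not change the nested group's DN; it only adds a memberOf value.
DIRECTORY = {
    "CN=dfood,OU=Staff,DC=acme,DC=com": [
        "CN=Finance Users,OU=Groups,DC=acme,DC=com",
    ],
    "CN=Finance Users,OU=Groups,DC=acme,DC=com": [
        "CN=VPN_CORP,CN=Users,DC=acme,DC=com",
    ],
    "CN=VPN_CORP,CN=Users,DC=acme,DC=com": [],
}

# The two map-values from the original post: memberOf DN -> group-policy name.
# The second entry is a "path" that never appears as a real DN in the directory.
ATTRIBUTE_MAP = {
    "CN=VPN_CORP,CN=Users,DC=acme,DC=com": "CORP-Policy",
    "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com": "CORP-Policy",
}

def direct_member_of(user_dn):
    """Only the memberOf values on the user's own entry (first level)."""
    return list(DIRECTORY.get(user_dn, []))

def transitive_member_of(user_dn):
    """Expand nested groups by walking memberOf on each group entry.
    The seen list guards against circular nesting."""
    seen, stack = [], list(DIRECTORY.get(user_dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.append(group)
        stack.extend(DIRECTORY.get(group, []))
    return seen

def apply_map(member_of_values):
    """Policies whose map-value DN exactly equals a memberOf value.
    DNs are compared case-insensitively here (this model's choice); there is
    no substring or container-path matching."""
    wanted = {dn.lower(): policy for dn, policy in ATTRIBUTE_MAP.items()}
    return sorted({wanted[v.lower()] for v in member_of_values if v.lower() in wanted})

if __name__ == "__main__":
    user = "CN=dfood,OU=Staff,DC=acme,DC=com"
    print("direct    :", apply_map(direct_member_of(user)))      # []
    print("transitive:", apply_map(transitive_member_of(user)))  # ['CORP-Policy']
```

With first-level matching the user gets no policy, because the DN the server returns is the group's real location under OU=Groups, not a path under VPN_CORP; only the transitive walk reaches VPN_CORP.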


