Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5392
Views
0
Helpful
7
Replies

AnyConnect and nested LDAP memberof

jskrawczyk
Level 1
Level 1

‎10-27-2010 09:22 AM - edited ‎02-21-2020 04:56 PM

Hi

Below you will see that I have configured two memberOf mapings. The second is what I need help with.

The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine.
However, I think it would be easier to adminisrate if I can drag user groups under the VPN_CORP group. I've created
this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP.
My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find'
searching for my test user dfood, it doesn't show me that dfood is suboedenant to group VPN_CORP, Finance Users but rather
only the original path where the user group Finance Users truely exist.

I know I can enter the full path to the true OU and this would work but this is defeating the purpose
of simplifying this.

I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the
container VPN_CORP? Am I stuck adding users individually?


Sincerely
Jeff

ldap attribute-map ACME_LDAP_Map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN_CORP,CN=Users,DC=acme,DC=com CORP-Policy
  map-value memberOf “CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com” CORP-Policy

aaa-server LDAP_SRV_GRP (inside) host 10.8.16.140
server-port 636
ldap-base-dn DC=acme,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password .x.x.x.x.
ldap-login-dn XXXXXXXXXXXX
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map acme_LDAP_Map

Labels:
0 Helpful
7 Replies 7

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-27-2010 03:45 PM

Jeff,

This is not really my cup of tea, but here goes I've done some searching.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso24147

I think your best choice if you want to use multiple memberOf attributes it to use DAP.

If you can maybe re-phrase what you're trying to achieve maybe I could dig in a bit more. (It's 1AM here, hard to concentrate ;])

Marcin

0 Helpful

Billy Dodson
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-27-2010 05:34 PM

I know with at least ASA code 8.2(3) using DAP's you can select users based on Active Directory Security group membership rather than OU based membership.  No LDAP attribute tricks needed, you just setup LDAP to look at your domain and then you can see your list of security groups and pick and choose.

0 Helpful

Billy Dodson
Level 1
Level 1
In response to Billy Dodson

‎10-27-2010 05:36 PM

And another thing the option seems to only be available from ASDM.  When I modifiy the DAP and choose security groups I do not see any associated commands show up in the CLI.

0 Helpful

bberry
Level 1
Level 1

‎05-24-2012 07:06 AM

I know this is from over a year ago and was wondering if anything had changed? I to am looking to try to use nested members for my VPN authentication.

Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent I an now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this mothod.

I noticed in the above that there was a reference to DAP? If that is the solution where can I find more information on how this works and how to set it up?

Brent

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to bberry

‎05-24-2012 07:19 AM

Brent,

The basic limitation is still there -> i.e. the enhancements have not been implmented.

What DAP allows you to do is police based on LDAP attributes - including memberof attributes as retunerd by the LDAP server.

M.

0 Helpful

bberry
Level 1
Level 1
In response to Marcin Latosiewicz

‎05-24-2012 08:25 AM

Marcin,

So if I understand this right I can take multiple LDAP membersof and use or/and to make a policy match. In my case there would be an LDAP memberof for each location with them all "or" together? can I take this one step further and depending on where the match is also modify the network list the user has access to?

Brent

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to bberry

‎05-24-2012 01:35 PM

Brent,

I can't find a server to check this against unfortunately.

My recollection is that even with DAP we would get only first level memberof information - you can check by running "debug dap trace" while connecting.  You can run this by TAC to be completly sure.

You can use any entry (or entries) to apply different policies - including but not limited to access control.

M.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents