10-27-2010 09:22 AM - edited 02-21-2020 04:56 PM
Hi
Below you will see that I have configured two memberOf mappings. The second is what I need help with.
The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine.
However, I think it would be easier to administrate if I can drag user groups under the VPN_CORP group. I've created
this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP.
My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find'
searching for my test user dfood, it doesn't show me that dfood is subordinate to group VPN_CORP, Finance Users but rather
only the original path where the user group Finance Users truly exists.
I know I can enter the full path to the true OU and this would work but this is defeating the purpose
of simplifying this.
I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the
container VPN_CORP? Am I stuck adding users individually?
Sincerely
Jeff
! LDAP attribute map: memberOf group DNs mapped to the group-policy name
ldap attribute-map ACME_LDAP_Map
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPN_CORP,CN=Users,DC=acme,DC=com CORP-Policy
map-value memberOf "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com" CORP-Policy
! AAA server group pointing at the domain controller over LDAPS
aaa-server LDAP_SRV_GRP (inside) host 10.8.16.140
server-port 636
ldap-base-dn DC=acme,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password .x.x.x.x.
ldap-login-dn XXXXXXXXXXXX
ldap-over-ssl enable
server-type microsoft
! Map name must match the ldap attribute-map name exactly (names are case-sensitive)
ldap-attribute-map ACME_LDAP_Map
10-27-2010 03:45 PM
Jeff,
This is not really my cup of tea, but here goes; I've done some searching.
I think your best choice if you want to use multiple memberOf attributes is to use DAP.
If you can maybe re-phrase what you're trying to achieve maybe I could dig in a bit more. (It's 1AM here, hard to concentrate ;])
Marcin
10-27-2010 05:34 PM
I know with at least ASA code 8.2(3) using DAPs you can select users based on Active Directory Security group membership rather than OU based membership. No LDAP attribute tricks needed, you just set up LDAP to look at your domain and then you can see your list of security groups and pick and choose.
10-27-2010 05:36 PM
And another thing: the option seems to only be available from ASDM. When I modify the DAP and choose security groups I do not see any associated commands show up in the CLI.
05-24-2012 07:06 AM
I know this is from over a year ago and was wondering if anything had changed? I too am looking to try to use nested members for my VPN authentication.
Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent, I am now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this method.
I noticed in the above that there was a reference to DAP? If that is the solution where can I find more information on how this works and how to set it up?
Brent
05-24-2012 07:19 AM
Brent,
The basic limitation is still there -> i.e. the enhancements have not been implemented.
What DAP allows you to do is police based on LDAP attributes - including memberOf attributes as returned by the LDAP server.
M.
05-24-2012 08:25 AM
Marcin,
So if I understand this right I can take multiple LDAP memberOf values and use or/and to make a policy match. In my case there would be an LDAP memberOf for each location with them all "or"ed together? Can I take this one step further and, depending on where the match is, also modify the network list the user has access to?
Brent
05-24-2012 01:35 PM
Brent,
I can't find a server to check this against unfortunately.
My recollection is that even with DAP we would get only first-level memberOf information - you can check by running "debug dap trace" while connecting. You can run this by TAC to be completely sure.
You can use any entry (or entries) to apply different policies - including but not limited to access control.
M.
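The point raised in the original post and again in the reply just above (memberOf is not transitive, so an attribute map or DAP only ever sees the groups a user is a direct member of) can be shown with a small model. This is an added example, not code from the thread or from Cisco; it simulates an ASA-style memberOf attribute map over a constructed directory of DNs (dfood, jdoe, "Finance Users", VPN_CORP) and contrasts direct-membership matching with a transitive walk through nested groups. The DN normalization and the cycle guard are this example's own choices, not documented ASA behaviour.

```python
# Added example (not from the thread): why a memberOf attribute map does not
# match users whose membership in VPN_CORP is only through a nested group.

from collections import deque

# Constructed directory: each entry's DIRECT memberOf values, as Active
# Directory returns them. AD's memberOf lists only first-level membership;
# group-in-group nesting has to be walked by the client if it wants it.
DIRECTORY = {
    "CN=dfood,CN=Users,DC=acme,DC=com": {
        "memberOf": ["CN=Finance Users,OU=Finance,DC=acme,DC=com"],
    },
    "CN=Finance Users,OU=Finance,DC=acme,DC=com": {
        # The group itself is a member of VPN_CORP (nested membership).
        "memberOf": ["CN=VPN_CORP,CN=Users,DC=acme,DC=com"],
    },
    "CN=VPN_CORP,CN=Users,DC=acme,DC=com": {"memberOf": []},
    "CN=jdoe,CN=Users,DC=acme,DC=com": {
        # Direct member of VPN_CORP, like the users the poster says work fine.
        "memberOf": ["CN=VPN_CORP,CN=Users,DC=acme,DC=com"],
    },
}

# Attribute map from the original post: memberOf DN -> group-policy name.
# The second DN models the poster's "group under a group" path; in the
# constructed directory no object has that DN, so it can never match.
ATTRIBUTE_MAP = {
    "CN=VPN_CORP,CN=Users,DC=acme,DC=com": "CORP-Policy",
    "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com": "CORP-Policy",
}


def normalize_dn(dn):
    """Case-insensitive, whitespace-tolerant DN compare (this model's choice)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def direct_groups(user_dn):
    """What an LDAP bind returns: only first-level memberOf values."""
    entry = DIRECTORY.get(user_dn, {"memberOf": []})
    return [normalize_dn(g) for g in entry["memberOf"]]


def nested_groups(user_dn):
    """Transitive closure over group-of-group membership (breadth-first).

    A visited set guards against circular group nesting, which AD permits.
    """
    seen = set()
    queue = deque(DIRECTORY.get(user_dn, {"memberOf": []})["memberOf"])
    while queue:
        group = queue.popleft()
        key = normalize_dn(group)
        if key in seen:
            continue
        seen.add(key)
        queue.extend(DIRECTORY.get(group, {"memberOf": []})["memberOf"])
    return sorted(seen)


def match_policies(groups, attr_map=ATTRIBUTE_MAP):
    """Policies whose map-value DN equals one of the user's group DNs."""
    wanted = {normalize_dn(dn): policy for dn, policy in attr_map.items()}
    return sorted({wanted[g] for g in groups if g in wanted})


if __name__ == "__main__":
    for user in ("CN=dfood,CN=Users,DC=acme,DC=com",
                 "CN=jdoe,CN=Users,DC=acme,DC=com"):
        print(user)
        print("  direct memberOf  ->", match_policies(direct_groups(user)) or "no match")
        print("  nested (walked)  ->", match_policies(nested_groups(user)) or "no match")
```

Running it shows jdoe matching CORP-Policy either way, while dfood matches only when the nested walk is performed, which the attribute map and (per the reply above) DAP do not do; the nested DN the poster added to the map never matches anything, because it is not the DN of any object.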