Microsoft AD based security group authentication for VPN

Unanswered Question

I have anyconnect setup to authenticate via ldap with a microsoft domain.  I get successful authentication replies on testing user accounts.  I am trying to set up AD security group based authentication so I can set the default tunnel-group policy to NOACCESS and have members of an AD security group sent to another group-policy.

I believe it is set up according to countless documentation on the topic, however I think that 'other' AD groups are causing the user(s) not to get the correct group policy.  See the snippet from a debug ldap 255:

[-2147483640]   memberOf: value = CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xx,DC=xx,
[-2147483640]           mapped to Group-Policy: value = districtemployee
[-2147483640]           mapped to LDAP-Class: value = districtemployee
[-2147483640]   memberOf: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,
[-2147483640]           mapped to Group-Policy: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN= Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]   memberOf: value = CN=PC Technicians,OU=IT,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to Group-Policy: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx


The user authenticates successfully, but I believe it is rolling into the default group-policy because the other non-mapped groups are changing the group-policy name to match the distinguished name of the other groups.  Here is my attribute map:

ldap attribute-map LDAP_MemberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx" districtemployee

Does anyone have this working with multiple groups per user?  I was sure that it was a bug but I have upgraded to the latest train of code on this asa and still the same issue.

Thanks,
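An added diagnostic (not from the post, and not a Cisco tool): a small Python script that cross-checks a `debug ldap 255` excerpt against the `ldap attribute-map` and lists every memberOf value that has no `map-value` entry, i.e. the groups that show up in the debug with the raw DN as their Group-Policy. The config and debug lines below are constructed, modelled on the post, with the redacted domain components replaced by an example domain.

```python
import re

# Constructed sample modelled on the attribute map in the post
# (the post's redacted DC components replaced with an example domain).
ATTRIBUTE_MAP = """
ldap attribute-map LDAP_MemberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=example,DC=com" districtemployee
"""

# Constructed 'debug ldap 255' excerpt for one user who is in three AD groups.
DEBUG_LDAP = """
[-2147483640]   memberOf: value = CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=example,DC=com
[-2147483640]           mapped to Group-Policy: value = districtemployee
[-2147483640]           mapped to LDAP-Class: value = districtemployee
[-2147483640]   memberOf: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=example,DC=com
[-2147483640]           mapped to Group-Policy: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=example,DC=com
[-2147483640]   memberOf: value = CN=PC Technicians,OU=IT,DC=example,DC=com
[-2147483640]           mapped to Group-Policy: value = CN=PC Technicians,OU=IT,DC=example,DC=com
"""

MAP_VALUE_RE = re.compile(r'map-value\s+memberOf\s+"([^"]+)"\s+(\S+)')
MEMBER_OF_RE = re.compile(r'memberOf: value = (.+?)\s*$')
MAPPED_GP_RE = re.compile(r'mapped to Group-Policy: value = (.+?)\s*$')


def parse_map_values(config):
    """Return {memberOf DN: group-policy} for each map-value line in the attribute map."""
    return dict(MAP_VALUE_RE.findall(config))


def parse_debug(debug):
    """Pair every memberOf DN in the debug with the Group-Policy value the ASA derived from it."""
    pairs, current = [], None
    for line in debug.splitlines():
        if m := MEMBER_OF_RE.search(line):
            current = m.group(1)          # a new memberOf value starts a new pair
        elif (m := MAPPED_GP_RE.search(line)) and current is not None:
            pairs.append((current, m.group(1)))
            current = None                # ignore the LDAP-Class line that follows
    return pairs


def audit(config, debug):
    """Flag each group the user is in as covered by a map-value or passed through as a raw DN."""
    configured = parse_map_values(config)
    return [(dn, policy, "mapped" if dn in configured else "unmapped: raw DN passed through")
            for dn, policy in parse_debug(debug)]


def unmapped_groups(config, debug):
    """Just the DNs that still have no map-value in the attribute map."""
    return [dn for dn, _, status in audit(config, debug) if status != "mapped"]
```

Run it against your own `show running-config ldap attribute-map` and debug output to get the exact list of groups the map does not cover.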
