I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access. My customer has 3 networks that are to be accessed by remote users. However, they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading, and I had planned on creating a group for each network that needs to be accessible and either do attribute maps to each group with a separate group created on the LDAP server for authentication. Basically an LDAP group on the LDAP server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
The LDAP server has been created and seems to be working fine. I have created my AAA groups and servers, and I have done the LDAP test with a test user vpntest and a password on the LDAP server. When I run the authentication test from the ASDM or command line I get a good "authentication successful" message. So I configured a VPN client remotely and attempted to authenticate to this group, and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the VPN client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way, or should I try RADIUS? The customer was just adamant about using LDAP.
 Session Start
 New request Session, context 0xd5713fe0, reqType = 1
 Fiber started
 Creating LDAP context with uri=ldaps://18.104.22.168:636
 Connect to LDAP server: ldaps://22.214.171.124:636, status = Successful
 supportedLDAPVersion: value = 2
 supportedLDAPVersion: value = 3
 No Login DN configured for server 126.96.36.199
 Binding as administrator
 Performing Simple authentication for to 188.8.131.52
 LDAP Search:
Base DN = [ou=employees,o=msues]
Filter = [uid=vpntest]
Scope = [SUBTREE]
 User DN = [uid=vpntest,ou=employees,o=msues]
 Talking to iPlanet server 184.108.40.206
 No results returned for iPlanet global password policy
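One way to lay out the per-group design described in the post, as an added example that is not the poster's configuration or any reply: an LDAP attribute map selects the group-policy from the user's group membership, and a vpn-filter on each group-policy limits the session to the networks that group is allowed. The server group, bind account, group names and addresses are constructed; the base DN and naming attribute follow the debug output above. It assumes the directory exposes membership as an attribute on the user entry (memberOf here; Sun/iPlanet directories may present it as isMemberOf or nsRole instead), and since the ASA applies a single group-policy per session, a user who needs two networks is placed in a group whose filter permits both.

```text
! Added example, not the poster's running config. Names and addresses
! are constructed; base DN and naming attribute match the debug above.
aaa-server LDAP-VPN protocol ldap
aaa-server LDAP-VPN (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn ou=employees,o=msues
 ldap-scope subtree
 ldap-naming-attribute uid
 ! Bind with a low-privilege service account instead of anonymously;
 ! the debug shows "No Login DN configured" (constructed account).
 ldap-login-dn uid=asa-bind,ou=service,o=msues
 ldap-login-password <bind-password-placeholder>
 server-type sun
 ldap-attribute-map VPN-GROUPS
!
! Map the directory's membership attribute (assumed: memberOf) onto the
! Cisco IETF-Radius-Class attribute, whose value names the group-policy.
ldap attribute-map VPN-GROUPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf "cn=vpn-net1,ou=groups,o=msues" GP-NET1
 map-value memberOf "cn=vpn-net1-net2,ou=groups,o=msues" GP-NET12
!
! One filter ACL per access profile (constructed address ranges). Verify
! the source/destination convention of your ASA release: vpn-filter ACLs
! are evaluated on the tunnel's traffic, not like an interface ACL.
access-list VPN-NET1 extended permit ip any 10.1.1.0 255.255.255.0
access-list VPN-NET12 extended permit ip any 10.1.1.0 255.255.255.0
access-list VPN-NET12 extended permit ip any 10.1.2.0 255.255.255.0
!
group-policy GP-NET1 internal
group-policy GP-NET1 attributes
 vpn-filter value VPN-NET1
group-policy GP-NET12 internal
group-policy GP-NET12 attributes
 vpn-filter value VPN-NET12
!
! Default policy for authenticated users in no mapped group: no session.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group LDAP-VPN
 default-group-policy GP-NOACCESS
```

With `default-group-policy` set to a policy that allows zero simultaneous logins, a user who authenticates but matches no `map-value` is refused rather than silently landing in an unrestricted policy; `debug ldap 255` shows which mapped value, if any, was applied.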