New Member

Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

I am having the hardest time getting a definitive answer to this; basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate users and assign them a group policy based on certain AD group memberships.

The problem I think I have is that, due to how our AD forest is structured, I have spaces in the DN string, as shown below. I have tried enclosing the entire string in quotes, etc.; nothing seems to work. Basically, the string is not matched, and the users are assigned a non-matching default policy. Cisco TAC thinks it is due to the spaces (highlighted), but I am not so sure.

 

Can some one please advise?

CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

 

5 REPLIES
Cisco Employee

Yeah, it does work! All you need is to have the DN with spaces in quotes, like this:

ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL" <Group Policy Name>

This makes the ASA treat the DN as a single entity, so it will not be truncated when it reads the spaces.

If you want to verify this, run debug ldap 255 and look at the output.

 

Regards,

Jatin Katyal

*Do rate helpful posts*
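To put the quoted map-value in context, here is a complete example configuration, added here and not taken from the original post or from Cisco documentation, that wires the attribute map into the AAA server, the group policies and the tunnel group. The server tag AD-LDAP, the host 10.0.0.10, the bind account, the policy names VPN-SSL-SPLIT and NOACCESS, the tunnel group SSLVPN and the split-tunnel ACL are all assumptions. The security point it adds is the last line: anyone whose memberOf values do not match a map-value lands in the tunnel group's default policy, so that default should permit zero logins rather than silently granting a permissive catch-all.

```cisco
! Added example, not the poster's configuration. All names and addresses are assumed.
!
! 1. Attribute map: the DN containing spaces must be one quoted token.
!    map-value is an exact string compare against each memberOf value
!    that AD returns for the user, so case and spacing must match AD's
!    canonical form character for character.
ldap attribute-map LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL" VPN-SSL-SPLIT
!    (On newer ASA releases the map-name target can also be Group-Policy.)

! 2. AAA server group pointing at a domain controller, with the map attached.
!    The bind DN here deliberately contains no spaces.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=DOM1,DC=US,DC=LOCAL
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=DOM1,DC=US,DC=LOCAL
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-MAP

! 3. Group policy that matched users receive.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy VPN-SSL-SPLIT internal
group-policy VPN-SSL-SPLIT attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-simultaneous-logins 3

! 4. Deny-by-default policy for users with no matching memberOf value.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 5. Tunnel group: authenticate against AD-LDAP; unmatched users get NOACCESS.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS

! Verification from the CLI (assumed test user jdoe):
!   debug ldap 255
!   test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password <pw>
!   undebug all
```

With the debug running, the output should list each memberOf value exactly as the directory returned it; if a map-value matched, a "mapped to" line for the Cisco attribute follows it, and the group policy named in the map should then appear in the session. If no such line appears, compare the printed DN with the quoted string in the map character for character, since the compare is exact rather than normalized. Two further things to check when the quoted form still does not match: memberOf lists only direct group membership, so a user who is in VPN_SSL_SPLIT only through a nested group will not carry that DN, and the bind account must be able to read the user's memberOf attribute in the first place.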
New Member

I have tried it with the quotes as suggested and it still does not work. I wonder if I have something else wrong, though I have checked and rechecked the DN strings and the configuration repeatedly.

 

Cisco Employee

We can troubleshoot this issue. Please provide me the following outputs:

show run aaa-server

show run ldap

Turn on "debug ldap 255" and reproduce the issue. Paste the output here.

 

Regards,

Jatin Katyal

*Do rate helpful posts*
New Member

I am having the same problem. I have a Windows 2003 server using RADIUS, but when using LDAP it doesn't work. I got the error: Authentication Server not responding: AAA server has been removed

Cisco Employee

Please provide the same information:

show run aaa-server

show run ldap

Turn on "debug ldap 255" and reproduce the issue. Paste the output here.

 

Regards,

Jatin Katyal

**Do rate helpful posts**