I have set up authentication using LDAP and it is working fine.
I am trying to restrict only users that are members of a particular Security group (VPN Users) to be able to VPN in.
I have created an LDAP attribute map (vpnmap) that checks if the user is a member of the required Security Group and if correct assigns a group policy (XXXvpntunnel) to it.
However, if a user is not a member of the group, the ldap attribute map does not assign the above group policy to it, but the user can still VPN in and when I do a check of the group policy being used via sh vpn-sessiondb detail remote, it shows me the same group policy XXXvpntunnel being used.
I have created another group policy called XXXvpntunneldeny with ipsec sessions set to 0, but how do I assign this group profile to users who are not a memberOf VPN Users, so that they cannot VPN in?
I have also tested by adding SamAccountname in the attribute map and value "Administrator" and group-policy "xxxvpntunneldeny" and it stops Administrator from getting in via VPN, but I want to be able to use a wildcard to prevent all users not in the Security Group VPN Users from connecting via VPN.
Any suggestions on the best way to restrict users not part of the VPN Users group in AD from being able to VPN in?
When a user authenticates to the security appliance, the security appliance, in turn, authenticates to the server and uses the LDAP protocol to retrieve the record for that user. The record consists of LDAP attributes associated with fields displayed on the user interface of the server. Each attribute retrieved includes a value that was entered by the admin who updates the user records.
Refer to the following URL for more information on Active Directory Policies Using LDAP Attribute Maps:
I tried this, but for some reason it was not checking for this attribute.
I had debug ldap 255 running but could not see any matches to msNPAllowDialin. Maybe I did not configure the attribute map correctly.
I have created a new AD group called VPN Deny and added the users that I do not want to have VPN access to this group.
I then check the memberOf "VPN Deny" attribute and assign them to a group-policy that has vpn-simultaneous-logins set to 0.
The only problem with this is that all users that need to be prevented from using VPN access need to be added to the VPN Deny User group.
hadbou has sent me a couple of links, the first of which is more detailed on LDAP attribute mapping, which I will go through and try a better solution including mapping to msNPAllowDialin and see which works best.
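The "wildcard" the original question asks for is usually achieved on the ASA by inverting the logic: only the allowed group is mapped to a group-policy, and the deny policy (vpn-simultaneous-logins 0) is made the tunnel-group default, so anyone with no memberOf match inherits it. The configuration below is an added example written for this thread, not the poster's running config and not Cisco documentation. It reuses the names from the thread (vpnmap, XXXvpntunnel, XXXvpntunneldeny, "VPN Users"); the server name LDAP_SRV, the host address, the OU/DC parts of the group DN, the bind account and the tunnel-group name RA_IPSEC are assumptions and must be replaced with your own values.

```cisco
! Added example, not from the thread: deny-by-default LDAP group mapping on an ASA.
! Assumed values: LDAP_SRV, 10.0.0.5, the OU/DC parts of the DNs, svc-asa-ldap, RA_IPSEC.

! 1. Map only the allowed group. A user whose memberOf list contains exactly this
!    DN receives XXXvpntunnel; any other user matches nothing and falls through
!    to the tunnel-group default policy. Note the match is a literal string
!    comparison of memberOf values: nested group membership is not expanded.
ldap attribute-map vpnmap
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=com" XXXvpntunnel

! 2. Attach the map to the LDAP server definition.
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <ldap-bind-password>
 server-type microsoft
 ldap-attribute-map vpnmap

! 3. Deny policy: the LDAP bind still succeeds, but zero simultaneous logins
!    means the session is torn down immediately after authentication.
group-policy XXXvpntunneldeny internal
group-policy XXXvpntunneldeny attributes
 vpn-simultaneous-logins 0

! 4. Allow policy for members of VPN Users.
group-policy XXXvpntunnel internal
group-policy XXXvpntunnel attributes
 vpn-simultaneous-logins 3

! 5. Make the deny policy the tunnel-group default. This is what catches
!    every user the attribute map did not match, without a per-user deny list.
tunnel-group RA_IPSEC general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy XXXvpntunneldeny
```

The symptom in the original post (non-members still landing in XXXvpntunnel) is what you see when the allow policy is itself the tunnel-group default: a user with no map-value match simply inherits it. After changing the default, verify with `test aaa-server authentication LDAP_SRV username <user> password <pw>` and `debug ldap 255`, which prints the memberOf values returned and the group-policy the map selected, then confirm with `show vpn-sessiondb detail remote` that non-members no longer get a session.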