There are a few caveats when configuring this on the ASA. The LDAP account used to bind and authenticate users is referenced by its display name in Active Directory, not by its username, and that display name should contain no spaces. If the password-management feature is used, this account must either be a member of the built-in Account Operators group or be assigned the change-password permission in Active Directory; otherwise, a regular domain account may be used. To see exactly what should be entered in the aaa-server LDAP configuration, run the following command from a command prompt on the Windows AD server:
dsquery user -samid username
The output of this command should be used in the aaa-server section for the LDAP server.
Spaces are allowed in the LDAP attribute mappings, however, as long as quotation marks are placed around the entire LDAP path. The 'memberOf' attribute is the AD LDAP attribute that is mapped to the specific group-policy on the ASA appliance.
Password management, the ability for a remote VPN user to change their Active Directory password, relies on the use of LDAP over SSL, as seen in the example configuration at the end of this document. Once users are assigned their group policies, any configuration under that group-policy is applied to them as usual. This can include VPN filters (ACLs), a different DHCP scope, different DNS servers, and so on. Most problems with this configuration can be traced back to the LDAP syntax used.
An example VPN configuration follows, using LDAP as the backend authentication server to assign group-policies:
crypto dynamic-map REMOTEVPN 5 set transform-set ets3des
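The following aaa-server and attribute-map configuration is an added example written for this page, not the original document's configuration (only the one dynamic-map line of that survives above). It shows the three pieces the text describes working together: the bind account entered as the DN that dsquery returns, the memberOf attribute mapped to a group-policy, and LDAP over SSL so that password management can work. All names and addresses are assumptions (server name AD-LDAP, host 10.0.0.10, domain example.com, bind account asa-ldap-bind, AD group "VPN Users", group-policies VPN-USERS-POLICY and NOACCESS, tunnel-group REMOTEVPN); substitute your own. The attribute-map syntax shown is the ASA 8.2+ form.

```cisco
! Added example (assumed names/addresses), not the page's own configuration.
! Group-policy that matching AD group members land in.
group-policy VPN-USERS-POLICY internal
group-policy VPN-USERS-POLICY attributes
 vpn-simultaneous-logins 3
 dns-server value 10.0.0.10
 vpn-filter value VPN-USERS-ACL

! Fallback policy: users with no matching memberOf value get zero logins,
! so a valid AD password alone does not grant VPN access.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! memberOf -> Group-Policy. The LDAP path contains spaces, so it is quoted whole.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=com" VPN-USERS-POLICY

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! ldap-login-dn is exactly what "dsquery user -samid asa-ldap-bind" printed
 ! (the CN is the display name, with no spaces, as the text recommends).
 ldap-login-dn CN=asa-ldap-bind,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
 ! Password management requires LDAPS (port 636); plain LDAP/389 will fail here.
 ldap-over-ssl enable
 server-port 636

tunnel-group REMOTEVPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
 password-management
```

Two checks worth running after applying this: `test aaa-server authentication AD-LDAP username <user> password <pw>` confirms the bind DN and base DN are correct before any client connects, and `debug ldap 255` during a test login shows the raw memberOf values the ASA receives, which is the quickest way to spot a mis-typed LDAP path in the map-value line. Setting the default-group-policy to a zero-login policy is the defensive piece: the authorization decision then rests on group membership rather than on authentication alone.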