Problem if a user belongs from different AD Groups for Cisco ASA RA VPN using LDAP ( Authentication Authorization )

humayunkr
Level 1

We are facing an issue when implementing LDAP authentication and authorization for our remote access VPN for different groups in Active Directory.

For example: we have 3 different groups in AD like ITstaff, accounting, admin, and if we want to connect for the ITstaff group using a username XXX, the LDAP authentication and authorization is successful and the VPN tunnel is established. But if the username XXX is memberOf all the groups (ITstaff, accounting, admin), then the problem arises when trying to have a VPN tunnel using the same username for different AD groups.

Suppose I try to connect for the accounting group using the same username XXX; authentication and authorization show successful, and the following log messages appear:

AAA user authorization Successful : server =  a.b.c.d : user = XXX

AAA group policy for user XXX is being set to ITstaff ----> although it should be accounting

AAA retrieved user specific group policy (ITstaff) for user = XXX

AAA retrieved default group policy (accounting) for user = XX

AAA transaction status ACCEPT : user = XXX

DAP: User XXX, Addr e.f.g.h, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

Group = accounting, Username = XXX, IP = e.f.g.h, Tunnel Rejected: User (XXX) not member of group (accounting), group-lock check failed.

SSL session with server outside:.. terminated.

So it shows that the tunnel is rejected because the user XXX is not a memberOf group (accounting), which is not true.

Please help me.

Thanks,

1 Reply

Herbert Baerten
Cisco Employee

Hi

I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).

Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.

Hth

Herbert

Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
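To make the difference between the two approaches concrete, here is a small Python model of the behaviour discussed in this thread. It is an added illustration, not code from the thread or from Cisco; the group DNs, the memberOf values of user XXX, the assumption that the attribute map keeps the first mapped value, and a DfltAccessPolicy record set to Terminate are all constructed.

```python
# Model of the behaviour in the thread (constructed example, not Cisco ASA code).
# Assumed: the ldap attribute-map keeps the FIRST mapped memberOf value.

def group_cn(dn):
    """'CN=ITstaff,OU=Groups,DC=example,DC=com' -> 'ITstaff'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if rdn.upper().startswith("CN=") else ""

# Constructed AD data: the multi-valued memberOf attribute of user XXX.
MEMBER_OF = {"XXX": ["CN=ITstaff,OU=Groups,DC=example,DC=com",
                     "CN=accounting,OU=Groups,DC=example,DC=com",
                     "CN=admin,OU=Groups,DC=example,DC=com"]}

# Equivalent of the 'ldap attribute-map': memberOf value -> group-policy name.
ATTRIBUTE_MAP = {"CN=ITstaff,OU=Groups,DC=example,DC=com": "ITstaff",
                 "CN=accounting,OU=Groups,DC=example,DC=com": "accounting",
                 "CN=admin,OU=Groups,DC=example,DC=com": "admin"}

def attribute_map_policy(user):
    """Group-Policy is single-valued, so memberOf collapses to one policy."""
    for dn in MEMBER_OF.get(user, []):
        if dn in ATTRIBUTE_MAP:
            return ATTRIBUTE_MAP[dn]          # assumed: first match wins
    return None

def connect_with_attribute_map(user, tunnel_group):
    """group-lock: the user-specific policy must equal the tunnel group's."""
    policy = attribute_map_policy(user)
    if policy != tunnel_group:
        return False, (f"Group = {tunnel_group}, Username = {user}, Tunnel Rejected: "
                       f"User ({user}) not member of group ({tunnel_group}), group-lock check failed.")
    return True, f"AAA group policy for user {user} is being set to {policy}"

# DAP alternative: one record per tunnel group, selected when the connection
# profile matches AND any memberOf value names the group (nothing collapsed).
# Assumed: DfltAccessPolicy is set to Terminate, so no match means no tunnel.
DAP_RECORDS = {"ITstaff": "ITstaff", "accounting": "accounting", "admin": "admin"}

def select_dap_records(user, tunnel_group):
    """Return the DAP records selected for this connection (as the ASA logs)."""
    groups = {group_cn(dn) for dn in MEMBER_OF.get(user, [])}
    hits = [rec for rec, cn in DAP_RECORDS.items()
            if rec == tunnel_group and cn in groups]
    return hits or ["DfltAccessPolicy"]

def connect_with_dap(user, tunnel_group):
    """Returns (accepted, selected records)."""
    selected = select_dap_records(user, tunnel_group)
    return selected != ["DfltAccessPolicy"], selected
```

With the attribute map, XXX connecting to the accounting tunnel group is rejected with the same group-lock message seen in the question, while the DAP check accepts every group XXX is actually a member of.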