Cisco Support Community

New Member

Problem if a user belongs from different AD Groups for Cisco ASA RA VPN using LDAP ( Authentication Authorization )

We are facing an issue when implementing LDAP authentication and authorization for our remote access VPN for different groups in Active Directory.

For example: we have 3 different groups in AD, like ITstaff, accounting and admin. If we want to connect to the ITstaff group using a username XXX, the LDAP authentication and authorization is successful and the VPN tunnel is established. But if the username XXX is memberOf all the groups (ITstaff, accounting, admin), then the problem arises when trying to establish a VPN tunnel using the same username for different AD groups.

Suppose I try to connect to the accounting group using the same username XXX: authentication and authorization show successful, and the following log messages appear:

AAA user authorization Successful : server =  a.b.c.d : user = XXX

AAA group policy for user XXX is being set to ITstaff ----> although it should be accounting

AAA retrieved user specific group policy (ITstaff) for user = XXX

AAA retrieved default group policy (accounting) for user = XX

AAA transaction status ACCEPT : user = XXX

DAP: User XXX, Addr e.f.g.h, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

Group = accounting, Username = XXX, IP = e.f.g.h, Tunnel Rejected: User (XXX) not member of group (accounting), group-lock check failed.

SSL session with server outside:.. terminated.

So it shows that the tunnel is rejected because the user XXX is not a memberOf group (accounting), which is not true.

Please help me.


Cisco Employee

Re: Problem if a user belongs from different AD Groups for Cisco


I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).

Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.



Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
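To make the failure mode in the reply concrete, here is a constructed ASA configuration (added here, not posted by either participant) that reproduces the log sequence in the question: an LDAP attribute map turning memberOf into a Group-Policy, with each group-policy locked to its own tunnel-group. The group names ITstaff, accounting and admin come from the thread; the server address, DNs and the AD-LDAP / AD-GROUP-MAP names are assumptions.

```cisco
! Constructed example, not from the thread. One LDAP server group
! shared by all tunnel-groups; the attribute map is attached here.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-SET-IN-REAL-CONFIG
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! AD returns EVERY memberOf value on the user object, so for XXX the
! map yields three candidate policies. The ASA applies only one of
! them as the "user specific group policy" (ITstaff in the log),
! no matter which tunnel-group the user actually connected to.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=ITstaff,OU=Groups,DC=example,DC=com" ITstaff
 map-value memberOf "CN=accounting,OU=Groups,DC=example,DC=com" accounting
 map-value memberOf "CN=admin,OU=Groups,DC=example,DC=com" admin
!
! Each policy is locked to the tunnel-group of the same name. XXX
! connecting to tunnel-group "accounting" is handed the ITstaff policy
! by the map above, so "group-lock value ITstaff" fails and the ASA
! logs "Tunnel Rejected ... group-lock check failed".
group-policy ITstaff internal
group-policy ITstaff attributes
 group-lock value ITstaff
group-policy accounting internal
group-policy accounting attributes
 group-lock value accounting
group-policy admin internal
group-policy admin attributes
 group-lock value admin
!
! The tunnel-group's default-group-policy is what the log reports as
! "retrieved default group policy (accounting)"; it is overridden by
! the user-specific policy from the attribute map.
tunnel-group accounting type remote-access
tunnel-group accounting general-attributes
 authentication-server-group AD-LDAP
 default-group-policy accounting
```

The reply's alternative is to drop the `ldap-attribute-map AD-GROUP-MAP` line from the aaa-server so no user-specific policy is returned, and instead build one DAP record per group (in ASDM, not in this CLI fragment) whose selection criterion is ldap.memberOf equal to that group, so a user in several groups matches the record for the tunnel-group they chose rather than being pinned to a single policy.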