Problem if a user belongs to different AD Groups for Cisco ASA RA VPN using LDAP (Authentication / Authorization)
We are facing an issue when implementing LDAP authentication/authorization for our remote access VPN for different groups in Active Directory.
For example, we have 3 different groups in AD, like ITstaff, accounting and admin. If we connect for the ITstaff group using a username XXX, the LDAP authentication and authorization are successful and the VPN tunnel is established. But if the username XXX is a memberOf all the groups (ITstaff, accounting, admin), then the problem arises when trying to have a VPN tunnel using the same username for the different AD groups.
Suppose I try to connect for the accounting group using the same username XXX. Authentication and authorization show successful, and the following log messages appear:
AAA user authorization Successful : server = a.b.c.d : user = XXX
AAA group policy for user XXX is being set to ITstaff ----> although it should be accounting
AAA retrieved user specific group policy (ITstaff) for user = XXX
AAA retrieved default group policy (accounting) for user = XX
AAA transaction status ACCEPT : user = XXX
DAP: User XXX, Addr e.f.g.h, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
Group = accounting, Username = XXX, IP = e.f.g.h, Tunnel Rejected: User (XXX) not member of group (accounting), group-lock check failed.
SSL session with server outside:.. terminated.
So it shows that the tunnel is rejected because the user XXX is not a memberOf group (accounting), which is not true.
Re: Problem if a user belongs to different AD Groups for Cisco
I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.
Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
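The two approaches discussed in this thread, side by side in one ASA configuration. This is an added example, not configuration posted by either participant: part (a) is the attribute-map setup the question describes (the multi-valued memberOf attribute ends up selecting a single Group-Policy, which is what produces the "group-lock check failed" message above), and part (b) is the per-tunnel-group default policy plus DAP membership check that the reply suggests. Every name in it (LDAP-MAP, AD-LDAP, 10.0.0.5, DC=example,DC=com, the service account, and the GP-*/*-TG/DAP-* names) is an assumed placeholder; the DAP selection criteria themselves are not expressible in the CLI and are described in the comments as they are entered in ASDM.

```cisco
! Added example, not from the original thread. All names and addresses
! are assumed placeholders.

! --- (a) What the question is running: LDAP attribute map ---
! memberOf is multi-valued. When a user matches more than one map-value
! line, the ASA still applies only one Group-Policy (the reply's point),
! so a user in ITstaff+accounting connecting to the accounting profile
! is handed GP-ITSTAFF and then fails that policy's group-lock.
ldap attribute-map LDAP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=ITstaff,OU=Groups,DC=example,DC=com"    GP-ITSTAFF
  map-value memberOf "CN=accounting,OU=Groups,DC=example,DC=com" GP-ACCOUNTING

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
  ldap-login-password <password>
  server-type microsoft
  ! Remove this line when moving to approach (b); the tunnel-group's
  ! default-group-policy then decides the policy, not the AD group list.
  ldap-attribute-map LDAP-MAP

! --- (b) What the reply suggests: tunnel-group policy + DAP check ---
! Each profile carries its own group-policy. group-lock is what raised
! the "group-lock check failed" line in the question; it is harmless
! here because the policy now comes from the tunnel-group itself.
group-policy GP-ITSTAFF internal
group-policy GP-ITSTAFF attributes
  group-lock value ITSTAFF-TG
group-policy GP-ACCOUNTING internal
group-policy GP-ACCOUNTING attributes
  group-lock value ACCOUNTING-TG

tunnel-group ITSTAFF-TG type remote-access
tunnel-group ITSTAFF-TG general-attributes
  authentication-server-group AD-LDAP
  default-group-policy GP-ITSTAFF
tunnel-group ACCOUNTING-TG type remote-access
tunnel-group ACCOUNTING-TG general-attributes
  authentication-server-group AD-LDAP
  default-group-policy GP-ACCOUNTING

! DAP records. The CLI holds only name, action and priority; the
! selection criteria are stored in dap.xml and are entered in ASDM
! (Configuration > Remote Access VPN > Network (Client) Access >
! Dynamic Access Policies). Assumed criteria for each record:
!   DAP-ACCOUNTING: AAA attribute LDAP memberOf = accounting
!                   AND AAA attribute Cisco Tunnel Group = ACCOUNTING-TG
!   DAP-ITSTAFF:    AAA attribute LDAP memberOf = ITstaff
!                   AND AAA attribute Cisco Tunnel Group = ITSTAFF-TG
! A user who is in both AD groups now matches whichever record belongs
! to the profile they actually connected to.
dynamic-access-policy-record DAP-ACCOUNTING
  action continue
  priority 10
dynamic-access-policy-record DAP-ITSTAFF
  action continue
  priority 10
! Sessions matching no record fall through to DfltAccessPolicy (the
! record named in the question's log). Setting it to terminate is what
! turns "membership" into an enforced check rather than a log line.
dynamic-access-policy-record DfltAccessPolicy
  action terminate
  user-message "Your account is not a member of the group required for this VPN profile"
```

When testing, watch for the "DAP: ... The following DAP records were selected" line in the log: with approach (b) working, a user in both groups connecting through ACCOUNTING-TG should select DAP-ACCOUNTING rather than DfltAccessPolicy, and a user outside the group should be terminated by DfltAccessPolicy instead of by a group-lock failure.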