
VPN Group lock Novell

craig bache
Level 1

Hi All

I am trying to find out if it is possible to group-lock VPN users, permitting access only to certain users. I have found this to be true for AD, as per below, but I want to do this with Novell.

"to allow users in “VPN Users” group in AD to connect through VPN but in order to deny VPN access to any other user in AD we need to make sure that “deny access” option is checked under the “Dial in” tab for the user in AD. By doing this, AD will return msNPAllowDialin value as False which will be matched on ASA under LDAP attribute"

                  

Does anyone have a working configuration or guide for this?

Thanks Craig

2 Replies

Tarik Admani
VIP Alumni

Craig,

What you could do is start by issuing a debug ldap 255 as you authenticate a test user. Then see if there are any unique attributes being sent in the LDAP response that you can use. If you do have one, then try to build your LDAP attribute map so that it includes this value, then set your group-lock condition.

I tried to look for any Cisco-documented attributes, but I am curious to see if you can create one on the fly and see if it works. Keep in mind that it is case sensitive.

Thanks,

Tarik Admani
*Please rate helpful posts*
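
An ASA configuration sketch of the approach described in the reply above, added here as an illustration and not taken from either poster. It assumes that debug ldap 255 shows the eDirectory attribute groupMembership for the test user; every name, DN, address and password below is a placeholder.

```cisco
! Added example. NOVELL-MAP, NOVELL-LDAP, VPN-ALLOW, NOACCESS, REMOTE-VPN,
! the DNs, the server address and the password are placeholders.
! ASSUMPTION: groupMembership is the attribute seen in "debug ldap 255" output
! for the test user. Substitute whatever attribute the debug actually shows;
! attribute names and values are matched case-sensitively.

! Map the LDAP group attribute to the ASA group-policy attribute.
! (Older ASA releases name the Cisco attribute IETF-Radius-Class.)
ldap attribute-map NOVELL-MAP
 map-name groupMembership Group-Policy
 map-value groupMembership "cn=VPN Users,ou=Groups,o=example" VPN-ALLOW

! LDAP server definition with the map attached.
aaa-server NOVELL-LDAP protocol ldap
aaa-server NOVELL-LDAP (inside) host 192.0.2.10
 server-type novell
 ldap-base-dn o=example
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn cn=asa-bind,o=example
 ldap-login-password <bind-password>
 ldap-attribute-map NOVELL-MAP

! Default policy: users whose LDAP response matches no map-value land here
! and cannot establish a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy handed out by the map; group-lock restricts it to one tunnel group.
group-policy VPN-ALLOW internal
group-policy VPN-ALLOW attributes
 vpn-simultaneous-logins 3
 group-lock value REMOTE-VPN

tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group NOVELL-LDAP
 default-group-policy NOACCESS
```

Each additional permitted group is one more map-value line in the same attribute map, pointing at the policy that group should receive.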

Hi Tarik

Thanks for the response. I will try to get an attribute map for the user group, but I think I would have to create multiple permit statements for the user groups I want to allow and deny, and I cannot see what the limitation is for this.

 

Thanks Craig
