New Member

LDAP attribute map

I've read so far like 100 different discussions about how to restrict VPN users' authentication to some Active Directory. If not part of the Active Directory group called "vpn-group", they can't connect.

I cannot find any guide that allows me to log in users only if they are in the group. Some articles say I have to use IETF-Radius-Class, others Group_Policy, in the LDAP attribute map. Actually I'm confused because some articles like this:  but other articles say to use Group_policy instead. I wish someone who has really done this would give me a PDF guide or something alike.

: ( I have spent one week trying to do this and it just does not work. It's like it is not seeing the attribute map, because all users are being authenticated. I have ASA version 9.1.2.



Need help!!!!!!!!!


Cisco Employee

Hello anersantana,

I've done this many times. Please use the below listed configuration and let me know how it goes.

Configuration for restricting access to a particular Windows group on AD

group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none

ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf <DN of the VPN group> <Group Policy Name>

aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <IP-of-Windows-AD>
 server-port 389
 ldap-base-dn <AD base DN>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <login user DN>
 ldap-login-password <password for login user DN>
 server-type microsoft
 ldap-attribute-map LDAP-MAP

group-policy <Group Policy Name> internal
group-policy <Group Policy Name> attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value <Address Pool Name>

tunnel-group <Tunnel group name> type remote-access
tunnel-group <Tunnel group name> general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess



Jatin Katyal

** Do rate helpful posts **
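The configuration above only restricts access if the LDAP server entry actually references the attribute map and the tunnel group's default policy denies logins, so that users without a mapped group land in a policy with `vpn-simultaneous-logins 0`. The following Python check for those two conditions is an added example, not part of either post. It assumes a simplified running-config layout (top-level commands unindented, sub-commands indented), and the group name, DN and address in the sample are constructed.

```python
# Constructed sample running-config; every name, DN and address is made up.
SAMPLE_CONFIG = """\
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=vpn-group,OU=Groups,DC=example,DC=local VPN-USERS
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host 192.0.2.10
 ldap-attribute-map LDAP-MAP
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess
"""

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def value_of(body, keyword):  # first argument of the sub-command, or None
    return next((l.split()[1] for l in body if l.startswith(keyword + " ")), None)

def audit(config):
    """Reasons a user outside the mapped AD group could still get a VPN session."""
    blocks, findings = parse_blocks(config), []
    for header, body in blocks.items():
        server = value_of(body, "authentication-server-group")
        if not header.endswith(" general-attributes") or server is None:
            continue  # not a tunnel-group, or it does not name an AAA server
        name = header.split()[1]
        hosts = [b for h, b in blocks.items() if h.startswith(f"aaa-server {server} ") and " host " in h]
        if not any(value_of(b, "ldap-attribute-map") for b in hosts):
            findings.append(f"{name}: no ldap-attribute-map on aaa-server {server}")
        # With no default-group-policy line the ASA falls back to DfltGrpPolicy.
        policy = value_of(body, "default-group-policy") or "DfltGrpPolicy"
        if "vpn-simultaneous-logins 0" not in blocks.get(f"group-policy {policy} attributes", []):
            findings.append(f"{name}: default-group-policy {policy} does not set vpn-simultaneous-logins 0")
    return findings
```

An empty list from `audit()` means both conditions hold for every tunnel group that names an AAA server; it does not verify that the DN in `map-value` matches the group's real distinguished name in AD.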
