Cisco Support Community

Configuring LDAP Group IPSEC VPN Authentication


I would like to know if it is possible to authenticate VPN users via LDAP against an Active Directory security group. I know you can do this with the WebVPN and assign different VPN group policies, but I would like to either permit or deny login access through the IPSEC VPN based on Active Directory group membership.

Any help configuring this would be appreciated.


Re: Configuring LDAP Group IPSEC VPN Authentication

Just for the record, I did get it working based on OU membership, but I'd like to know if there is a way to get it working based on security/distribution group membership.



Re: Configuring LDAP Group IPSEC VPN Authentication

These two articles helped me with getting this to work on an ASA5520:

Sorry for piggybacking on your thread here, but I'm struggling with one part of what I'm trying to accomplish. I want to grant VPN access ONLY if the user is in a specific group. If the user isn't a member of that group, I want to deny access. Right now, group mapping is working (AD group to Tunnel Group), but any user that exists in Active Directory is allowed access.

The only solution I can come up with is to have two AD security groups, one that allows access and one that doesn't, and map the two groups to two different tunnel groups (again, one that allows and one that denies). This is less than ideal. Any thoughts from anyone?