Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Cisco - LDAP authentication on Cisco ASA with dialin restriction

On ASA we need to configure folowing config. First we configure the LDAP attribute map.

ldap attribute-map VPN-Map

map-name memberOf IETF-Radius-Class >>>>>> Define Radius class attribute.

map-value memberOf CN=DomainAdminVPN,CN=. truncated>>>>Define Group membership for user.

map-name msNPAllowDialin IETF-Radius-Class>>>>If have Dialin permission enabled and is a member of DomainAdminVPN group in AD, he would allowed access.

map-value msNPAllowDialin FALSE NoVpnAccess>>>>If Dialin permission is not checked, That user would be mapped with NoVpnAccess VPN group policy..

group-policy NoVpnAccess attributes>>>> Create group policy named NoVpnAccess.

vpn-simultaneous-logins 0 >>>> Allow 0 Logins for users of this group.

If users are not a member of the defined group (DomainAdminVPN), and their Dialin access is set to Deny, the are dropped into the NoVpnAccess group policy, which allows 0 connections.

Version history
Revision #:
1 of 1
Last update:
‎11-24-2010 01:37 AM
Updated by:
Labels (1)