hostname(config-aaa-server-group)# server-type microsoft
Set the authentication server equal to server-group under the tunnel-group
tunnel-group LDAPVPN type remote-access
tunnel-group LDAPVPN general-attributes
address-pool <pool name>
default-group-policy <name of policy>
tunnel-group LDAPVPN ipsec-attributes
The goal is to use LDAP to authenticate VPN users connecting to an ASA against AD, but only users in a particular AD group should be able to VPN into the ASA; no other user in AD should be able to connect through VPN.
The configuration above allows users in the "VPN Users" group in AD to connect through VPN. To deny VPN access to any other user in AD, the "Deny access" option must be checked under the "Dial-in" tab for that user in AD. AD then returns the msNPAllowDialin attribute with the value FALSE, which is matched on the ASA by the LDAP attribute map. If the value returned from AD matches the value configured on the ASA, the user is mapped to the "novpnaccess" group policy on the ASA, which sets vpn-simultaneous-logins 0, so that particular user has no VPN access. All other users in the "VPN Users" group can still connect via VPN and are mapped to policy1.
By default, customers have "Control access through Remote Access Policy" configured for all users in AD under the "Dial-in" tab. When this option is selected, AD does not return the "msNPAllowDialin" attribute at all, so the attribute cannot be used to map the user to the "novpnaccess" group policy on the ASA. As a result, customers are forced to check the "Deny access" option in Active Directory to deny a user VPN access.
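As an added example (not the configuration from the original post), the ASA attribute map and group policies that implement the behaviour described above; the names LDAPMAP and LDAPSRV, the host address, the DNs and the policy1 session limit are assumptions, and the memberOf mapping is assumed to be how "VPN Users" members land in policy1.

```cisco
! Added example, not from the original post: LDAP attribute map that ties the
! AD values described above to ASA group policies.
!
! 1. A group policy that denies every login: a user mapped here cannot
!    establish even one session.
group-policy novpnaccess internal
group-policy novpnaccess attributes
 vpn-simultaneous-logins 0
!
! 2. The policy that members of "VPN Users" actually receive (limit assumed).
group-policy policy1 internal
group-policy policy1 attributes
 vpn-simultaneous-logins 3
!
! 3. Map AD attributes to the ASA Group-Policy attribute.
!    msNPAllowDialin is returned only when the user's Dial-in tab is set to
!    "Allow access" (TRUE) or "Deny access" (FALSE). With "Control access
!    through Remote Access Policy" the attribute is absent, so the FALSE
!    map-value below never matches, which is the limitation described above.
ldap attribute-map LDAPMAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN Users,CN=Users,DC=example,DC=com" policy1
 map-name  msNPAllowDialin Group-Policy
 map-value msNPAllowDialin FALSE novpnaccess
!
! 4. Bind the map to the LDAP server group referenced by the tunnel-group.
!    (host, base DN and bind account are assumed values)
aaa-server LDAPSRV protocol ldap
aaa-server LDAPSRV (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAPMAP
!
! 5. Check the result for a test account before relying on it: the debug
!    output lists the attributes AD returned and the group policy applied,
!    so a user whose msNPAllowDialin came back FALSE should show novpnaccess.
! debug ldap 255
! test aaa-server authentication LDAPSRV host 10.0.0.5 username jdoe password <pw>
```

Run the test command once with a "Deny access" account and once with an "Allow access" account in "VPN Users" to confirm the first is refused (novpnaccess) and the second receives policy1.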