I'm trying to configure an ASA5540 to use LDAP for remote access user authorization. I am using certificates for authentication, and using the userPrincipalName field from the certificate for authorization purposes. I am trying to set up an LDAP attribute map which will only allow a user to connect to VPN if he/she is a member of a specific group. I haven't been able to get this working. The problem I have run into is that even if a user isn't a member of the group I have defined in the LDAP attribute map, the user will be authorized because the user account exists in AD. Any help would be greatly appreciated.
Can you post your LDAP configuration and your LDAP attribute map configuration? You need to map the memberOf value to the IETF-Radius-Class, which will map to the desired group policy; when there is no match they should fall within the DefaultGroupPolicy (not the exact name), which then will not allow them to connect. Please post your config and I will tell you what you are missing.
I'm actually not trying to use the LDAP map to put users into a group policy; I am using group URLs and the users know which URL to use. All I want the LDAP map to do is verify that the user is a member of the group they are trying to VPN with, and deny them access if they aren't. What I've noticed is that even if a user is not a member of the correct group, they will pass authorization.
Authentication is done by requiring client certificates and using OCSP responders to check for certificate revocation.
OK, so basically you only have authorization required on the tunnel group, but you have not told the device what would be a non-authorized state, right?
Correct. I'm not really sure how to tell the ASA what it should be looking for. It seems like the LDAP attribute map options for IETF-Radius-Class are only for matching AD groups to VPN groups. I've been using Tunneling-Protocols, which does ensure the user connects with the proper method, but doesn't have a true/false option. Any suggestions?
When using the LDAP map, you can map memberOf, for example, either to a tunnel protocol (one which is allowed and one which is not), or to a specific group policy which will or will not have permission to connect. I have done this several times and this is the most viable solution for me in your kind of setup.
I am using the memberOf attribute and tying it to the Tunneling-Protocols Cisco Name. Up until now, it seems like the ASA would accept the user even if they weren't a member of the AD group I am pointing it to. In my testing today though, if you aren't a member of the group it will take you to a "Goodbye" page. What gets returned to the ASA when it uses the LDAP attribute map?
This should give you an idea of what I am talking about:
Thanks for your help. After looking through those, I think I am going to have to change some AD settings to get this to work as I envisioned.
I have the same problem. I want to allow only the users that are in the VPN group, but the ASA seems to allow access for all users, not just those that are in the VPN group.
I read the links that imartino sent.
Have you solved this problem? How?
Can you post the config that you have created to restrict the user? What is your policy to restrict the user: are you using group policy tunnel protocol? Are you using dial-in access?
Here is the config of the ASA for the aaa, ldap, and VPN... I don't know what is missing.
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY
Where VPN is the group that my users must be in to authenticate and have VPN access to the network. If the user isn't in the VPN group in AD, the user should not be able to connect.
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (inside) host LDAPHOST
Where LDAPHOST is the server that has the AD, and asavpn is the user that has rights to authenticate to the AD.
Here is the tunnel-group config:
tunnel-group VPN general-attributes
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.1.4
Here is part of the debug of the LDAP auth process:
 displayName: value = Fabio Silva
 uSNCreated: value = 15114
 memberOf: value = CN=VPN,DC=domain,DC=local
 mapped to IETF-Radius-Class: value = VPNPOLICY
But if I remove the user from the VPN group in AD, the authentication still succeeds.
What is wrong?
That is because the user is assigned to the default group-policy that is configured on the tunnel group it is connecting to. You need to make this default group-policy somehow prevent the user from connecting if they are not mapped to the correct group-policy; what I use to do this is setting the tunnel-protocol to something different than IPSec.
I know that's an old post, but you can try to set the Simultaneous Logins of the DefaultGroup = 0, so nobody who ends up in the Default Group will be able to log in.
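Putting the two suggestions above together, here is an added example of how the pieces wire up on the ASA (it is not any poster's config, and the host name, DNs, service-account DN and password are placeholders): a matched memberOf returns VPNPOLICY as the IETF-Radius-Class, while anyone without a match lands in the tunnel group's default group-policy, which is made a dead end with vpn-simultaneous-logins 0.

```text
! Added example, not a poster's config. Placeholders: LDAPHOST, the
! DC=domain,DC=local DNs, the asavpn bind account and <PLACEHOLDER>.
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 ! The mapped value must equal the name of an existing group-policy.
 map-value memberOf CN=VPN,DC=domain,DC=local VPNPOLICY
!
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (inside) host LDAPHOST
 ldap-base-dn DC=domain,DC=local
 ldap-scope subtree
 ! Assumed: look the user up by the UPN taken from the certificate.
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=asavpn,CN=Users,DC=domain,DC=local
 ldap-login-password <PLACEHOLDER>
 server-type microsoft
 ldap-attribute-map CISCOMAP
!
! Dead-end policy: users with no memberOf match fall through to it.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy returned by the attribute map for members of CN=VPN.
group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
tunnel-group VPN general-attributes
 authorization-server-group LDAPSERVER
 authorization-required
 ! This is the policy the earlier replies refer to as the "default group".
 default-group-policy NOACCESS
```

With this in place, a "debug ldap 255" trace for a non-member shows no "mapped to IETF-Radius-Class" line, and the session is rejected by NOACCESS rather than admitted because the account merely exists in AD.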