Cisco Support Community


Group Policy assigned by LDAP Authorization to separate Forest

Using ASA 5520 IOS 7.2(4), I need to support VPN access to our network during a migration from our current AD Forest to a separate AD Forest (yes Forest, not just a domain within the same Forest). Authentication is by SSL cert; it is the LDAP Authorization that I'm having trouble with. How can I check for userPrincipalName via LDAP to 2 separate LDAP servers in 2 different AD Forests? The idea is that if the userPrincipalName is not present from one AAA Server Group, it goes to the next.


Re: Group Policy assigned by LDAP Authorization to separate Forest

If the user is a member of the 'vpnusers' group, then they would authenticate to an ACS server (using RSA). One issue we have here is that we do authentication before authorization. The users would authenticate to the ACS server and then LDAP authorization would be next. If the user is in the 'vpnusers' group, then they would be put in the 'vpnusers' group-policy.


Re: Group Policy assigned by LDAP Authorization to separate Forest

Thanks for the post. Unfortunately I can't do that (use the ACS for authentication). I'm forced by regulatory policy to use a central Corporate OCSP responder to authenticate and validate the SSL cert passed by the client (user). Because the info provided by the client is the same both pre- and post-migration, there is no unique attribute to determine which Group Policy / Tunnel Group to use.

That is why I tried listing both domain controllers as servers under the same AAA Server Group, hoping that if the LDAP query failed on the first it would send another query to the second. It appears that if it receives a response from the first one in the list, it stops and does not try to query the other servers listed.
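An added configuration example, not from the original thread, showing the ASA side of certificate-authenticated SSL VPN with LDAP authorization against one forest. All names, DNs and addresses (AD-GROUP-MAP, LDAP-OLD-FOREST, LDAP-NEW-FOREST, corp.example, 10.1.1.10, the service account) are hypothetical. It illustrates the behaviour the last post describes: the hosts inside one aaa-server group are failover peers, so the ASA moves to the next host only when the current one does not answer at all (timeout, reachability), and an LDAP reply of "no such object" is still an answer that ends the lookup. A tunnel group binds exactly one authorization-server-group, so the second forest gets its own server group rather than a second host in the first one.

```cisco
! Map the AD memberOf value to the ASA group-policy.
! On ASA 7.2 the target attribute for the group policy is IETF-Radius-Class.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=vpnusers,OU=Groups,DC=corp,DC=example" vpnusers

! Server group for the current (old) forest. Hosts inside a group are
! failover peers only: a host is skipped when it does not respond, not
! when it responds that the user was not found.
aaa-server LDAP-OLD-FOREST protocol ldap
 reactivation-mode timed
aaa-server LDAP-OLD-FOREST (inside) host 10.1.1.10
 ldap-base-dn DC=corp,DC=example
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=corp,DC=example
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! The new forest is a separate group; it cannot be chained after the
! first one from a single tunnel group.
aaa-server LDAP-NEW-FOREST protocol ldap
aaa-server LDAP-NEW-FOREST (inside) host 10.2.1.10
 ldap-base-dn DC=newcorp,DC=example
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=newcorp,DC=example
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

group-policy vpnusers internal
group-policy vpnusers attributes
 vpn-tunnel-protocol webvpn

! Certificate authentication, then LDAP authorization keyed on the UPN
! taken from the certificate (matched against userPrincipalName above).
tunnel-group VPN-CERT type webvpn
tunnel-group VPN-CERT general-attributes
 authorization-server-group LDAP-OLD-FOREST
 authorization-required
 authorization-dn-attributes UPN
tunnel-group VPN-CERT webvpn-attributes
 authentication certificate
```

With `authorization-required`, a user whose UPN is not found in the bound forest is rejected rather than passed on, which is the failure mode the thread is about. `debug ldap 255` on the ASA shows whether a host was skipped as unreachable or answered with no matching entry, which is the first thing to check before assuming the second host was never tried.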