Below you will see that I have configured two memberOf mappings. The second is what I need help with.
The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine. However, I think it would be easier to administrate if I can drag user groups under the VPN_CORP group. I've created this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP. My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find' searching for my test user dfood, it doesn't show me that dfood is subordinate to group VPN_CORP, Finance Users but rather only the original path where the user group Finance Users truly exists.
I know I can enter the full path to the true OU and this would work but this is defeating the purpose of simplifying this.
I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the container VPN_CORP? Am I stuck adding users individually?
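An added illustration (not from the thread or any Cisco documentation) of why the flat memberOf match fails here: a user's memberOf attribute lists only the groups that contain the user directly, so finding VPN_CORP for dfood requires walking the chain Finance Users -> VPN_CORP. The DNs below are constructed; the group and user names follow the post, and the DC components are assumptions.

```python
# Added example: resolve nested AD group membership from memberOf data.
from collections import deque

# Constructed directory snapshot: object DN -> DNs listed in its memberOf.
# dfood is a direct member of "Finance Users", which is nested in VPN_CORP.
DIRECTORY = {
    "CN=dfood,OU=Users,DC=example,DC=com": [
        "CN=Finance Users,OU=Finance,DC=example,DC=com",
    ],
    "CN=Finance Users,OU=Finance,DC=example,DC=com": [
        "CN=VPN_CORP,OU=VPN Groups,DC=example,DC=com",
    ],
    # A deliberate cycle, to show the walker does not loop forever.
    "CN=VPN_CORP,OU=VPN Groups,DC=example,DC=com": [
        "CN=Finance Users,OU=Finance,DC=example,DC=com",
    ],
}

def direct_groups(dn):
    """Groups listed in the object's own memberOf attribute (what a flat
    memberOf mapping on the firewall actually compares against)."""
    return set(DIRECTORY.get(dn, []))

def transitive_groups(dn):
    """Breadth-first walk over memberOf links, including nested groups."""
    seen, queue = set(), deque(direct_groups(dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # cycle or already visited
        seen.add(group)
        queue.extend(direct_groups(group))
    return seen

def allowed(user_dn, required_group_dn, nested=False):
    """True if the user matches the required group, flat or nested."""
    groups = transitive_groups(user_dn) if nested else direct_groups(user_dn)
    return required_group_dn in groups

def in_chain_filter(group_dn):
    """LDAP filter using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941), which makes the DC do the same walk
    server-side for clients that can issue their own search filter."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={group_dn})"

if __name__ == "__main__":
    user = "CN=dfood,OU=Users,DC=example,DC=com"
    corp = "CN=VPN_CORP,OU=VPN Groups,DC=example,DC=com"
    print("flat match:", allowed(user, corp))            # False
    print("nested match:", allowed(user, corp, nested=True))  # True
```

The flat check is the behaviour the post observes (dfood only matches Finance Users), and the nested walk is what an authorization rule needs to perform, or what a DAP policy keyed on security-group membership does for you, before VPN_CORP nesting becomes useful.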
I know with at least ASA code 8.2(3) using DAP's you can select users based on Active Directory Security group membership rather than OU based membership. No LDAP attribute tricks needed, you just setup LDAP to look at your domain and then you can see your list of security groups and pick and choose.
I know this is from over a year ago and was wondering if anything had changed? I too am looking to try to use nested members for my VPN authentication.
Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent, I am now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this method.
I noticed in the above that there was a reference to DAP? If that is the solution where can I find more information on how this works and how to set it up?
So if I understand this right I can take multiple LDAP memberOf values and use or/and to make a policy match. In my case there would be an LDAP memberOf for each location with them all "or" together? Can I take this one step further and, depending on where the match is, also modify the network list the user has access to?