Cisco ASA - LDAP Attribute map - IETF-Radius-Class - map-value

Jasonch518_2
Level 1

Hello,

I am trying to set up my ASA to do authentication for VPN users, where a specific group-policy will be assigned based on the AD group membership.

I know this can be achieved through the commands below:

ldap attribute-map CISCOMAP
  map-name memberOf IETF-Radius-Class
  map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.16.32.194
  ldap-base-dn DC=xxxrite,DC=local
  ldap-scope subtree
  ldap-naming-attribute samAccountName
  ldap-login-password *
  ldap-login-dn CN=LDAP Reader,OU=Utility Accounts,OU=Information Technology,OU=xedixxx,DC=xxxrite,DC=local
  server-type auto-detect
  ldap-attribute-map CISCOMAP

group-policy Employees internal
group-policy Employees attributes
  wins-server value 10.10.19.249
  dns-server value 192.16.32.194 10.10.19.248
  vpn-simultaneous-logins 1
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SSLVPN
  default-domain value xxx.local
  webvpn
    svc keep-installer installed
    svc ask enable default svc

The values have been changed to different names for this thread, but the basics are the same. The issue I seem to be having is with the map-value line, where I have spaces in my CN and OU names. This is an existing infrastructure, and it is not really feasible to change the OUs to not have spaces. Are there any other workarounds? Is this fixed in later code? I am running 8.0(4).

There doesn't seem to be an issue with the spaces in the ldap-login-dn, just with the map-value for IETF-Radius-Class.

Thanks for any help.

2 Replies

Jennifer Halim
Cisco Employee

I don't think there is any problem with spaces for the CN or OU value.

One thing that I found in your LDAP map configuration is that you don't actually have the value to be mapped to.

From your example, it should be as follows:

ldap attribute-map CISCOMAP
  map-name memberOf IETF-Radius-Class
  map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

You are actually missing the "group-policy" name at the end of the map-value field.

Jennifer,

Thank you for the response.

That was a typo on my part, as far as leaving off the group-policy name in this thread, though it is part of my testing configuration.

map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

map-value memberOf CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

The second string works as far as the ASA is concerned, when I use the dashes, but it will throw a syntax error with spaces.

This could be a limitation of the code, but I am unsure, and trying to find verification, or a work around.

Thanks!
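As an added illustration (not part of the original thread or of any Cisco code), the Python below emulates what the ASA does with the attribute map discussed above: read the user's multi-valued memberOf attribute as the directory returns it, compare each value against the map-value DNs, and hand back the matching group-policy. The sample LDIF record, the user names and the comparison rules (whole-DN match, case-insensitive, whitespace around the separators ignored) are assumptions of this emulation, not Cisco's documented algorithm. It makes two practical points visible: the dashed "Test-Users" entry that the 8.0(4) CLI accepts will never match a group whose real DN contains "Test Users", and a user who matches no map-value is not rejected but silently receives the tunnel-group's default group-policy, so that default should deny access rather than grant it.

```python
"""Emulation of a Cisco ASA LDAP attribute-map lookup (memberOf -> group-policy).

Added example, not from the original post. Matching semantics here are an
assumption: whole-DN comparison, case-insensitive, whitespace around the
',' and '=' separators ignored.
"""
import re

# Constructed LDIF record, shaped like the output of an ldapsearch such as
#   ldapsearch -x -LLL -H ldap://192.16.32.194 -D "CN=LDAP Reader,..." -W \
#       -b "DC=xxxrite,DC=local" "(sAMAccountName=jdoe)" memberOf
# The first memberOf value is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=John Doe,OU=Staff,OU=xedixxx,DC=xxxrite,DC=local
sAMAccountName: jdoe
memberOf: CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxr
 ite,DC=local
memberOf: CN=Domain Users,CN=Users,DC=xxxrite,DC=local
"""

# The map-value pairs from the thread: (DN as written on the ASA, group-policy).
ATTRIBUTE_MAP_SPACES = [
    ("CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local", "Employees"),
]
# The dashed variant the poster found the 8.0(4) CLI would accept.
ATTRIBUTE_MAP_DASHES = [
    ("CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local", "Employees"),
]

# What an ASA assigns when no map-value matches, unless the tunnel-group
# points at a different default group-policy.
DFLT_GRP_POLICY = "DfltGrpPolicy"


def parse_member_of(ldif_text: str) -> list:
    """Return every memberOf value from an LDIF record, unfolding continuation lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:  # LDIF folding: a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "memberof":
            values.append(value.strip())
    return values


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around ',' or '='.

    An escaped comma inside a value (backslash-comma) is not an RDN separator.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def resolve_group_policy(member_of, attribute_map, default=DFLT_GRP_POLICY) -> str:
    """Pick the group-policy for a user: the first memberOf value with a map-value match wins.

    Returns `default` when nothing matches. That is the fail-open path: an AD
    user outside every mapped group still gets a policy, so the default should
    be one that denies access (for example a policy with vpn-simultaneous-logins 0).
    """
    wanted = {normalize_dn(dn): policy for dn, policy in attribute_map}
    for dn in member_of:
        policy = wanted.get(normalize_dn(dn))
        if policy is not None:
            return policy
    return default


if __name__ == "__main__":
    groups = parse_member_of(SAMPLE_LDIF)
    print("memberOf:", groups)
    print("map with spaces ->", resolve_group_policy(groups, ATTRIBUTE_MAP_SPACES))
    print("map with dashes ->", resolve_group_policy(groups, ATTRIBUTE_MAP_DASHES))
    print("dashes, NOACCESS default ->",
          resolve_group_policy(groups, ATTRIBUTE_MAP_DASHES, default="NOACCESS"))
```

Running it against the constructed record gives "Employees" for the map written with spaces and "DfltGrpPolicy" for the dashed map, which is the quiet failure to watch for: the ASA accepts the dashed line without complaint, but the directory never returns a DN in that form, so the user lands in the default policy instead of being denied. Comparing the memberOf strings returned by ldapsearch with the map-value text character for character is the first check to make when a mapping does not take effect.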
