11-24-2010 09:47 PM
Hello,
I am trying to set up my ASA to do authentication for VPN users, where a specific group-policy will be assigned based on AD group membership.
I know this can be achieved through the below commands:
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.16.32.194
 ldap-base-dn DC=xxxrite,DC=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password *
 ldap-login-dn CN=LDAP Reader,OU=Utility Accounts,OU=Information Technology,OU=xedixxx,DC=xxxrite,DC=local
 server-type auto-detect
 ldap-attribute-map CISCOMAP
group-policy Employees internal
group-policy Employees attributes
 wins-server value 10.10.19.249
 dns-server value 192.16.32.194 10.10.19.248
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN
 default-domain value xxx.local
 webvpn
  svc keep-installer installed
  svc ask enable default svc
The values have been changed to different names for this thread, but the basics are the same. The issue I seem to be having is with the bold portion, where I have spaces in my CN & OU names for the map-value. This is an existing infrastructure, and it is not really feasible to change the OUs to not have spaces. Are there any other workarounds? Is this fixed in a later code? I am running 8.0(4).
There doesn't seem to be an issue with the spaces in the ldap-login-dn, just with the map-value for IETF-Radius-Class.
Thanks for any help.
11-24-2010 09:58 PM
I don't think there is any problem with spaces for the CN or OU value.
One thing that I found from your ldap map configuration is you don't actually have the value to be mapped to.
From your example, it should be as follows:
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees
You are actually missing the "group-policy" name at the end of the map-value field.
11-24-2010 10:05 PM
Jennifer,
Thank you for the response.
That was a typo on my part, as far as leaving off the group-policy name in this thread, though it is part of my testing configuration.
map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees
map-value memberOf CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees
The second string works, when I use the dashes, as far as the ASA is concerned, but it will throw a syntax error with spaces.
This could be a limitation of the code, but I am unsure, and trying to find verification, or a work around.
Thanks!
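The mapping logic behind the thread, as an added example that is not part of the original posts: a small Python model of how an `ldap attribute-map` turns a user's memberOf DNs into a group-policy name. The config text and the DNs are constructed samples; wrapping a DN that contains spaces in double quotes is an assumption for this parser, and exact, first-match resolution with fallback to DfltGrpPolicy is a simplified model of the ASA, not its code.

```python
import shlex

# Constructed sample of an ASA "ldap attribute-map" block. DNs containing
# spaces are written in double quotes so shlex can tokenize them; whether a
# given ASA release accepts that syntax is an assumption, not verified here.
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local" Employees
 map-value memberOf "CN=VPN Admins,OU=PlaceHolder,OU=xedixxx,DC=xxxrite,DC=local" Admins
"""

# Policy a user lands in when no map-value matches (the ASA default policy).
DEFAULT_POLICY = "DfltGrpPolicy"


def parse_attribute_map(config: str) -> dict:
    """Return {ldap_attribute: {dn_value: group_policy}} from map-value lines.

    Each map-value line is: map-value <attr> <value> <group-policy>. The value
    must be a single token, which is why a DN with spaces needs quoting.
    """
    mapping = {}
    for raw in config.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) == 4 and tokens[0] == "map-value":
            _, attr, value, policy = tokens
            mapping.setdefault(attr, {})[value] = policy
    return mapping


def resolve_policy(member_of: list, mapping: dict) -> str:
    """Pick the group-policy for a user from their memberOf DNs.

    Simplified model: the first DN that exactly matches a configured map-value
    wins; a DN that differs even by a dash versus a space does not match, and
    the user falls through to DEFAULT_POLICY.
    """
    values = mapping.get("memberOf", {})
    for dn in member_of:
        if dn in values:
            return values[dn]
    return DEFAULT_POLICY


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)
    # Constructed memberOf values as an LDAP server might return them.
    spaced = ["CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local"]
    dashed = ["CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local"]
    print(resolve_policy(spaced, amap), resolve_policy(dashed, amap))
```

The fall-through case is the one to audit: a user whose group DN does not match exactly is not rejected but placed in the default group-policy, so that policy should permit no more than you intend for unmapped users.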