
New Member

Cisco ASA - LDAP Attribute map - IETF-Radius-Class - map-value

Hello,

I am trying to set up my ASA to do authentication for VPN users, where a specific group-policy will be assigned based on the AD group membership.

I know this can be achieved through the below commands:

ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.16.32.194
  ldap-base-dn DC=xxxrite,DC=local
  ldap-scope subtree
  ldap-naming-attribute samAccountName
  ldap-login-password *
  ldap-login-dn CN=LDAP Reader,OU=Utility Accounts,OU=Information Technology,OU=xedixxx,DC=xxxrite,DC=local
  server-type auto-detect
  ldap-attribute-map CISCOMAP

group-policy Employees internal
group-policy Employees attributes
  wins-server value 10.10.19.249
  dns-server value 192.16.32.194 10.10.19.248
  vpn-simultaneous-logins 1
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SSLVPN
  default-domain value xxx.local
  webvpn
    svc keep-installer installed
    svc ask enable default svc

The values have been changed to different names for this thread, but the basics are the same. The issue I seem to be having is with the bold portion, where I have spaces in my CN & OU names for the map-value. This is an existing infrastructure, and it is not really feasible to change the OUs to not have spaces. Are there any other workarounds? Is this fixed in a later code? I am running 8.0(4).

There doesn't seem to be an issue with the spaces in the ldap-login-dn, just with the map-value for IETF-Radius-Class.

Thanks for any help.

2 REPLIES
Super Bronze

Re: Cisco ASA - LDAP Attribute map - IETF-Radius-Class - map-val

I don't think there is any problem with spaces for the CN or OU value.

One thing that I found from your ldap map configuration is you don't actually have the value to be mapped to.

From your example, it should be as follows:

ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class

  map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

You are actually missing the "group-policy" name at the end of the map-value field.

New Member

Re: Cisco ASA - LDAP Attribute map - IETF-Radius-Class - map-val

Jennifer,

Thank you for the response.

That was a typo on my part, as far as leaving off the group-policy name in this thread, though it is part of my testing configuration.

map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

map-value memberOf CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees

The second string works, when I use the dashes, as far as the ASA is concerned, but it will throw a syntax error with spaces.

This could be a limitation of the code, but I am unsure, and trying to find verification, or a workaround.

Thanks!
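To make the failure in this thread concrete, here is an added example (not from the original posts or from Cisco) that models a whitespace-tokenized `map-value` line and the memberOf-to-group-policy lookup it drives. The DASHED/SPACED lines are the two from the thread; the QUOTED line and the idea that double-quoting the LDAP value removes the ambiguity are assumptions for illustration, not a statement about any particular ASA release.

```python
import shlex
from typing import Dict, List, Optional

# Constructed config lines mirroring the thread; this is an illustrative model of a
# whitespace-tokenized CLI, not the ASA's own parser.
DASHED = "map-value memberOf CN=Test-Users,OU=PlaceHolder,OU=Outside-Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees"
SPACED = "map-value memberOf CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local Employees"
# Assumption: enclosing the LDAP value in double quotes keeps it as one token.
QUOTED = 'map-value memberOf "CN=Test Users,OU=PlaceHolder,OU=Outside Contacts,OU=xedixxx,DC=xxxrite,DC=local" Employees'


def parse_map_value(line: str, quote_aware: bool = False) -> Dict[str, str]:
    """Split 'map-value <attr> <ldap-value> <cisco-value>' into its three fields.

    With quote_aware=False the line is split on whitespace only, so a space inside
    the LDAP value yields extra tokens and a syntax error (the 8.0(4) symptom in the
    thread). With quote_aware=True, shell-style quoting keeps the value intact.
    """
    tokens = shlex.split(line) if quote_aware else line.split()
    if len(tokens) != 4 or tokens[0] != "map-value":
        raise ValueError(f"syntax error: expected 4 tokens, got {len(tokens)}")
    return {"attr": tokens[1], "ldap_value": tokens[2], "cisco_value": tokens[3]}


def is_accepted(line: str, quote_aware: bool = False) -> bool:
    """True when the line parses cleanly, False when it hits the syntax error."""
    try:
        parse_map_value(line, quote_aware)
        return True
    except ValueError:
        return False


def resolve_group_policy(member_of: List[str], map_lines: List[str],
                         quote_aware: bool = False) -> Optional[str]:
    """Return the group-policy for the first memberOf DN that has a map-value.

    The compare is an exact, case-sensitive match of the whole DN, so a DN that
    differs only in spacing (Test Users vs Test-Users) does not match. None means
    no match, i.e. the tunnel-group's default group-policy would apply instead.
    """
    table = {}
    for line in map_lines:
        entry = parse_map_value(line, quote_aware)
        table[entry["ldap_value"]] = entry["cisco_value"]
    for dn in member_of:
        if dn in table:
            return table[dn]
    return None
```

Because the match is exact, the memberOf value AD returns for the test user must be compared character for character against the configured map-value when a user lands in the default policy unexpectedly.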
