Authenticating with a user's LDAP username and password is working fine.
I've hit Google pretty hard but can't seem to find a simple answer. It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.
Cisco ASA LDAP authentication with openldap and groups
The solution proposed by Carl Davis worked for me pretty well! I had LDAP authentication working, but I wanted to allow only users in the "vpn" group to log in. I set up two LDAP entries, one for authentication and a second one for authorization.
Re: Cisco ASA LDAP authentication with openldap and groups
Greetings, not to bring up a post from the WAAAYY back, but this post kept cropping up when I was trying to do the same thing. I seem to have been able to get it to work. I wanted to respond to this in case others find the post and it can help them. This is for ASA version 8.2(2)12.
Essentially, what I did was add a secondary Authorization group that only authorizes the user. I believe these are the relevant sections:
[This authenticates the user against the Mac OS LDAP server]
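An added example of the two-server-group approach the replies above describe (this is not either poster's configuration): one aaa-server group authenticates the user, a second group is searched only inside the vpn group so that non-members fail authorization. Hostnames, addresses, DNs, the interface name and the assumption that "vpn" is a posixGroup listing usernames in memberUid are all made up for the example.

```text
! Added example, not the original posters' config. All names, addresses and DNs are assumed.
! Server group 1: authentication only. The ASA binds as the login DN, searches for
! uid=<username> under the People OU, then binds as the matched entry with the
! password the user typed.
aaa-server LDAP_AUTH protocol ldap
aaa-server LDAP_AUTH (inside) host 192.0.2.10
 server-type openldap
 ldap-base-dn ou=People,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=Service,dc=example,dc=com
 ldap-login-password <bind-password>
 server-port 636
 ldap-over-ssl enable
!
! Server group 2: authorization only. The base DN is the vpn group entry itself and
! the naming attribute is memberUid, so the lookup becomes (memberUid=<username>)
! under cn=vpn (subtree scope includes the base entry). A user not listed in the
! group returns no entry, so authorization fails even though authentication passed.
! Assumes an OpenLDAP / Open Directory posixGroup; groupOfNames-style groups that
! store full DNs in "member" need a different lookup.
aaa-server LDAP_VPN_GROUP protocol ldap
aaa-server LDAP_VPN_GROUP (inside) host 192.0.2.10
 server-type openldap
 ldap-base-dn cn=vpn,ou=Groups,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute memberUid
 ldap-login-dn cn=asa-bind,ou=Service,dc=example,dc=com
 ldap-login-password <bind-password>
 server-port 636
 ldap-over-ssl enable
!
! Tie both groups to the VPN tunnel group. authorization-required makes a failed
! group lookup deny the login instead of letting the session through.
tunnel-group REMOTE_VPN general-attributes
 authentication-server-group LDAP_AUTH
 authorization-server-group LDAP_VPN_GROUP
 authorization-required
```

Test with a member and a non-member of cn=vpn before rollout; `debug ldap 255` on the ASA shows the exact search filter and whether the authorization search returned an entry.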