I recently enabled aliases and have them associated with the connection profiles I have defined. The problem I'm running into is regardless of what group I select from the drop down I always get dumped into the same group policy. The connection in the logs shows up correctly but the policy is always the same.
This is one of those problems I think I've just looked at too long and now I'm missing the obvious.
Any help that someone can provide would be greatly appreciated.
Sounds like you have a group policy assigned to your user either locally on the ASA or via RADIUS attribute 25 or LDAP mapping. What type of authentication are you using on the tunnel groups you are testing with?
Users are being authenticated via LDAP. I currently have one map defined and 3 different map values. What seems to be happening is if I have an account in each map value it associates with the first one regardless of the group-alias I select at login.
That is a limitation of the LDAP map feature. It will only look at the first memberOf attribute value. DAP doesn't have this limitation but in its current form cannot assign group policies within itself. In this case, the session would have to be properly segmented via the tunnel-group/group-policy association methods in order to work.
memberOf "VPN-Employees" > Group Policy "Employees"
memberOf "VPN-Contractors" > Group Policy "Contractors"
memberOf "VPN-Executives" > Group Policy "Executives"
Are you saying that only the first memberOf mapping is ever evaluated? As in, if a user is a member of VPN-Contractors, they will never match because VPN-Contractors is not the first memberOf attribute in the list?
Or are you saying that only the first matching memberOf attribute is evaluated? As in, If a user is a member of VPN-Employees and VPN-Executives, only the VPN-Employees memberOf attribute will match?
The ldap-attribute-map feature has a limitation with multi-valued AD attributes such as memberOf. If a user is a member of several AD groups, the ASA will only parse or trigger on the 1st one. DAP doesn't have this limitation but DAP can't assign authorization attributes in its current form, so you will need to have sessions properly segmented into multiple tunnel-groups/group-policies. Based on your sample above, only your Employees group would be matched on.
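For reference, here is the kind of configuration the thread is discussing, written as an added example rather than anything posted by the participants. The AD domain, the service account DN, the server address and the OU paths are assumptions. It maps the three memberOf values to the three group policies, attaches the map to the LDAP server group, and sets a deny-all default group policy on the tunnel-group so that a user whose first memberOf value matches none of the map-values is refused instead of landing in whatever policy the tunnel-group would otherwise hand out.

```text
! Assumed AD layout: DC=example,DC=com, VPN groups under OU=Groups (example only)
ldap attribute-map VPN-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=example,DC=com" Employees
 map-value memberOf "CN=VPN-Contractors,OU=Groups,DC=example,DC=com" Contractors
 map-value memberOf "CN=VPN-Executives,OU=Groups,DC=example,DC=com" Executives

! Assumed LDAP server and bind account (example values)
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <redacted>
 server-type microsoft
 ldap-attribute-map VPN-GROUP-MAP

! Deny-all fallback so an unmapped memberOf value cannot fall through
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy Employees internal
group-policy Contractors internal
group-policy Executives internal

tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
```

Two practical notes follow from the answer above. First, the map only acts on the first memberOf value the directory returns, so a test account that is in all three groups is not a valid test of the map; use three accounts that are each in exactly one group. Second, the map-value string must match the group's full DN exactly as the directory returns it, so `debug ldap 255` during a test login is the quickest way to see which memberOf value the ASA actually compared and why a user ended up in NOACCESS.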