I have setup my users to authenticate via ldap for RA VPN on my ASA 5520. The users get logged in without any issues and get the correct information but I found the users are able to login under another group name. Originally I was using the tunnel-lock option when they were local users but now that appears to not be working anymore. I've setup the mapping to authenticate the users against AD with ldap, and retrieve the memberOf value and map this to the IETF-Class value. Is their something I'm missing?
It sounds like you are on the right track. You can either configure the tunnel group lock under the respective group policy or utilize an LDAP attribute map to associate the lock. For example, you could look at the Department associated with the user and use the corresponding value to lock them to the corresponding tunnel group.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...