Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Microsoft AD based security group authentication for VPN

I have anyconnect setup to authenticate via ldap with a microsoft domain.  I get successful authentication replies on testing user accounts.  I am trying to set up AD security group based authentication so I can set the default tunnel-group policy to NOACCESS and have members of an AD security group sent to another group-policy.

I believe it is setup according to countess documentation(s) on the topic, however I think that 'other' AD groups are causing the user(s) not to get the correct group policy.  See the snippet from a debug ldapp 255:


[-2147483640]   memberOf: value = CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xx,DC=xx,
[-2147483640]           mapped to Group-Policy: value = districtemployee
[-2147483640]           mapped to LDAP-Class: value = districtemployee
[-2147483640]   memberOf: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,
[-2147483640]           mapped to Group-Policy: value = CN=Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN= Network Admins,OU=Security Groups,OU=Domain Groups,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]   memberOf: value = CN=PC Technicians,OU=IT,DC=xxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to Group-Policy: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx
[-2147483640]           mapped to LDAP-Class: value = CN=PC Technicians,OU=IT,DC=xxxx,DC=xxx,DC=xx,DC=xx

The user authenticates successfully, but I believe it is rolling into the default group-policy because the other non-mapped groups are changing the group-policy name to match the distinguished name of the other groups.  Here is my attribute map:


ldap attribute-map LDAP_MemberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=AnyconnectVPNUsers,OU=Security Groups,OU=Domain Groups,DC=xxxx,DC=xxx,DC=xx,DC=xx" districtemployee


Does anyone have this working with multiple groups per user?  I was sure that it was a bug but I have upgraded to the latest train of code on this asa and still the same issue.




CreatePlease to create content