Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with LDAP authentication for users in a group

I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.

I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:

[6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN

[6707]  msNPAllowDialin: value = TRUE

I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.


ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN

aaa-server LDAP protocol ldap
 ldap-base-dn DC=COMPANY,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
 server-type microsoft
 ldap-attribute-map AuthUsers

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
  anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value
  anyconnect profiles value COMPANY_SSL_VPN_client_profile type user

tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 address-pool COMPANY-SSL-VPN-POOL
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
 default-group-policy NOACCESS
tunnel-group COMPANY_SSL_VPN webvpn-attributes
 group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
 ikev1 pre-shared-key *****

  • VPN
New Member

I just figured it out. Under

I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

This widget could not be displayed.