Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
496
Views
0
Helpful
2
Replies

Trying to authentication users to an LDAP group - all users authenticated

Go to solution
baskervi
Level 1
Level 1

‎11-05-2010 09:03 AM

The ASA successfully authenticates all users whether or not they are in the OKCVPNAccess user's group, and the ASA properly sees the LDAP attribute map. There is only one policy.

[54]    memberOf: value = CN=OKC-VPNAccess,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
[54]            mapped to IETF-Radius-Class: value = LDAPPolicy

I've gone through a lot of documentation on Cisco's web sites as well as looked at several forums, but I'm coming up with a blank as to what I can try next. I know this will work with RADIUS and I've used RADIUS several times in the past, so that isn't an option. I've been requested to do this with LDAP. Any suggestions? I've included the necessary part of the configuration, and I tried to sanitize it somewhat, so there may be a name mismatch here or there.

Thanks

ldap attribute-map LDAPMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=OKC-VPNAccess,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.12.34.248
server-port 389
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn xxx\vpn.auth
server-type microsoft
ldap-attribute-map LDAPMAP

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map CRYPTO-MAP interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify

group-policy CRYPTOGP internal
group-policy CRYPTOGP attributes
banner value Use of this system is ...Please disconnect immediately!
dns-server value 10.12.34.248 10.129.8.136
vpn-tunnel-protocol IPSec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUNNEL
default-domain value xxx.local

tunnel-group CRYPTO-OKC-VPN type remote-access
tunnel-group CRYPTO-OKC-VPN general-attributes
authentication-server-group LDAP
address-pool IPPOOL
default-group-policy CRYPTOGP
authentication-server-group LDAP
tunnel-group CRYPTOOKC-VPN ipsec-attributes
pre-shared-key *

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Yudong Wu
Level 7
Level 7

‎11-05-2010 10:52 AM

I think using LDAP map is just for matching a LDAP attribute to a group policy, you can control the user access by group policy.

here is an example.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

After the user get vpn connected, can you use "show vpn-sessiondb" to check which group-policy is used?

By the way, I did not see "LDAPPolicy" was defined in your configuration.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Yudong Wu
Level 7
Level 7

‎11-05-2010 10:52 AM

I think using LDAP map is just for matching a LDAP attribute to a group policy, you can control the user access by group policy.

here is an example.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

After the user get vpn connected, can you use "show vpn-sessiondb" to check which group-policy is used?

By the way, I did not see "LDAPPolicy" was defined in your configuration.

0 Helpful

Go to solution
baskervi
Level 1
Level 1
In response to Yudong Wu

‎11-06-2010 01:41 AM

I missed this part. I'm about to try it, but I feel certain it will work. Thank you very much.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents