Cisco Support Community

VPN and LDAP - multiple attributes in map


I've recently configured VPN with LDAP to our Windows Server 2012. Within the LDAP Attribute Map which is assigned to the server group I have specified the attribute name msNPAllowDialin and this works fine, but I was wondering if I can just add another attribute, "memberOf", to the same map and specify there the specific user group which should have VPN access. Will the user be authenticated if both attributes are true? I mean, the user has "Allow access" enabled on NAP and belongs to the security group "VPN-Users"?

I've run some tests already and configured the following on my ASA 5510, but for some reason it doesn't work the way I want :) I would like to make sure that only users who belong to the "CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp" group and have NAP set to "Allow access" can authenticate. I removed a user from the MyBusiness VPN Users group, but he was still able to authenticate.


Any idea how I can fix it?

Thank you for your help!:)



ldap attribute-map LDAP2CISCO_MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp" 6
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin "FALSE" NOACCESS
  map-value msNPAllowDialin "TRUE" ALLOWACCESS


aaa-server agldap_ciscovpn (vlan-server) host
 server-port 389
 ldap-base-dn ou=Users,ou=MyBusiness,ou=BB Subsidiaries,dc=xxx,dc=corp
 ldap-group-base-dn OU=Security,OU=Groups,OU=MyBusiness,OU=BB Subsidiaries,DC=xxx,DC=corp
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=XX ldap account,ou=Service Accounts,ou=XX Users,dc=xxx,dc=corp
 server-type microsoft
 ldap-attribute-map LDAP2CISCO_MAP
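To make the failure mode in the post concrete, the following added example (not part of the original post and not Cisco ASA code) models how the posted attribute map turns a directory entry into an access decision. It assumes, as an explicit simplification, that a returned LDAP value with no matching map-value contributes nothing to the decision, which is consistent with the outcome the post describes: a user removed from the VPN group produces no memberOf match, so the only thing left deciding IETF-Radius-Class is msNPAllowDialin. It then contrasts that with the rule the post actually wants, where both conditions must hold and anything else is denied. The directory entries are constructed sample data, and the NOACCESS/ALLOWACCESS handling stands in for whatever group-policy objects of those names would enforce on the ASA.

```python
"""Model of the access decision produced by the posted LDAP attribute map.

Constructed example, not ASA code.  Assumption: an LDAP value without a
matching map-value is simply not emitted, so it can never deny anything.
"""

VPN_GROUP_DN = ("CN=MyBusiness VPN Users,OU=Security,OU=Groups,OU=MyBusiness,"
                "OU=BB Subsidiaries,DC=xxx,DC=corp")

# The map as posted: both LDAP attributes feed the same Cisco attribute.
# Each tuple is (ldap attribute, cisco attribute, {ldap value: cisco value}).
POSTED_MAP = [
    ("memberOf", "IETF-Radius-Class", {VPN_GROUP_DN: "6"}),
    ("msNPAllowDialin", "IETF-Radius-Class",
     {"FALSE": "NOACCESS", "TRUE": "ALLOWACCESS"}),
]


def translate(ldap_entry, attribute_map):
    """Return {cisco_attr: [values]} for one directory entry.

    Only LDAP values that hit a map-value are emitted (see module docstring);
    a user whose memberOf list lacks the VPN group yields no value from the
    memberOf mapping at all.
    """
    out = {}
    for ldap_attr, cisco_attr, value_map in attribute_map:
        for value in ldap_entry.get(ldap_attr, []):
            if value in value_map:
                out.setdefault(cisco_attr, []).append(value_map[value])
    return out


def decision_as_posted(ldap_entry):
    """Grant unless some emitted value is NOACCESS.

    Because group membership can only add a value (never emit a deny), the
    memberOf half of the map cannot block a user; msNPAllowDialin decides.
    """
    values = translate(ldap_entry, POSTED_MAP).get("IETF-Radius-Class", [])
    return bool(values) and "NOACCESS" not in values


def decision_both_required(ldap_entry):
    """The rule the post is after: allow only when the user is in the VPN
    group AND msNPAllowDialin is TRUE.  Missing attributes fall to deny."""
    in_group = VPN_GROUP_DN in ldap_entry.get("memberOf", [])
    dialin = ldap_entry.get("msNPAllowDialin", ["FALSE"])[0].upper() == "TRUE"
    return in_group and dialin


# Constructed directory entries (sample data, not real accounts).
MEMBER = {"memberOf": [VPN_GROUP_DN], "msNPAllowDialin": ["TRUE"]}
REMOVED = {"memberOf": ["CN=Staff,OU=Groups,DC=xxx,DC=corp"],
           "msNPAllowDialin": ["TRUE"]}
DIALIN_OFF = {"memberOf": [VPN_GROUP_DN], "msNPAllowDialin": ["FALSE"]}

if __name__ == "__main__":
    for name, entry in (("member", MEMBER), ("removed", REMOVED),
                        ("dialin off", DIALIN_OFF)):
        print(f"{name:10s} as posted: {decision_as_posted(entry)!s:5s} "
              f"both required: {decision_both_required(entry)}")
```

The "removed" entry is the case from the post: under the posted map it is still granted because nothing in the map ever emits a deny for a non-member, whereas the two-condition rule denies it. Whatever the ASA is eventually configured to do, the check worth keeping is the default-deny shape of `decision_both_required`: a user should have to match the group, not merely fail to match it.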
