wsani
asked on
ASA 5510 LDAP and LDAP attributes
Hello all,
I'm trying to setup two AnyConnect VPN profiles:
1. vpn0 - for all users that have limited access per split tunnel ACE, which is 10.20.50.0/24
2. vpn1 - primarily for me that gives me full access per split tunnel ACE, which consists of 10.20.50.0/24 and 172.25.111.0/24
In the future, there will be more subnets but the aforementioned are it for now. I've configured the VPN profiles with the LDAP attributes maps for each AAA server group. Here is the breakdown of my running-config for the LDAP attributes, etc.:
vpn0 ACL:
access-list acl_split-tunnel-0 standard permit 10.20.50.0 255.255.255.0
access-list acl_split-tunnel-0 standard permit 10.20.60.0 255.255.255.0
vpn1 ACL:
access-list acl_split-tunnel-1 standard permit 172.25.111.0 255.255.255.0
access-list acl_split-tunnel-1 standard permit 10.20.50.0 255.255.255.0
vpn0 LDAP Active Directory, the only difference between vpn0 and vpn1 LDAP group is the LDAP attribute map:
aaa-server ad0 protocol ldap
aaa-server ad0 (inside) host 10.20.50.20
server-port 636
ldap-base-dn dc=domain,dc=local
ldap-group-base-dn dc=domain,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn,CN=Users,DC=domain,DC=local
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map ad0map
aaa-server ad0 (inside) host 10.20.50.30
server-port 636
ldap-base-dn dc=domain,dc=local
ldap-group-base-dn dc=domain,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn,CN=Users,DC=domain,DC=local
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map ad0map <-- ad1map for ad1 group.
ad0map:
ldap attribute-map ad0map
map-name memberOf Group-Policy
map-value memberOf CN=vpn-users,OU=Groups,DC=domain,DC=local GroupPolicy_arw-vpn_ldap0
ad1map:
ldap attribute-map ad1map
map-name memberOf Group-Policy
map-value memberOf CN=vpn-admins,OU=Groups,DC=domain,DC=local GroupPolicy_arw-vpn_ldap1
When I log in using AnyConnect to either of the vpn0 or vpn1 groups, I'm able to log in with users from either of the M$ security groups (vpn-users or vpn-admins). I'm trying to limit access per M$ security groups.
Any clues what the heck I'm doing wrong here? I feel like I'm running in a circle :)
running-config.txt
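Added example (editor's, not the asker's running-config and not the certified solution behind the paywall). The thing to check with a config like the one above is what happens to a user whose memberOf matches nothing in the attribute map: the LDAP bind still succeeds, so the ASA applies the tunnel-group's default-group-policy (DfltGrpPolicy unless changed), and that policy permits logins unless it carries vpn-simultaneous-logins 0. The script below parses an ASA running-config, works out which group-policy a given user lands in on a given tunnel-group, and flags tunnel-groups whose fallback policy still admits sessions. The tunnel-group and group-policy stanzas in the sample configs are assumptions (the attached running-config.txt is not on the page); the attribute maps are the ones posted. The NOACCESS fallback shown in the second sample is one standard way to make the attribute map deny by default, offered as an assumption rather than as the asker's answer.

```python
"""Audit a Cisco ASA running-config for AnyConnect tunnel-groups that rely only on an
LDAP attribute map to keep the wrong AD group out.

Model (assumed here, matching documented ASA behaviour): after a successful LDAP bind
the ASA applies the attribute map bound to the tunnel-group's aaa-server group; the
first map-value matching one of the user's memberOf values selects the Group-Policy.
With no match the session gets the tunnel-group's default-group-policy (DfltGrpPolicy
unless changed), and only a policy with vpn-simultaneous-logins 0 refuses it.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample: the poster's attribute maps plus assumed tunnel-group / group-policy
# stanzas (the attached running-config is not on the page). No default-group-policy is
# set, so unmapped users fall back to DfltGrpPolicy.
WEAK_CONFIG = """\
ldap attribute-map ad0map
  map-name memberOf Group-Policy
  map-value memberOf CN=vpn-users,OU=Groups,DC=domain,DC=local GroupPolicy_arw-vpn_ldap0
ldap attribute-map ad1map
  map-name memberOf Group-Policy
  map-value memberOf CN=vpn-admins,OU=Groups,DC=domain,DC=local GroupPolicy_arw-vpn_ldap1
aaa-server ad0 protocol ldap
aaa-server ad0 (inside) host 10.20.50.20
 ldap-attribute-map ad0map
aaa-server ad1 protocol ldap
aaa-server ad1 (inside) host 10.20.50.20
 ldap-attribute-map ad1map
group-policy GroupPolicy_arw-vpn_ldap0 internal
group-policy GroupPolicy_arw-vpn_ldap0 attributes
 split-tunnel-network-list value acl_split-tunnel-0
group-policy GroupPolicy_arw-vpn_ldap1 internal
group-policy GroupPolicy_arw-vpn_ldap1 attributes
 split-tunnel-network-list value acl_split-tunnel-1
tunnel-group vpn0 type remote-access
tunnel-group vpn0 general-attributes
 authentication-server-group ad0
tunnel-group vpn1 type remote-access
tunnel-group vpn1 general-attributes
 authentication-server-group ad1
"""

# Same config plus a deny-by-default fallback policy (an assumption, not the page's
# certified answer): anyone the attribute map does not place gets zero logins.
FIXED_CONFIG = WEAK_CONFIG + """\
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group vpn0 general-attributes
 default-group-policy NOACCESS
tunnel-group vpn1 general-attributes
 default-group-policy NOACCESS
"""


@dataclass
class AsaConfig:
    attribute_maps: dict = field(default_factory=dict)   # map name -> [(memberOf DN, policy)]
    aaa_server_maps: dict = field(default_factory=dict)  # aaa-server group -> map name
    group_policies: dict = field(default_factory=dict)   # policy -> {command: args}
    tunnel_groups: dict = field(default_factory=dict)    # tunnel-group -> {command: args}


def parse_asa(text: str) -> AsaConfig:
    """Keep only what the audit needs: a non-indented line opens a section and indented
    lines are its sub-commands. shlex keeps quoted DNs containing spaces intact."""
    cfg = AsaConfig()
    section = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            section = shlex.split(raw)
            if section[0] == "group-policy":
                cfg.group_policies.setdefault(section[1], {})
            continue
        words = shlex.split(raw)
        head, name = section[0], section[1]
        if head == "ldap" and words[:2] == ["map-value", "memberOf"]:
            cfg.attribute_maps.setdefault(section[2], []).append((words[2], words[3]))
        elif head == "aaa-server" and words[0] == "ldap-attribute-map":
            cfg.aaa_server_maps[name] = words[1]
        elif head == "group-policy":
            cfg.group_policies.setdefault(name, {})[words[0]] = " ".join(words[1:])
        elif head == "tunnel-group":
            cfg.tunnel_groups.setdefault(name, {})[words[0]] = " ".join(words[1:])
    return cfg


def effective_policy(cfg: AsaConfig, tunnel_group: str, member_of: list) -> str:
    """Group-policy an authenticated user ends up with on this tunnel-group."""
    tg = cfg.tunnel_groups.get(tunnel_group, {})
    aaa_group = tg.get("authentication-server-group", "LOCAL")
    amap = cfg.attribute_maps.get(cfg.aaa_server_maps.get(aaa_group, ""), [])
    # Assumption: memberOf values are tried in the order AD returns them and the first
    # mapped one wins, so a user in both groups is decided by AD ordering, not the ASA.
    for dn in member_of:
        for mapped_dn, policy in amap:
            if dn.lower() == mapped_dn.lower():
                return policy
    return tg.get("default-group-policy", "DfltGrpPolicy")


def session_allowed(cfg: AsaConfig, policy: str) -> bool:
    """ASA default for vpn-simultaneous-logins is 3; only an explicit 0 denies."""
    logins = cfg.group_policies.get(policy, {}).get("vpn-simultaneous-logins", "3")
    return int(logins) > 0


def audit(cfg: AsaConfig) -> list:
    """One finding per LDAP-mapped tunnel-group whose fallback policy still admits users."""
    findings = []
    for name, tg in cfg.tunnel_groups.items():
        if tg.get("authentication-server-group") not in cfg.aaa_server_maps:
            continue  # no attribute map in play; outside this check's scope
        fallback = tg.get("default-group-policy", "DfltGrpPolicy")
        if session_allowed(cfg, fallback):
            findings.append(f"tunnel-group {name}: unmapped AD users fall back to "
                            f"{fallback}, which still permits logins")
    return findings


# Constructed memberOf values for the two kinds of user in the question.
ADMIN = ["CN=vpn-admins,OU=Groups,DC=domain,DC=local"]
USER = ["CN=vpn-users,OU=Groups,DC=domain,DC=local"]

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_asa(text)
        pol = effective_policy(cfg, "vpn0", ADMIN)
        print(f"{label}: vpn-admins member on vpn0 -> {pol}, allowed={session_allowed(cfg, pol)}")
        for finding in audit(cfg):
            print(f"  {finding}")
```

Run against the weak sample it reports both tunnel-groups, because a vpn-admins member on vpn0 (and a vpn-users member on vpn1) matches nothing in the map and lands in DfltGrpPolicy; against the fixed sample the same users land in NOACCESS and the audit is clean. On the real box the equivalent observation is `debug ldap 255` during a test login, which prints the memberOf values returned and the Group-Policy the map resolved to, or its absence.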