cisco asa anyconnect ldap map

I'm just curious. We have our Cisco ASA configured for use with Active Directory security groups. I have one connection profile and multiple group policies that map to certain security groups in AD. I'm curious: if a user happens to be a member of more than one security group, how does the ASA know which group policy to apply?
techlinden Asked:
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
It's top-to-bottom order.

If the VPN user ID matched on the top OU in AD, then the ASA won't check the next OUs in AD.
0

NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
For more info,

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Q. Are there limitations with ldap-attribute-maps and multi-valued attributes like AD memberOf?

A. Yes. Here, only AD is explained, but it applies to any LDAP server that uses multi-value attributes for policy decisions. The ldap-attribute-map has a limitation with multi-valued attributes like the AD memberOf. If a user is a memberOf of several AD groups (which is common) and the ldap-attribute-map matches more than one of them, the mapped value will be chosen based on the alphabetization of the matched entries. Since this behavior is not obvious or intuitive, it is important to have clear knowledge about how it works.


LDAP-MAP #1: Assume that this ldap-attribute-map is configured to map different ASA group-policies based on the memberOf setting:

ldap attribute-map Class
 map-name  memberOf Group-Policy
 map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup4
 map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup3
 map-value memberOf CN=Employees,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup2
 map-value memberOf CN=Engineering,CN=Users,OU=stbu,DC=cisco,DC=com ASAGroup1

In this case, matches will occur on all four group policy values (ASAGroup1 - ASAGroup4). However, the connection will be assigned to group-policy ASAGroup1 because it occurs first in alphabetical order.
0
techlinden, Author, Commented:
If we created multiple connection profiles, how would we make it so that a user in one connection profile couldn't use a different connection profile to get the same policy?

I created an additional profile for our contractors, but they can still use the other connection profile and get the same group policy.
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
//If we created multiple connection profiles, how would we make it so that a user in one connection profile couldn't use a different connection profile to get the same policy?//

As stated, the connection profile will be selected based on the number of characters in alphabetic order.

//I created an additional profile for our contractors, but they can still use the other connection profile and get the same group policy.//

Can you paste your LDAP profile configuration?

If your new profile name is very similar to the old one, then you may either remove the contract users from that group and use a new OU for contractors, or give another name to the new profile, which will be preferred most.
0
techlinden, Author, Commented:
It's the grouppolicy_sap. tunnel-group SAP type remote-access. Users can log into either the cjes tunnel profile or SAP and get the group policy for the SAP OU.


ldap attribute-map AD_VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=IT_Admin_Accounts,OU=CJES Admin,DC=CJES,DC=local" GroupPolicy_cjes_admin
  map-value memberOf "CN=SG_SAP_CONTRACTORS,OU=Security Groups,DC=CJES,DC=local" GroupPolicy_SAP
aaa-server cjes protocol ldap
  max-failed-attempts 5
aaa-server cjes (inside) host 10.1.50.70
0
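The selection rule quoted from the Cisco note above, applied to the asker's AD_VPN map, as an added illustration (not Cisco's code or anything from the thread): the map is bound to the LDAP aaa-server rather than to a connection profile, so every memberOf value with a map-value entry becomes a candidate, and when a user matches more than one entry the alphabetically first policy name wins. The users, their group memberships and the case-insensitive collation are constructed assumptions; the audit helper flags accounts whose policy is decided by that ordering rather than by a single intended group.

```python
from typing import Dict, List, Optional

# Copy of the attribute map posted in the thread (ASA ldap attribute-map syntax).
ATTRIBUTE_MAP = """
ldap attribute-map AD_VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=IT_Admin_Accounts,OU=CJES Admin,DC=CJES,DC=local" GroupPolicy_cjes_admin
  map-value memberOf "CN=SG_SAP_CONTRACTORS,OU=Security Groups,DC=CJES,DC=local" GroupPolicy_SAP
"""

# Constructed accounts with the memberOf values AD would return for them.
USERS: Dict[str, List[str]] = {
    "admin1": ["CN=IT_Admin_Accounts,OU=CJES Admin,DC=CJES,DC=local"],
    "contractor1": ["CN=SG_SAP_CONTRACTORS,OU=Security Groups,DC=CJES,DC=local",
                    "CN=Domain Users,CN=Users,DC=CJES,DC=local"],
    "dual1": ["CN=SG_SAP_CONTRACTORS,OU=Security Groups,DC=CJES,DC=local",
              "CN=IT_Admin_Accounts,OU=CJES Admin,DC=CJES,DC=local"],
}


def parse_attribute_map(config: str) -> Dict[str, str]:
    """Return {group DN (lowercased): group-policy} from the map-value lines.
    The DN may be quoted (it contains spaces) or bare; the policy is the last token."""
    mapping: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("map-value memberOf "):
            dn, policy = line[len("map-value memberOf "):].rsplit(None, 1)
            mapping[dn.strip('"').lower()] = policy  # LDAP DNs compare case-insensitively
    return mapping


def candidate_policies(member_of: List[str], mapping: Dict[str, str]) -> List[str]:
    """Every mapped policy the user qualifies for, ranked as the ASA would rank them.
    Assumption: plain case-insensitive alphabetical order; the Cisco note only says
    'alphabetization', so do not rely on letter case to order policy names."""
    hits = {mapping[dn.lower()] for dn in member_of if dn.lower() in mapping}
    return sorted(hits, key=str.lower)


def select_group_policy(member_of: List[str], mapping: Dict[str, str]) -> Optional[str]:
    """The one policy assigned to the session, or None when nothing matched
    (the session then gets the tunnel-group's default group-policy)."""
    ranked = candidate_policies(member_of, mapping)
    return ranked[0] if ranked else None


def ambiguous_users(users: Dict[str, List[str]], mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit: accounts matching more than one map-value, whose policy is set by name order."""
    ranked = {user: candidate_policies(groups, mapping) for user, groups in users.items()}
    return {user: policies for user, policies in ranked.items() if len(policies) > 1}
```

Run `ambiguous_users(USERS, parse_attribute_map(ATTRIBUTE_MAP))` against a real export of group memberships to find accounts whose assigned policy depends on naming rather than on the group you intended.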