Jeff,

On Mon, Jan 30, 2012 at 16:41:00, Jeff Kell wrote:
> Subject: [c-nsp] Quick (?) ASA VPN w/AD question...
>
> Trying to break some new ground on ASA 8.4(2) VPN configuration (quite a
> number of changes....)
>
> Need to map AD group membership onto a group policy selection.
>
> (1) Previous examples are using the Cisco name "IETF-Radius-Class" to
> map into the policy name, while 8.4(2) seems to want "Group Policy",
> saying that replaces IETF-Radius-Class.
>
> (2) You can now specify a "Group Base DN" for the group membership
> location, so I have "OU=Groups,DC=our,DC=domain,DC=specification".
>
> I don't seem to be getting hits on the group membership (memberOf) on any
> of:
>
> a) plain old group name (FOOBAR),
> b) qualified item name (CN=FOOBAR),
> c) fully-qualified group name
>    (CM=FOOBAR,OU=Groups,DC=our,DC=domain,DC=specification)
>
> Anyone crossed this bridge and kept notes they could share?
I have a fair amount of notes on 8.4.1 and below. I didn't see anything in the
release notes for 8.4.2 that hinted at a change in LDAP. Unless I'm confusing it
with another option, the group base DN is where the search for your users
starts. Unless you're using DAP, the matching is still in the traditional LDAP
map.

I've found the easiest way to find the proper groups is to start with
login@domain.local/com/whatever and password and query a username for
authorization. Here's an example:

    aaa-server LDAP (inside) host 192.168.168.168
     ldap-base-dn OU=Foo,DC=test,DC=local
     ldap-scope subtree
     ldap-login-password *****
     ldap-login-dn CN=ldapadmin,OU=Foo,DC=test,DC=local   (ldapadmin@test.local also works)
     server-type auto-detect
     ldap-attribute-map memberOf
    !
    test-fw1# debug ldap 255
    debug ldap enabled at level 255
    test-fw1# show run ldap
    ldap attribute-map department
    ldap attribute-map memberOf
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=cust1-test,OU=Foo,DC=test,DC=local" cust1-test
      map-value memberOf "CN=vpn_users,OU=Foo,DC=test,DC=local" work
    test-fw1# test aaa autho LDAP host 192.168.168.168 username rwest
    INFO: Attempting Authorization test to IP address <192.168.168.168> (timeout: 12 seconds)
    .
    .
    .
    [68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
    [68587]         mapped to IETF-Radius-Class: value = cust1-test
    [68587]         mapped to LDAP-Class: value = cust1-test
    [68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
    [68587]         mapped to IETF-Radius-Class: value = work
    [68587]         mapped to LDAP-Class: value = work

A couple of caveats on the testing: your primary POSIX group does not show up in
the LDAP query (usually Domain Users), and your first match is the winner
(unless you are using DAP policies that allow combining).

-ryan

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
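The reply's config and debug output illustrate two things worth checking before trusting an LDAP-to-group-policy mapping: the map-value has to be the group's full DN exactly as the directory returns it in memberOf (a bare "FOOBAR" or "CN=FOOBAR" never matches), and when a user is in several mapped groups the first match wins. The Python below is an added example, not code from the thread or from Cisco; it parses the `map-value` lines of an `ldap attribute-map` as shown in `show run ldap`, resolves a user's memberOf list the way that caveat describes, and cross-checks the `debug ldap 255` output against the map. It assumes the ASA compares the DN string exactly (the thread does not say whether case is normalised), and the config and debug text it embeds are constructed from the reply's sample.

```python
"""Model of an ASA ldap attribute-map resolving memberOf -> group policy.

Added example for the cisco-nsp thread above; not Cisco code.  Assumption:
the ASA matches the full memberOf DN string exactly against map-value.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the attribute map from the reply, as 'show run ldap' prints it.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map department
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=cust1-test,OU=Foo,DC=test,DC=local" cust1-test
  map-value memberOf "CN=vpn_users,OU=Foo,DC=test,DC=local" work
"""

# Constructed sample: the relevant lines of 'debug ldap 255' during 'test aaa autho'.
SAMPLE_DEBUG = """\
[68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587]         mapped to IETF-Radius-Class: value = cust1-test
[68587]         mapped to LDAP-Class: value = cust1-test
[68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587]         mapped to IETF-Radius-Class: value = work
[68587]         mapped to LDAP-Class: value = work
"""

MAP_VALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+"([^"]+)"\s+(\S+)\s*$')
DBG_MEMBEROF_RE = re.compile(r'^\[\d+\]\s+memberOf: value = (.+?)\s*$')
DBG_MAPPED_RE = re.compile(r'^\[\d+\]\s+mapped to IETF-Radius-Class: value = (\S+)\s*$')


def parse_map_values(config: str, attribute: str = "memberOf") -> Dict[str, str]:
    """Return {full_group_dn: mapped_value} for the map-value lines of one attribute.

    Insertion order is kept so callers can see the configured order too.
    """
    mapping: Dict[str, str] = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line)
        if m and m.group(1) == attribute:
            mapping[m.group(2)] = m.group(3)
    return mapping


def select_policy(member_of: List[str], mapping: Dict[str, str]) -> Optional[str]:
    """Walk the user's memberOf values in the order the directory returned them.

    The first value with an exact map-value is the winner (the reply's caveat);
    a value that is only the CN, or the CN=... fragment, does not match because
    the comparison is against the whole DN string.  None means no policy mapped.
    """
    for dn in member_of:
        if dn in mapping:
            return mapping[dn]
    return None


def parse_debug(output: str) -> List[Tuple[str, str]]:
    """Pair each 'memberOf: value = DN' line with the IETF-Radius-Class it mapped to."""
    pairs: List[Tuple[str, str]] = []
    current_dn: Optional[str] = None
    for line in output.splitlines():
        m = DBG_MEMBEROF_RE.match(line)
        if m:
            current_dn = m.group(1)
            continue
        m = DBG_MAPPED_RE.match(line)
        if m and current_dn is not None:
            pairs.append((current_dn, m.group(1)))
            current_dn = None
    return pairs


def debug_matches_config(output: str, config: str) -> bool:
    """True when every mapping the ASA reported agrees with the attribute map."""
    mapping = parse_map_values(config)
    return all(mapping.get(dn) == mapped for dn, mapped in parse_debug(output))


if __name__ == "__main__":
    mapping = parse_map_values(ATTRIBUTE_MAP_CONFIG)
    user_groups = [dn for dn, _ in parse_debug(SAMPLE_DEBUG)]
    print("policy for rwest:", select_policy(user_groups, mapping))
    print("debug agrees with config:", debug_matches_config(SAMPLE_DEBUG, ATTRIBUTE_MAP_CONFIG))
    # The three forms Jeff tried; only the full DN would ever match.
    for attempt in ["FOOBAR", "CN=FOOBAR", "CN=FOOBAR,OU=Groups,DC=our,DC=domain,DC=specification"]:
        print(repr(attempt), "->", select_policy([attempt], mapping))
```

Running the script against your own `show run ldap` and `debug ldap 255` capture makes the two failure modes visible: a DN that never appears in the debug output was not returned by the directory at all (the primary-group caveat), and a DN that appears but has no "mapped to" line beneath it has no matching map-value, usually because the configured string is not the full DN.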