Cisco ASA LDAP attribute-map: the things they didn’t write clearly

18/04/2014

The Cisco ASA introduced a feature that allows granular control of VPN access (in one form or another) based on LDAP group membership. This post comes after working through a number of configurations that just did not work or worked only sporadically. This configuration is based on AnyConnect Essentials SSL/IPSEC VPN authentication and access. I learnt that when it does not work, there are two possibilities:

1) It’s configured wrong

2) It’s a bug (this caused me 4 hours of head scratching on 8.4(5))

The configured LDAP attribute map is as follows:

ldap attribute-map LDAP-ATTRIB-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL GPO-ALLOW
  map-name  primaryGroupID Group-Policy
  map-value primaryGroupID 513 GPO-NOACCESS

The map-value line for the LDAP value “memberOf CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL” maps it to the VPN Group Policy GPO-ALLOW on the ASA. To deny any other users from connecting, “primaryGroupID 513” (Domain Users) is mapped to the VPN Group Policy GPO-NOACCESS on the ASA. The LDAP attribute map is then assigned to an AAA LDAP server group.

Your friend in this is the debug console, specifically “debug LDAP 255”. In the debug output you can see the LDAP groups being matched to the ASA Group Policies.

memberOf: value = CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL
mapped to Group-Policy: value = GPO-ALLOW
mapped to LDAP-Class: value = GPO-ALLOW

memberOf: value = CN=VPN_Users,OU=VPNUSER,OU=OX14_Users,DC=OX14,DC=LOCAL
mapped to Group-Policy: value = GPO-NOACCESS
mapped to LDAP-Class: value = GPO-NOACCESS
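
A small parser for the debug output shown above, as an added example that is not part of the original post: it pairs each LDAP attribute with the Group-Policy it was mapped to and flags a login where more than one policy was mapped. The sample text, the sAMAccountName line and the function names are constructed for illustration, and the optional leading [n] tag on each line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug LDAP 255" excerpt above.
SAMPLE_DEBUG = """\
memberOf: value = CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL
mapped to Group-Policy: value = GPO-ALLOW
mapped to LDAP-Class: value = GPO-ALLOW
sAMAccountName: value = jbloggs
primaryGroupID: value = 513
mapped to Group-Policy: value = GPO-NOACCESS
mapped to LDAP-Class: value = GPO-NOACCESS
"""

# Assumption: a line may carry a leading "[n]" session tag, which is skipped.
PREFIX = r"^\s*(?:\[\d+\]\s*)?"
ATTR_RE = re.compile(PREFIX + r"([\w-]+): value = (.*)$")
MAP_RE = re.compile(PREFIX + r"mapped to ([\w-]+): value = (.*)$")

def parse_mappings(debug_text, target="Group-Policy"):
    """Return [(ldap_attr, ldap_value, policy)] for each value mapped to target."""
    results, current = [], None
    for line in debug_text.splitlines():
        m = MAP_RE.match(line)
        if m:
            # A "mapped to" line refers to the attribute line just before it.
            if current and m.group(1) == target:
                results.append((*current, m.group(2).strip()))
            continue
        a = ATTR_RE.match(line)
        current = (a.group(1), a.group(2).strip()) if a else None
    return results

def audit(debug_text, deny_policy="GPO-NOACCESS"):
    """Summarise which policies were mapped and flag ambiguous results."""
    by_policy = defaultdict(list)
    for attr, value, policy in parse_mappings(debug_text):
        by_policy[policy].append(f"{attr}={value}")
    policies = sorted(by_policy)
    return {
        "policies": policies,
        "sources": dict(by_policy),
        # More than one distinct policy means the outcome depends on how the
        # ASA picks between them; confirm the effective policy on the session.
        "ambiguous": len(policies) > 1,
        "deny_mapped": deny_policy in by_policy,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DEBUG))
```

An empty "policies" list means no map-value line matched, so the user falls through to whatever policy applies by default.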

I’ll update this soon with a full point-and-click ASDM guide.