ISE 1.1.1 and additional LDAP attribute retrieval
Hello All,
I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via an External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
Can anyone help me with how this can be set up on ISE?
Thanks!
Regards
Karel Navratil
Yes, that's what I've tried, as I wrote in my first post, but ISE does not retrieve the attribute from LDAP.
Here are some screenshots:
authorization rule:
ldap attribute in external identity source:
and the logs:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11105 Request received from a device that is configured with KeyWrap in ISE.
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12209 Starting EAP chaining
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
22043 Current Identity Store does not support the authentication method; Skipping it
24210 Looking up User in Internal Users IDStore - test,host/test-pc
24216 The user is not found in the internal users identity store
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
11055 User name change detected for the session. Attributes for the session will be removed from the cache
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
22043 Current Identity Store does not support the authentication method; Skipping it
24210 Looking up User in Internal Users IDStore - test,host/test-pc
24216 The user is not found in the internal users identity store
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12201 Approved EAP-FAST client Machine PAC request
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12855 PAC was not sent due to authorization failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
So there is no information at all that ISE tries to retrieve anything from LDAP.
Regards
Karel
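The step log above is the evidence for the poster's conclusion: the identity policy picks Internal Endpoints, falls through to Active Directory, authentication passes, and the authorization policy then selects DenyAccess without any intervening step that mentions an LDAP identity source. The following script is an added example (not part of the thread and not an ISE tool) that parses ISE step logs of this shape and flags exactly that pattern. The sample log is a constructed excerpt of the codes posted above; the "LDAP" keyword match and the 11002 Access-Accept code are assumptions about how ISE phrases its steps, so treat the checks as a heuristic for reading ise.psc output, not as an ISE specification.

```python
import re

# Constructed excerpt of the step log from the thread (codes as posted there).
SAMPLE_LOG = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
22043 Current Identity Store does not support the authentication method; Skipping it
24210 Looking up User in Internal Users IDStore - test,host/test-pc
24216 The user is not found in the internal users identity store
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
"""

# ISE step lines are a five-digit code followed by free text; phase headers have no code.
STEP_RE = re.compile(r"^(?P<code>\d{5})\s+(?P<msg>.*)$")


def parse_steps(text):
    """Return a list of (code, message) tuples; phase headers get code None."""
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((m.group("code"), m.group("msg")) if m else (None, line))
    return steps


def summarize_flow(text):
    """Collapse a step log into the facts that matter for an authorization dispute."""
    summary = {
        "identity_stores": [],   # every store the identity policy selected
        "ad_authenticated": False,
        "ldap_contacted": False,  # heuristic: any step text naming LDAP
        "authz_profile": None,
        "authz_steps": [],        # codes logged after the authorization phase header
        "result": None,
    }
    phase = None
    for code, msg in parse_steps(text):
        if code is None:
            phase = msg
            continue
        if msg.startswith("Selected Identity Store - "):
            summary["identity_stores"].append(msg.split(" - ", 1)[1])
        if code in ("24402", "24470"):          # user / machine AD auth succeeded (from the log)
            summary["ad_authenticated"] = True
        if "LDAP" in msg.upper():               # assumption: LDAP steps name the protocol
            summary["ldap_contacted"] = True
        if phase == "Evaluating Authorization Policy":
            summary["authz_steps"].append(code)
            if msg.startswith("Selected Authorization Profile - "):
                summary["authz_profile"] = msg.split(" - ", 1)[1]
        if code == "11003":
            summary["result"] = "Access-Reject"
        elif code == "11002":                   # assumed: Returned RADIUS Access-Accept
            summary["result"] = "Access-Accept"
    return summary


def diagnose(text):
    """Explain a DenyAccess that was decided without any external attribute lookup."""
    s = summarize_flow(text)
    findings = []
    if s["ad_authenticated"] and not s["ldap_contacted"]:
        findings.append("authentication succeeded against AD but no LDAP step was logged: "
                        "the external attribute was never fetched")
    if s["authz_profile"] == "DenyAccess" and not s["ldap_contacted"]:
        findings.append("DenyAccess was selected without any attribute retrieval, so an "
                        "LDAP attribute condition could only have evaluated as unmatched")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```

Run against a full ise.psc export the same way: if `ldap_contacted` stays False while the authorization phase ends in DenyAccess, the policy condition never had data to match, which is the situation this thread describes.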
Similar Messages
What is the best way to update similar OID and OAM LDAP attributes via OIM?
Our environment uses OIM provisioning to an OID LDAP which is used by OAM.
For legacy purposes, we need to populate both the Oracle "orcl*" attributes and OAM "ob*" in cases where they have the same or similar usage.
Example: When a user is disabled in OIM we need to set orclisenabled="false" and obUserAccountControl="DEACTIVATED" in OID
What is the best way to accomplish this in OIM? My initial thought was to write a custom adapter, similar to the out-of-the-box OID Modify User adapter, which supports modifying multiple attributes.
Is there a better way?
You can create two tasks which will modify the two attributes in OID.
On the Disable User task, call task1, and on success of task1, call task2 (using the Task to Generate feature).
You can make use of the OOTB connector only.
Problem with getting LDAP attributes on ISE when EAPChaining is enabled
Hi All,
Has anybody an idea how to set up LDAP attribute retrieval with EAP Chaining enabled?
My scenario is:
- a user with AnyConnect (EAP-FAST) connects to the WLAN and sends their credentials
- ISE authenticates the username and password against Active Directory
- ISE should check whether the same userid has, in an LDAP directory (not AD, a different store), a special attribute which controls access to our WLAN
- if the attribute is found, then the authorization profile is matched.
This works when I disable EAP Chaining (Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...).
In logs I've found that the user was not found in LDAP, but the user exists.
Maybe the workaround can be if just user from EAPChaining is used and not also the hostname, then it could match. But I cannot find any similar parameter which returns only user.
Does anybody have an idea how to solve this?
Thanks!
K.
Hi,
This seems like a corner issue, because EAP-FAST with LDAP is not supported. LDAP as a protocol doesn't support hash-based authentication, hence the reason ISE is failing to hit the LDAP database.
Referencing ACS material since the ISE docs are not complete:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html
Sent from Cisco Technical Support Android App
OAM 11gR2 Authentication using username/password/additional ldap field
I want to add additional credential parameter along with username and password to be validated against LDAP.
Is there any out of the box solution for authentication using username/password/additional ldap field in OAM 11gR2?
This solution exists in 10g, and I could not find any OOB feature in 11g.
Do you need to accept an additional parameter from the user via the login form and then use it in the credential mapping step?
Not sure if the %% syntax would work... haven't tried it. The next option is to develop a custom authentication plugin.
Additional LDAP attribute against a static value:
If you need to add an additional LDAP attribute (checked against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
Take a look at "MTLDAPPlugin" under custom authentication modules.
Hope this helps
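The reply above recommends folding the extra attribute check into the LDAP search filter. The moment a filter is assembled from a value the user typed, the filter's own metacharacters become the risk: an unescaped `*` or `)` in the username changes what the filter matches instead of being matched literally. The example below is added here (it is not OAM's or the MTLDAPPlugin's code) and shows the naive string interpolation beside a hardened builder that validates the attribute description and escapes assertion values as RFC 4515 requires. The attribute name `wlanAccess` and the `uid` naming attribute are assumptions chosen for the demonstration.

```python
import re

# RFC 4515 requires these characters to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
# An attribute description is a name (letter, then letters/digits/hyphens) or a numeric OID.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so the server can only match it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(username: str, attr: str, value: str) -> str:
    """The pattern to avoid: raw interpolation of user input into the filter."""
    return f"(&(uid={username})({attr}={value}))"


def build_user_filter(username: str, attr: str, value: str) -> str:
    """Hardened form: validated attribute description, escaped assertion values.

    The static attribute check (attr=value) is ANDed with the user lookup, so an
    entry only matches when both the identity and the access attribute line up.
    """
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"(&(uid={escape_filter_value(username)})({attr}={escape_filter_value(value)}))"


if __name__ == "__main__":
    hostile = "*)(uid=*"   # constructed input that rewrites a naive filter
    print("naive:   ", naive_user_filter(hostile, "wlanAccess", "TRUE"))
    print("hardened:", build_user_filter(hostile, "wlanAccess", "TRUE"))
```

With the constructed input the naive filter becomes `(&(uid=*)(uid=*)(wlanAccess=TRUE))`, which matches any entry carrying the access flag rather than the one user; the hardened filter keeps the input inside a single, literal `uid` assertion.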
ISE 1.1.1 and LDAP debugging
Hello,
does ISE have any debug logs for LDAP communication during authorization, like obtaining attributes from the LDAP server?
Thanks.
Regards
Karel
Yes it does,
Here are the steps
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
If you scroll down there is a debug log level config section. Please set client, and the runtime to trace, reproduce, and download the ise.psc log.
Thanks
Sent from Cisco Technical Support iPad App
Using additional userprofile attributes from LDAP
Hi,
my users are inside an OpenDS LDAP-Server connected to SSGD 4.41 - all works fine.
I would like to store some additional SGD attributes like
UserProfile.Multiple = yes/no
(Multiple: Whether someone may log in using this user profile and whether this user profile will be shared by multiple users in the form of a "guest" account.)
also inside the LDAP (extending my own LDAP-schema).
Question: How can I tell SSGD to use this attribute UserProfile.Multiple from LDAP instead of looking into the local repository?
regards
Danny
Hi Danny,
I don't think you can do this, as user profile data is never read from the LDAP directory. LDAP users always have to be mapped to a local profile (from the SGD datastore), meaning that any attributes on the user object from the LDAP directory wouldn't be considered when evaluating a user's profile.
Does anyone else have a take on this?
-- DD
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
1. Without more specifics it is hard to determine the actual issue. It may be possible that, if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA. Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig
Address Book not showing all LDAP attributes
The Address Book does not provide access to all LDAP attributes. For example
homePhone
homePostalAddress
labeledURI
are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to Thunderbird, which allows the mapping of all the fields it knows about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the de facto standard, is rather due for a redesign.
I am just wondering if anybody else is having this problem and if they found a solution?
The script did not work for me:
python fixBirthdays
Traceback (most recent call last):
File "fixBirthdays", line 6, in <module>
import AddressBook
ImportError: No module named AddressBook
further, the particular one vcard that is misbehaving - i exported it, and opened in Tedit.
This is what I see for the date field:
item1.X-ABDATE;type=pref:2003-06-17
year is not negative either.
i unchecked and checked birthday calendar in iCal. exited iCal after uncheck, relaunched iCal and checked that option.
no show of the birthdate.
stumped.
Error 5398 Duplicate value addition in attribute ...
I'm seeing the following error messages in my error log and am not sure what to do about it since the reference guide does not list it. Solaris 8, DS 5.2.
ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "objectClass" of entry "ou=Configs, o=Contivity, o=vpn"
ERROR<5398> - Entry - conn=-1 op=-1 msgId=-1 - Duplicate value addition in attribute "objectClass" of entry "cn=14649, ou=Configs, o=Contivity, o=vpn"
Here are some historical events that may help shed light on things:
The errors are occurring on Searay. I have another LDAP server called Mantaray. Here is some historical data that may help shed light on the matter:
I wanted the DNS domain the LDAP was using changed on Searay so I configured searay:o=vpn for Master replication and created o=vpn on Mantaray and configured it as a consumer.
After the suffix was replicated I broke the replication and unconfigured Searay and then configured it. I then did the reverse and made Mantaray:o=vpn the master and Searay:o=vpn the consumer. I then broke the replication again and tried to get Multi-Master replication to work between the two servers. It took a few tries before things seemed to start working right.
This thread (http://swforum.sun.com/jive/thread.jspa?forumID=13&threadID=21473) seems similar, but I cannot find where the nsslapd-referral that kunal mehta mentions is located.
I did look at the dse.ldif for each server and both looked okay.
Inbound mail routing based on LDAP attribute mailsystem
Hi gents and ladies,
I have a small question ...
is it possible to route an email to a recipient based on an LDAP attribute like mailsystem or ldap attribute domain ?
We have an infrastructure with domino and Xchange. All users have a - so called - maindomain.net SMTP Address.
Is it possible to manage such routing via mail policies or message filters ?
Or is it just easy to realize this with an SMTP routing list? E.g. maindomain.net gets an entry in SMTP routing pointing to the Domino gateway ... and if no delivery is possible, the default gateway (Xchange gateway) would be used instead?
Thanks in advance for your help and hints.
Hello HPGroh2013,
I think I answered your question in the previous entry, at least it looks the same to me.
Regards,
Andreas
Word 2013 and Active Directory attributes
Hi,
I'm working with WS2008R2 SP1 AD and Office Standard 2013 on W7 SP1 x64. Our company wants to create .dotm/.dotx with automatic fields.
For example, we want that when a user opens a .dotx his name appears automatically. This one is easy it's the {AUTHOR \*MERGEFORMAT}.
But What we want to do is to do the same for the:
- street address
- email address
- the job title
All this information is in our Active Directory, but it seems that Word does not read the Active Directory info directly but some cached info on the computer.
So, is there a way or workaround to create some .dotx with the possibility to extract some AD field attributes attached to a user and at the end build a semi-automatic doc with the information of the user who has opened this .dotx/.dotm?
So far, the clues say that I have to write some VBA script, and there are two kinds of solution/workaround:
The first lead is:
To retrieve the user account properties from Active Directory, we have to turn to some VBA scripts, no way to achieve this via any built-in features.
As far as I know, you can bind to the user account object by using the
GetObject function and the LDAP provider.
Then use the GetInfo method to initialize the local cache with attributes of the user account object. This step will ensure that the most up-to-date attribute values of the ADSI object are retrieved.
For example:
Set objUser = GetObject _
("LDAP://...")
objUser.GetInfo
If you want to get this attributes when you create a new document based on a template (.dotx/.dotm), you'll need to use the
AutoNew macro.
the second lead is:
http://heureuxoli.developpez.com/office/word/creermodele/#L2-G
Thank you in advance for any kind of answer.
best regards
Hello,
Have you tried these two methods? What is the result and what is your decision?
If you're familiar with the Visual Studio IDE and .NET Framework, I would recommend that you create an application-level or document-level Add-In for Word, because it's easy to access AD with managed code, and it's suitable in your case. You can check the
MSDN document here for the related objects you need to use in .Net Framework to access AD:
https://msdn.microsoft.com/en-us/library/gg145037(v=vs.110).aspx
But if you just want to use VBA for Word, this kb article tells you how to do this via ADO connection:
https://support.microsoft.com/kb/187529/en-us?wa=wsignin1.0
If you want to know something about Active Directory itself, then it's not the correct forum, you can open up new thread in the AD forums for help.
Thanks for your understanding.
Roles Setting and Removing Resource Attributes
Hello All,
I have a quick question (Which I hope has a quick answer). I am trying to set up a role, so that when it is assigned to a user, sets an attribute value on an LDAP resource. Then, when the role is removed from the user, the attribute value is cleared. When setting up the role, I specified the resource as assigned, and then set the attribute. When I set the role on a user, it is successfully setting the value in the attribute. When I remove the role from the user, it is not removing the value in the attribute. Is there an easy way to do this?
Thanks!
Hi,
When setting the RoleAttribute you need to set "Authoritative Set to Value, Clear Existing"; then, when the Role is removed from the user, the attribute value is deprovisioned. Unfortunately this also has the effect of removing any other value that the attribute may have (especially true since many LDAP attributes are multi-valued).
HTH,
Paul Walker
Hi Friends,
Is it possible to read an LDAP attribute of a logged user from WD application running in portal? How and where to see all the available attributes in LDAP?
Thanks in advance
Nathan.
Hi Nathan,
Right now I am also working on using attribute values of LDAP users in a Web Dynpro application. You need to work with the UME API, which is available on SDN.
You will get the values in the Web Dynpro application through these APIs.
Thanks,
sahu
Windows LDAP attributes match for the Synology LDAP client profile filter.
I am having Windows server 2012 domain controller with LDAP enabled. I wish to enable LDAP client on Synology Diskstation to search for users and enable them access of shared folders of Synology. Hence, I have enabled the client which shows connected to the Windows LDAP service, but not populating any users.
Anybody figured out this? It requires profile settings. I'm finding difficult to identify the LDAP attributes match for the Synology profile filter attributes.
Refer following image.
This topic first appeared in the Spiceworks Community
Specify a Dynamic Access Profile with:
Criteria: User has ALL of the following AAA attribute values...
ldap.memberOf != GroupName
cisco.tunnelgroup = TunnelGroupName
Should work
/K
AnyConnect and nested LDAP memberof
Hi
Below you will see that I have configured two memberOf mappings. The second is what I need help with.
The first AD group named VPN_CORP contains users that require access to our corporate office through VPN. This works fine.
However, I think it would be easier to administrate if I can drag user groups under the VPN_CORP group. I've created
this second "Finance users" mapping and placed an existing AD user group named 'Finance Users' under VPN_CORP.
My problem is this isn't working. Although the AD group "Finance Users" is under VPN_CORP, if I execute a domain 'find'
searching for my test user dfood, it doesn't show me that dfood is subordinate to group VPN_CORP, Finance Users but rather
only the original path where the user group Finance Users truly exists.
I know I can enter the full path to the true OU and this would work but this is defeating the purpose
of simplifying this.
I guess what I'm trying to ask is how can I configure this to traverse groups dropped into the
container VPN_CORP? Am I stuck adding users individually?
Sincerely
Jeff
ldap attribute-map ACME_LDAP_Map
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPN_CORP,CN=Users,DC=acme,DC=com CORP-Policy
map-value memberOf "CN=Finance Users,CN=VPN_CORP,CN=Users,DC=acme,DC=com" CORP-Policy
aaa-server LDAP_SRV_GRP (inside) host 10.8.16.140
server-port 636
ldap-base-dn DC=acme,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password .x.x.x.x.
ldap-login-dn XXXXXXXXXXXX
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map acme_LDAP_Map
I know this is from over a year ago and was wondering if anything had changed? I too am looking to try to use nested members for my VPN authentication.
Here is why... When our server group originally set the network up they created base groups. Then under each base group they created our different locations and placed users into those location levels. This made it easier for them to research issues with a specific group or supposedly run reports to give the security stuff for a specific location across the board. Right, wrong or indifferent, I am now trying to fit this into our new AnyConnect VPN deployment. I am going to have over 300 different users and have been asked to try to keep this method.
I noticed in the above that there was a reference to DAP? If that is the solution where can I find more information on how this works and how to set it up?
Brent
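Both posters in this thread run into the same property of Active Directory: nesting a group does not move it. The child group keeps its own DN where the object lives (the "original path" Jeff's search returns), and the nesting is recorded only as a link, the parent's `member` values and the child's `memberOf`. A user's `memberOf` attribute therefore lists direct groups only, so a `map-value memberOf` entry naming the parent group never matches a user who belongs to it through a child. The example below is added here (it is not ASA code and not from the thread) and shows the difference between that direct match and a transitive expansion over a constructed group snapshot; the group DNs for "Finance Users" and the user `alice`, and the cycle between the two groups, are assumptions made for the demonstration.

```python
from collections import deque

# Constructed snapshot of the directory: group DN -> direct member DNs.
# "Finance Users" keeps its own DN even though it is nested under VPN_CORP.
VPN_CORP = "CN=VPN_CORP,CN=Users,DC=acme,DC=com"
FINANCE = "CN=Finance Users,OU=Groups,DC=acme,DC=com"   # assumed location
USER_DFOOD = "CN=dfood,CN=Users,DC=acme,DC=com"
USER_ALICE = "CN=alice,CN=Users,DC=acme,DC=com"        # assumed direct member

GROUPS = {
    VPN_CORP: [FINANCE, USER_ALICE],
    FINANCE: [USER_DFOOD, VPN_CORP],   # constructed cycle: AD permits circular nesting
}

# What the thread's attribute-map expresses: parent group DN -> policy name.
ATTRIBUTE_MAP = {VPN_CORP: "CORP-Policy"}


def direct_member_of(dn, groups):
    """Equivalent of the memberOf attribute on an object: direct membership only."""
    return {group for group, members in groups.items() if dn in members}


def transitive_member_of(dn, groups):
    """Walk parent links breadth-first, tolerating cycles, to get every enclosing group."""
    seen = set()
    queue = deque(direct_member_of(dn, groups))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for parent in direct_member_of(group, groups):
            if parent not in seen:
                queue.append(parent)
    return seen


def resolve_policy(user_dn, groups, attribute_map, nested=False):
    """Return the first mapped policy whose group the user belongs to, or None.

    nested=False mirrors a memberOf value match (direct groups only);
    nested=True evaluates the same map against the transitive closure.
    """
    membership = transitive_member_of(user_dn, groups) if nested else direct_member_of(user_dn, groups)
    for group_dn, policy in attribute_map.items():
        if group_dn in membership:
            return policy
    return None


if __name__ == "__main__":
    for user in (USER_DFOOD, USER_ALICE):
        print(user.split(",")[0],
              "direct:", resolve_policy(user, GROUPS, ATTRIBUTE_MAP),
              "nested:", resolve_policy(user, GROUPS, ATTRIBUTE_MAP, nested=True))
```

`dfood` resolves to no policy under the direct match and to `CORP-Policy` under the transitive one, which is exactly the gap the thread describes; a mapping that must honour nesting has to be evaluated somewhere that expands the parent links, as the DAP reply earlier on the page suggests, rather than against the raw `memberOf` values.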