Hi Kings,

I might not have understood your question correctly and am confused whether you use LDAP or RADIUS as the aaa-server in ASA.

When you create a user in Windows AD the user should belong to a certain OU. The default OU is Users if I'm not mistaken. If you run a dsquery against a user, e.g. a test user, then the query should return all user attributes. For example, I have a user named "ASA" in the Users OU. The query will return the following (watch that Users is a CN, not an OU; go figure why Microsoft did it this way):

    C:\>dsquery user -samid ASA
    "CN=ASA,CN=Users,DC=com2see,DC=com"

If you move the ASA user from the Users OU to a custom OU, e.g. Staff, then the query will return the OU part:

    C:\>dsquery user -samid ASA
    "CN=ASA,OU=Staff,DC=com2see,DC=com"

So, if any user makes a connection to the ASA, let's say via VPN, and you want to use the so-called class 25 IETF RADIUS attribute and an LDAP attribute map to map this user to a particular ASA group-policy, then you always have to watch the return from the AD. This return/reply will always list the user membership in AD. You'll always see at least the "CN=Users,DC=domain,DC=com" part.

Run "debug ldap" on the ASA and watch the reply from AD. This should match the output of "dsquery" run in the AD. Then your LDAP attribute map on the ASA should look like this:

    ldap attribute-map LDAP-MAP
      map-name memberOf IETF-Radius-Class
      map-value memberOf "CN=Users,DC=domain,DC=com" GROUP-POLICY-NAME

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: 29 March 2012 09:26
To: [email protected]
Subject: [OSL | CCIE_Security] Mapping ldap user or Active directory user to ACS Group

Hi all,

By default, if we create a user in Windows, they are part of the "domain users" group. When we use LDAP or Active Directory for authenticating unknown users, we have an option in ACS to map the users to an ACS local group. The issue that I am facing is that I am not able to map users that are part of "domain users" to any group. The reason is that Windows doesn't send the attribute "member-of = domain users" for users that are part of "domain users", and they always fall into the default group.

Any comments?

With regards
Kings
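The following is an added worked example, not code from the thread or from Cisco or Microsoft. It simulates the core of what the two messages above discuss: an LDAP attribute map matches the group DNs in the memberOf attribute that AD returns for the user (the values "debug ldap" shows) against map-value entries and picks a group-policy, falling back to a default when nothing matches. The AD replies, the map-values, the group-policy names and the "first map-value that matches wins" ordering are all constructed assumptions for the illustration, not verified ASA behaviour. The second reply shows Kings' case: a user whose only group is the primary group ("Domain Users", RID 513) has an empty memberOf, because AD records the primary group in primaryGroupID rather than in memberOf, so a memberOf-based map can never match it. The optional primaryGroupID resolution at the end shows what an identity source would have to do to make that membership visible; it is not something the ASA map does for you.

```python
"""Simulate an LDAP attribute map (memberOf -> group-policy) applied to
the attributes Active Directory returns for a user.

Added example; the replies, DNs and policy names below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed AD replies, shaped like the attributes "debug ldap" would show.
AD_REPLY_STAFF = {
    "dn": "CN=ASA,OU=Staff,DC=com2see,DC=com",
    "sAMAccountName": ["ASA"],
    "primaryGroupID": ["513"],
    "memberOf": [
        "CN=VPN-Users,OU=Groups,DC=com2see,DC=com",
        "CN=Domain Admins,CN=Users,DC=com2see,DC=com",
    ],
}
AD_REPLY_DOMAIN_USERS_ONLY = {
    "dn": "CN=bob,CN=Users,DC=com2see,DC=com",
    "sAMAccountName": ["bob"],
    "primaryGroupID": ["513"],
    # Empty: AD does not list a user's primary group in memberOf.
    "memberOf": [],
}

# Constructed attribute map, one (map-value DN, group-policy) pair per line,
# in the order they would appear under "ldap attribute-map".
ATTRIBUTE_MAP: List[Tuple[str, str]] = [
    ("CN=VPN-Users,OU=Groups,DC=com2see,DC=com", "GP-VPN-USERS"),
    ("CN=Domain Admins,CN=Users,DC=com2see,DC=com", "GP-ADMINS"),
    ("CN=Domain Users,CN=Users,DC=com2see,DC=com", "GP-DOMAIN-USERS"),
]
DEFAULT_GROUP_POLICY = "DfltGrpPolicy"

# Constructed lookup: primaryGroupID RID -> group DN (513 is Domain Users).
PRIMARY_GROUPS: Dict[str, str] = {
    "513": "CN=Domain Users,CN=Users,DC=com2see,DC=com",
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (handles 'CN=Smith\\, John')."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pair intact
            buf.append(c)
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: AD DNs are case-insensitive and
    may carry spaces after the separating commas."""
    return ",".join(p.lower() for p in split_dn(dn))


def parent_container(user_dn: str) -> str:
    """Container the user sits in, e.g. OU=Staff,... or CN=Users,...
    (the CN-vs-OU distinction the dsquery output above shows)."""
    return ",".join(split_dn(user_dn)[1:])


def effective_groups(reply: dict, rid_to_dn: Optional[Dict[str, str]] = None) -> List[str]:
    """memberOf values, optionally plus the primary group resolved from
    primaryGroupID (something the AD reply itself never does)."""
    groups = list(reply.get("memberOf", []))
    rid = reply.get("primaryGroupID", [None])[0]
    if rid_to_dn and rid in rid_to_dn:
        groups.append(rid_to_dn[rid])
    return groups


def select_group_policy(reply: dict, attribute_map: List[Tuple[str, str]],
                        default: str,
                        rid_to_dn: Optional[Dict[str, str]] = None) -> str:
    """First map-value (in map order) whose DN appears among the user's
    groups wins; otherwise the default group-policy applies.
    The ordering rule is an assumption of this simulation."""
    groups = {normalize_dn(g) for g in effective_groups(reply, rid_to_dn)}
    for dn, policy in attribute_map:
        if normalize_dn(dn) in groups:
            return policy
    return default


if __name__ == "__main__":
    for reply in (AD_REPLY_STAFF, AD_REPLY_DOMAIN_USERS_ONLY):
        print(reply["sAMAccountName"][0], parent_container(reply["dn"]),
              select_group_policy(reply, ATTRIBUTE_MAP, DEFAULT_GROUP_POLICY),
              select_group_policy(reply, ATTRIBUTE_MAP, DEFAULT_GROUP_POLICY, PRIMARY_GROUPS))
```

Running it shows the "ASA" user landing in GP-VPN-USERS from its memberOf values, while "bob", who is only in Domain Users, gets DfltGrpPolicy unless primaryGroupID is resolved into a group DN first. Comparing the DNs after normalization matters in practice: the values in a "debug ldap" reply and the map-value you typed must agree after case and spacing are ignored, and a DN with an escaped comma in a CN must not be split in the middle.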