I was talking about a different issue. On CLN, I have discussed this issue and got the solution.
https://learningnetwork.cisco.com/message/223095#223095

With regards
Kings

On Fri, Mar 30, 2012 at 7:35 AM, Eugene Pefti <[email protected]> wrote:

> Hi Kings,
>
> I might not have understood correctly your question and confused whether
> you use LDAP or RADIUS as aaa-server in ASA.
>
> When you create a user in Windows AD the user should belong to a certain
> OU. The default OU is Users if I'm not mistaken. If you run a dsquery
> against a user, e.g. a test user, then the query should return all user
> attributes.
>
> For example, I have a user named "ASA" in the Users OU. The query will return
> the following (watch that Users is CN, not OU; go figure with this
> Microsoft why they did it this way).
>
> C:\>dsquery user -samid ASA
> "CN=ASA,CN=Users,DC=com2see,DC=com"
>
> If you move the ASA user from the Users OU to a custom OU, e.g. Staff, then
> the query will return the OU part:
>
> C:\>dsquery user -samid ASA
> "CN=ASA,OU=Staff,DC=com2see,DC=com"
>
> So, if any user makes a connection to the ASA, let's say via VPN, and you want
> to use a so-called class 25 IETF RADIUS attribute and use an LDAP attribute
> map to map this user to a particular ASA group-policy, then you always have
> to watch the return from the AD. This return/reply will always list the
> user membership in AD. You'll always see at least the
> "CN=Users,DC=domain,DC=com" part.
>
> Run "debug ldap" on the ASA and watch the reply from AD. This should
> match the output of "dsquery" run in the AD. Then your LDAP attribute
> map on the ASA should look like this:
>
> ldap attribute-map LDAP-MAP
>  map-name memberOf IETF-Radius-Class
>  map-value memberOf "CN=Users,DC=domain,DC=com" GROUP-POLICY-NAME
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: 29 March 2012 09:26
> To: [email protected]
> Subject: [OSL | CCIE_Security] Mapping ldap user or Active directory user to ACS Group
>
> Hi all
>
> By default, if we create a user in Windows, they are part of the "domain
> users" group. When we use ldap or active directory for authenticating
> unknown users, we have the option in ACS to map the users to an ACS local group.
>
> The issue that I am facing is that I am not able to map users that are
> part of "domain users" to any group. The reason is that Windows doesn't
> send the attribute "member-of = domain users" for users that are part of
> "domain users", and they always fall into the default group.
>
> Any comments?
>
> With regards
> Kings
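The thread turns on what AD actually hands back for a user and how an attribute map matches it. The following is an added example, not code from the thread, from Cisco, or from the list: a small Python model of an ASA-style `ldap attribute-map` (map-name / map-value lines) applied to constructed AD lookup results. The directory entries, user names, group DNs and group-policy names are all made up. Two facts about AD it relies on are real: group memberships come back in the multi-valued `memberOf` attribute as group DNs, and the user's primary group (Domain Users by default) is not listed in `memberOf` but is recorded as a RID in `primaryGroupID` (513 for Domain Users), which is exactly why a Domain-Users-only account shows no `memberOf` value and lands in the default policy. First-match-wins and case-insensitive value comparison are assumptions of the model, not documented ASA behaviour, and the extra `primaryGroupID` rule is a hypothetical illustration; whether a given ASA release accepts that attribute in a map is not something the thread establishes.

```python
"""Model of how an ASA-style LDAP attribute map turns an AD lookup into a
group-policy choice.  Added example, not code from the thread or from Cisco.

The directory entries below are constructed.  AD returns a user's group
memberships in the multi-valued memberOf attribute as group DNs; the user's
*primary* group (Domain Users by default) is not listed in memberOf but is
recorded as a RID in primaryGroupID.  First-match-wins and case-insensitive
value comparison are assumptions of this model, not documented ASA behaviour.
"""
from dataclasses import dataclass, field

DEFAULT_POLICY = "DfltGrpPolicy"      # ASA's built-in fallback group-policy
DOMAIN_USERS_RID = "513"              # well-known RID of Domain Users


@dataclass
class LdapAttributeMap:
    """Equivalent of 'ldap attribute-map NAME' with map-name/map-value lines."""
    name: str
    # ldap attribute (lower-cased) -> {attribute value (lower-cased) -> group-policy}
    rules: dict = field(default_factory=dict)

    def map_value(self, ldap_attr: str, value: str, group_policy: str) -> None:
        """Record a 'map-value <attr> "<value>" <group-policy>' line."""
        self.rules.setdefault(ldap_attr.lower(), {})[value.lower()] = group_policy

    def apply(self, entry: dict) -> str:
        """Return the group-policy selected for an AD entry, or the default.

        entry maps attribute name -> list of values, as 'debug ldap' shows them.
        """
        for attr, values in entry.items():
            table = self.rules.get(attr.lower())
            if not table:
                continue
            for value in values:
                policy = table.get(value.lower())
                if policy is not None:
                    return policy
        return DEFAULT_POLICY


# Constructed AD lookup results; only the attributes relevant here are kept.
AD_USERS = {
    "staff1": {
        "distinguishedName": ["CN=staff1,OU=Staff,DC=example,DC=com"],
        "memberOf": ["CN=VPN-Staff,OU=Staff,DC=example,DC=com"],
        "primaryGroupID": [DOMAIN_USERS_RID],
    },
    "admin1": {
        "distinguishedName": ["CN=admin1,CN=Users,DC=example,DC=com"],
        "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"],
        "primaryGroupID": [DOMAIN_USERS_RID],
    },
    # A user whose only group is Domain Users: memberOf comes back empty.
    "plain1": {
        "distinguishedName": ["CN=plain1,CN=Users,DC=example,DC=com"],
        "memberOf": [],
        "primaryGroupID": [DOMAIN_USERS_RID],
    },
}


def memberof_only_map() -> LdapAttributeMap:
    """Map keyed on memberOf alone, as in the thread."""
    m = LdapAttributeMap("LDAP-MAP")
    m.map_value("memberOf", "CN=VPN-Staff,OU=Staff,DC=example,DC=com", "GP-STAFF")
    m.map_value("memberOf", "CN=Domain Admins,CN=Users,DC=example,DC=com", "GP-ADMIN")
    return m


def with_primary_group_map() -> LdapAttributeMap:
    """Same map plus a hypothetical rule on primaryGroupID, so accounts whose
    only group is Domain Users get a policy instead of the default."""
    m = memberof_only_map()
    m.map_value("primaryGroupID", DOMAIN_USERS_RID, "GP-DOMAIN-USERS")
    return m


def resolve(user: str, attr_map: LdapAttributeMap) -> str:
    """Policy the map selects for the named constructed user."""
    return attr_map.apply(AD_USERS[user])


if __name__ == "__main__":
    for name in AD_USERS:
        print(f"{name:7} memberOf-only -> {resolve(name, memberof_only_map()):14}"
              f" with primaryGroupID -> {resolve(name, with_primary_group_map())}")
```

Running it shows `plain1` falling to `DfltGrpPolicy` under the memberOf-only map, which is the behaviour Kings describes, while `staff1` and `admin1` match their group DNs. Because every domain account carries `primaryGroupID` 513, a rule on it acts as a catch-all, so in the model it only fires after the `memberOf` rules have been tried; on a real ASA, compare the map against the attributes shown by `debug ldap` before relying on any particular precedence.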
