LDAP Mapping Authorization

I am configuring LDAP attribute mapping on my ASA, which will authorize users depending on their attributes, and I have two users:
yohgonza, who should authorize properly after the LDAP attribute mapping matches.
AndrewS, who should not authorize because the LDAP attribute mapping does not match his attributes.
However, AndrewS is currently "bypassing" the LDAP attribute mapping and he's connecting as if he matched the LDAP, which he shouldn't.

tunnel-group DoDIL5-NMAdmin general-attributes
address-pool DoDIL5-NMAdmin
authorization-server-group AdminVPN
default-group-policy VPNDeny
authorization-required
username-from-certificate UPN

ldap attribute-map AdminVPN_AD_MAP
map-name  memberOf Group-Policy
map-value memberOf CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco DoDIL5NMAdmin


aaa-server AdminVPN protocol ldap
aaa-server AdminVPN (management) host 172.16.64.5
timeout 60
ldap-base-dn DC=il5,DC=dod,DC=cisco
ldap-group-base-dn CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn il5\bnd_vpn
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map AdminVPN_AD_MAP

No access:
group-policy VPNDeny internal
group-policy VPNDeny attributes
vpn-simultaneous-logins 0
exit

group-policy DoDIL5NMAdmin internal
group-policy DoDIL5NMAdmin attributes
banner value dodil5-vpncluster-1::DoD IL5 NMADMIN profile
dns-server value 172.16.64.5 172.16.65.5
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 10
vpn-idle-timeout alert-interval 5
vpn-session-timeout 720
vpn-session-timeout alert-interval 5
vpn-tunnel-protocol ikev2 l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock value DoDIL5-NMAdmin
pfs enable
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value il5.dod.cisco
split-dns none
gateway-fqdn value il5.dod.cisco
address-pools value DoDIL5-NMAdmin
webvpn
anyconnect mtu 1406
anyconnect modules value dart,nvm,umbrella,iseposture

This is the debug for yohgonza:

[-2147483568] Session Start
[-2147483568] New request Session, context 0x00007f88905113a8, reqType = Other
[-2147483568] Fiber started
[-2147483568] Creating LDAP context with uri=ldaps://172.16.64.5:636
[-2147483568] Connect to LDAP server: ldaps://172.16.64.5:636, status = Successful
[-2147483568] defaultNamingContext: value = DC=il5,DC=dod,DC=cisco
[-2147483568] supportedSASLMechanisms: value = GSSAPI
[-2147483568] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483568] supportedSASLMechanisms: value = EXTERNAL
[-2147483568] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483568] supportedLDAPVersion: value = 3
[-2147483568] supportedLDAPVersion: value = 2
[-2147483568] Binding as il5\bnd_vpn
[-2147483568] Performing Simple authentication for il5\bnd_vpn to 172.16.64.5
[-2147483568] LDAP Search:
        Base DN = [DC=il5,DC=dod,DC=cisco]
        Filter  = [cn=yohgonza]
        Scope   = [SUBTREE]
[-2147483568] User DN = [CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco]
[-2147483568] Talking to Active Directory server 172.16.64.5
[-2147483568] Reading password policy for yohgonza, dn:CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483568] Read bad password count 0
[-2147483568] LDAP Search:
        Base DN = [DC=il5,DC=dod,DC=cisco]
        Filter  = [cn=yohgonza]
        Scope   = [SUBTREE]
[-2147483568] Retrieved User Attributes:
[-2147483568]   objectClass: value = top
[-2147483568]   objectClass: value = person
[-2147483568]   objectClass: value = organizationalPerson
[-2147483568]   objectClass: value = user
[-2147483568]   cn: value = yohgonza
[-2147483568]   sn: value = Gonzalez
[-2147483568]   givenName: value = Yohan
[-2147483568]   distinguishedName: value = CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483568]   instanceType: value = 4
[-2147483568]   whenCreated: value = 20250213203700.0Z
[-2147483568]   whenChanged: value = 20250220170157.0Z
[-2147483568]   displayName: value = Yohan Gonzalez
[-2147483568]   uSNCreated: value = 1673424
[-2147483568]   memberOf: value = CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483568]           mapped to Group-Policy: value = DoDIL5NMAdmin
[-2147483568]           mapped to LDAP-Class: value = DoDIL5NMAdmin
[-2147483568]   uSNChanged: value = 1784810
[-2147483568]   name: value = yohgonza
[-2147483568]   objectGUID: value = i..#^.,J......uv
[-2147483568]   userAccountControl: value = 512
[-2147483568]   badPwdCount: value = 0
[-2147483568]   codePage: value = 0
[-2147483568]   countryCode: value = 0
[-2147483568]   badPasswordTime: value = 0
[-2147483568]   lastLogoff: value = 0
[-2147483568]   lastLogon: value = 0
[-2147483568]   pwdLastSet: value = 133839526203649139
[-2147483568]   primaryGroupID: value = 513
[-2147483568]   objectSid: value = ............]+..Zy..V.._....
[-2147483568]   accountExpires: value = 9223372036854775807
[-2147483568]   logonCount: value = 0
[-2147483568]   sAMAccountName: value = yohgonza
[-2147483568]   sAMAccountType: value = 805306368
[-2147483568]   userPrincipalName: value = yohgonza@il5.dod.cisco
[-2147483568]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=il5,DC=dod,DC=cisco
[-2147483568]   dSCorePropagationData: value = 16010101000000.0Z
[-2147483568]   lastLogonTimestamp: value = 133845445179194785
[-2147483568] Fiber exit Tx=520 bytes Rx=4427 bytes, status=1
[-2147483568] Session End
INFO: Authorization Successful

This is the debug ldap output for AndrewS:

[-2147483567] Session Start
[-2147483567] New request Session, context 0x00007f88905113a8, reqType = Other
[-2147483567] Fiber started
[-2147483567] Creating LDAP context with uri=ldaps://172.16.64.5:636
[-2147483567] Connect to LDAP server: ldaps://172.16.64.5:636, status = Successful
[-2147483567] supportedLDAPVersion: value = 3
[-2147483567] supportedLDAPVersion: value = 2
[-2147483567] Binding as il5\bnd_vpn
[-2147483567] Performing Simple authentication for il5\bnd_vpn to 172.16.64.5
[-2147483567] LDAP Search:
        Base DN = [DC=il5,DC=dod,DC=cisco]
        Filter  = [cn=AndrewS]
        Scope   = [SUBTREE]
[-2147483567] User DN = [CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco]
[-2147483567] Talking to Active Directory server 172.16.64.5
[-2147483567] Reading password policy for AndrewS, dn:CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483567] Read bad password count 1
[-2147483567] LDAP Search:
        Base DN = [DC=il5,DC=dod,DC=cisco]
        Filter  = [cn=AndrewS]
        Scope   = [SUBTREE]
[-2147483567] Retrieved User Attributes:
[-2147483567]   objectClass: value = top
[-2147483567]   objectClass: value = person
[-2147483567]   objectClass: value = organizationalPerson
[-2147483567]   objectClass: value = user
[-2147483567]   cn: value = AndrewS
[-2147483567]   sn: value = Singley
[-2147483567]   givenName: value = AndrewS
[-2147483567]   distinguishedName: value = CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483567]   instanceType: value = 4
[-2147483567]   whenCreated: value = 20241121215701.0Z
[-2147483567]   whenChanged: value = 20250217143050.0Z
[-2147483567]   displayName: value = AndrewS
[-2147483567]   uSNCreated: value = 384711
[-2147483567]   memberOf: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to LDAP-Class: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   uSNChanged: value = 1732990
[-2147483567]   name: value = AndrewS
[-2147483567]   objectGUID: value = .....5.M...A..j%
[-2147483567]   userAccountControl: value = 512
[-2147483567]   badPwdCount: value = 1
[-2147483567]   codePage: value = 0
[-2147483567]   countryCode: value = 0
[-2147483567]   badPasswordTime: value = 133783143029152612
[-2147483567]   lastLogoff: value = 0
[-2147483567]   lastLogon: value = 0
[-2147483567]   pwdLastSet: value = 133842762268063335
[-2147483567]   primaryGroupID: value = 513
[-2147483567]   objectSid: value = ............]+..Zy..V.._....
[-2147483567]   accountExpires: value = 9223372036854775807
[-2147483567]   logonCount: value = 0
[-2147483567]   sAMAccountName: value = AndrewS
[-2147483567]   sAMAccountType: value = 805306368
[-2147483567]   userPrincipalName: value = AndrewS@il5.dod.cisco
[-2147483567]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=il5,DC=dod,DC=cisco
[-2147483567]   dSCorePropagationData: value = 20250210155110.0Z
[-2147483567]   dSCorePropagationData: value = 20250206223049.0Z
[-2147483567]   dSCorePropagationData: value = 16010101000001.0Z
[-2147483567]   lastLogonTimestamp: value = 133842762508792775
[-2147483567] Fiber exit Tx=520 bytes Rx=6391 bytes, status=1
[-2147483567] Session End

What might I be doing wrong?
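An added audit script, not part of the original post or of Cisco's ASA code, that replays the attribute-map behaviour visible in the two debug outputs above: a memberOf value that matches a map-value rule is rewritten to the configured name, and every other value is passed through verbatim as a Group-Policy name that does not exist on the box. It parses `memberOf` lines out of pasted `debug ldap` output, resolves them against the posted `ldap attribute-map` and `group-policy` objects, and flags users whose resolved policies contain no configured policy (the AndrewS case); the sample debug excerpt is a constructed copy of a few lines from the post.

```python
import re
from typing import Dict, List

# map-value rules exactly as posted: (ldap attribute, ldap value) -> ASA value.
MAP_VALUES = {
    ("memberOf", "CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco"): "DoDIL5NMAdmin",
}
# group-policy objects that exist in the posted configuration.
CONFIGURED_POLICIES = {"VPNDeny", "DoDIL5NMAdmin"}

# Constructed excerpt in the format of the ASA `debug ldap` output shown above.
SAMPLE_DEBUG = """\
[-2147483567]   memberOf: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]           mapped to Group-Policy: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567]   memberOf: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
"""

DEBUG_RE = re.compile(r"^\[-?\d+\]\s+memberOf: value = (?P<dn>.+)$")


def parse_debug_member_of(debug_text: str) -> List[str]:
    """Collect the memberOf values a user returned, in the order the ASA logged them."""
    groups = []
    for line in debug_text.splitlines():
        match = DEBUG_RE.match(line.strip())
        if match:
            groups.append(match.group("dn"))
    return groups


def map_attribute(attr: str, value: str) -> str:
    """Mirror what the debug shows: a matching rule rewrites the value, anything
    else is passed through unchanged (so the raw DN becomes the 'policy' name)."""
    return MAP_VALUES.get((attr, value), value)


def audit_user(member_of: List[str]) -> Dict[str, object]:
    """Resolve every group and report whether any result is a real group-policy."""
    resolved = [map_attribute("memberOf", dn) for dn in member_of]
    matched = [name for name in resolved if name in CONFIGURED_POLICIES]
    return {
        "resolved": resolved,
        "matched_policies": matched,
        "unmatched_count": len(resolved) - len(matched),
        # No configured policy resolved: the tunnel-group fallback decides access,
        # so this is the case to verify on the ASA rather than assume it denies.
        "verdict": "mapped" if matched else "no configured policy (check fallback)",
    }


def unconfigured_map_targets() -> List[str]:
    """Map rules whose target policy name does not exist on the ASA (a typo check)."""
    return sorted(t for t in set(MAP_VALUES.values()) if t not in CONFIGURED_POLICIES)
```

Feed the full AndrewS debug into `parse_debug_member_of` to see every pass-through DN listed under `resolved`, and keep `unconfigured_map_targets()` empty whenever the attribute map or group-policy names change.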

Hello Johan

I am not as familiar with LDAP and how it operates in conjunction with the ASA, but I will do my best to give you whatever guidelines I can.

Based on what you shared, it seems that AndrewS shouldn’t be authorized but is granted VPN access. Despite not being in CN=op_vpn_admin, his LDAP groups are mapped in a way that inadvertently allows authorization.

It seems that there is an incorrect ldap-group-base-dn. Your aaa-server configuration specifies ldap-group-base-dn as the specific group CN=op_vpn_admin..., which restricts LDAP group searches to this DN. Instead, this should be set to the parent container where all relevant groups reside (e.g., OU=groups,DC=il5,DC=dod,DC=cisco). This misconfiguration causes the ASA to ignore all other group memberships outside op_vpn_admin, bypassing proper authorization checks.

The VPNDeny group-policy has vpn-simultaneous-logins 0, which should block access. However, authorization is succeeding for AndrewS because the ASA is interpreting the LDAP response as valid (despite no mapped group-policy existing), allowing the tunnel-group’s default-group-policy (which might not enforce strict denial).

I hope that this analysis will give you a bit more insight into your configuration to see if it can be corrected. Let us know how you get along!

I hope this has been helpful!

Laz