I am configuring LDAP attribute mapping on my ASA, which authorizes depending on the attributes, and I have two users:
yohgonza, who should authorize properly because the LDAP attribute mapping matches.
AndrewS, who should not authorize because the LDAP attribute mapping does not match her attributes.
However, AndrewS is currently “bypassing” the LDAP attribute mapping and is connecting as if she matched the LDAP attribute map, which she shouldn’t.
tunnel-group DoDIL5-NMAdmin general-attributes
 address-pool DoDIL5-NMAdmin
 authorization-server-group AdminVPN
 default-group-policy VPNDeny
 authorization-required
 username-from-certificate UPN

ldap attribute-map AdminVPN_AD_MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco DoDIL5NMAdmin

aaa-server AdminVPN protocol ldap
aaa-server AdminVPN (management) host 172.16.64.5
 timeout 60
 ldap-base-dn DC=il5,DC=dod,DC=cisco
 ldap-group-base-dn CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn il5\bnd_vpn
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map AdminVPN_AD_MAP
No access
group-policy VPNDeny internal
group-policy VPNDeny attributes
 vpn-simultaneous-logins 0
 exit

group-policy DoDIL5NMAdmin internal
group-policy DoDIL5NMAdmin attributes
 banner value dodil5-vpncluster-1::DoD IL5 NMADMIN profile
 dns-server value 172.16.64.5 172.16.65.5
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 10
 vpn-idle-timeout alert-interval 5
 vpn-session-timeout 720
 vpn-session-timeout alert-interval 5
 vpn-tunnel-protocol ikev2 l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock value DoDIL5-NMAdmin
 pfs enable
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value il5.dod.cisco
 split-dns none
 gateway-fqdn value il5.dod.cisco
 address-pools value DoDIL5-NMAdmin
 webvpn
  anyconnect mtu 1406
  anyconnect modules value dart,nvm,umbrella,iseposture
This is the debug for yohgonza:
[-2147483568] Session Start
[-2147483568] New request Session, context 0x00007f88905113a8, reqType = Other
[-2147483568] Fiber started
[-2147483568] Creating LDAP context with uri=ldaps://172.16.64.5:636
[-2147483568] Connect to LDAP server: ldaps://172.16.64.5:636, status = Successful
[-2147483568] defaultNamingContext: value = DC=il5,DC=dod,DC=cisco
[-2147483568] supportedSASLMechanisms: value = GSSAPI
[-2147483568] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483568] supportedSASLMechanisms: value = EXTERNAL
[-2147483568] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483568] supportedLDAPVersion: value = 3
[-2147483568] supportedLDAPVersion: value = 2
[-2147483568] Binding as il5\bnd_vpn
[-2147483568] Performing Simple authentication for il5\bnd_vpn to 172.16.64.5
[-2147483568] LDAP Search:
Base DN = [DC=il5,DC=dod,DC=cisco]
Filter = [cn=yohgonza]
Scope = [SUBTREE]
[-2147483568] User DN = [CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco]
[-2147483568] Talking to Active Directory server 172.16.64.5
[-2147483568] Reading password policy for yohgonza, dn:CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483568] Read bad password count 0
[-2147483568] LDAP Search:
Base DN = [DC=il5,DC=dod,DC=cisco]
Filter = [cn=yohgonza]
Scope = [SUBTREE]
[-2147483568] Retrieved User Attributes:
[-2147483568] objectClass: value = top
[-2147483568] objectClass: value = person
[-2147483568] objectClass: value = organizationalPerson
[-2147483568] objectClass: value = user
[-2147483568] cn: value = yohgonza
[-2147483568] sn: value = Gonzalez
[-2147483568] givenName: value = Yohan
[-2147483568] distinguishedName: value = CN=yohgonza,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483568] instanceType: value = 4
[-2147483568] whenCreated: value = 20250213203700.0Z
[-2147483568] whenChanged: value = 20250220170157.0Z
[-2147483568] displayName: value = Yohan Gonzalez
[-2147483568] uSNCreated: value = 1673424
[-2147483568] memberOf: value = CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483568] mapped to Group-Policy: value = DoDIL5NMAdmin
[-2147483568] mapped to LDAP-Class: value = DoDIL5NMAdmin
[-2147483568] uSNChanged: value = 1784810
[-2147483568] name: value = yohgonza
[-2147483568] objectGUID: value = i..#^.,J......uv
[-2147483568] userAccountControl: value = 512
[-2147483568] badPwdCount: value = 0
[-2147483568] codePage: value = 0
[-2147483568] countryCode: value = 0
[-2147483568] badPasswordTime: value = 0
[-2147483568] lastLogoff: value = 0
[-2147483568] lastLogon: value = 0
[-2147483568] pwdLastSet: value = 133839526203649139
[-2147483568] primaryGroupID: value = 513
[-2147483568] objectSid: value = ............]+..Zy..V.._....
[-2147483568] accountExpires: value = 9223372036854775807
[-2147483568] logonCount: value = 0
[-2147483568] sAMAccountName: value = yohgonza
[-2147483568] sAMAccountType: value = 805306368
[-2147483568] userPrincipalName: value = yohgonza@il5.dod.cisco
[-2147483568] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=il5,DC=dod,DC=cisco
[-2147483568] dSCorePropagationData: value = 16010101000000.0Z
[-2147483568] lastLogonTimestamp: value = 133845445179194785
[-2147483568] Fiber exit Tx=520 bytes Rx=4427 bytes, status=1
[-2147483568] Session End
INFO: Authorization Successful
This is the debug ldap output for AndrewS:
[-2147483567] Session Start
[-2147483567] New request Session, context 0x00007f88905113a8, reqType = Other
[-2147483567] Fiber started
[-2147483567] Creating LDAP context with uri=ldaps://172.16.64.5:636
[-2147483567] Connect to LDAP server: ldaps://172.16.64.5:636, status = Successful
[-2147483567] supportedLDAPVersion: value = 3
[-2147483567] supportedLDAPVersion: value = 2
[-2147483567] Binding as il5\bnd_vpn
[-2147483567] Performing Simple authentication for il5\bnd_vpn to 172.16.64.5
[-2147483567] LDAP Search:
Base DN = [DC=il5,DC=dod,DC=cisco]
Filter = [cn=AndrewS]
Scope = [SUBTREE]
[-2147483567] User DN = [CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco]
[-2147483567] Talking to Active Directory server 172.16.64.5
[-2147483567] Reading password policy for AndrewS, dn:CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483567] Read bad password count 1
[-2147483567] LDAP Search:
Base DN = [DC=il5,DC=dod,DC=cisco]
Filter = [cn=AndrewS]
Scope = [SUBTREE]
[-2147483567] Retrieved User Attributes:
[-2147483567] objectClass: value = top
[-2147483567] objectClass: value = person
[-2147483567] objectClass: value = organizationalPerson
[-2147483567] objectClass: value = user
[-2147483567] cn: value = AndrewS
[-2147483567] sn: value = Singley
[-2147483567] givenName: value = AndrewS
[-2147483567] distinguishedName: value = CN=AndrewS,OU=usr,OU=accounts,DC=il5,DC=dod,DC=cisco
[-2147483567] instanceType: value = 4
[-2147483567] whenCreated: value = 20241121215701.0Z
[-2147483567] whenChanged: value = 20250217143050.0Z
[-2147483567] displayName: value = AndrewS
[-2147483567] uSNCreated: value = 384711
[-2147483567] memberOf: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_cases,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_sailpoint,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_secrets,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_burp,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_dsm,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_aqua,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_sc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_nessus,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_cert_auth,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_compliance,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_servicenow,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_siem,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_devops,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to Group-Policy: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] mapped to LDAP-Class: value = CN=op_hlg_identity,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] uSNChanged: value = 1732990
[-2147483567] name: value = AndrewS
[-2147483567] objectGUID: value = .....5.M...A..j%
[-2147483567] userAccountControl: value = 512
[-2147483567] badPwdCount: value = 1
[-2147483567] codePage: value = 0
[-2147483567] countryCode: value = 0
[-2147483567] badPasswordTime: value = 133783143029152612
[-2147483567] lastLogoff: value = 0
[-2147483567] lastLogon: value = 0
[-2147483567] pwdLastSet: value = 133842762268063335
[-2147483567] primaryGroupID: value = 513
[-2147483567] objectSid: value = ............]+..Zy..V.._....
[-2147483567] accountExpires: value = 9223372036854775807
[-2147483567] logonCount: value = 0
[-2147483567] sAMAccountName: value = AndrewS
[-2147483567] sAMAccountType: value = 805306368
[-2147483567] userPrincipalName: value = AndrewS@il5.dod.cisco
[-2147483567] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=il5,DC=dod,DC=cisco
[-2147483567] dSCorePropagationData: value = 20250210155110.0Z
[-2147483567] dSCorePropagationData: value = 20250206223049.0Z
[-2147483567] dSCorePropagationData: value = 16010101000001.0Z
[-2147483567] lastLogonTimestamp: value = 133842762508792775
[-2147483567] Fiber exit Tx=520 bytes Rx=6391 bytes, status=1
[-2147483567] Session End
What might I be doing wrong?
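The following is an added example, not code from the original post or from Cisco. It models the attribute-map step that the two debug transcripts above show: the ASA prints each memberOf DN it retrieves, a map-value that matches is rewritten to the configured group-policy name, and a DN that matches nothing is passed through unchanged as the Group-Policy value (exactly what the AndrewS transcript shows, where the raw DNs of op_vpn_user and the op_hlg_* groups appear after "mapped to Group-Policy"). The script parses those lines from constructed samples taken from the transcripts, applies a table equivalent to AdminVPN_AD_MAP, and resolves the group-policy the tunnel-group would apply: a mapped value that names an existing group-policy, otherwise the tunnel-group's default-group-policy. The fallback to the default group-policy is documented ASA behaviour; the "first matching value wins" rule used when several values match, and the exact (case-sensitive) string comparison, are assumptions of this model and do not matter for the two users here, who have one match and zero matches respectively.

```python
"""Model of the ASA 'ldap attribute-map' step as seen in 'debug ldap 255' output.

Added example (not from the original post or from Cisco).  Parses the
'memberOf: value = ...' lines, applies a map-name/map-value table equivalent
to AdminVPN_AD_MAP, and resolves which group-policy the tunnel-group applies.
"""
import re
from dataclasses import dataclass

# One debug line looks like: "[-2147483568] memberOf: value = CN=...,DC=cisco"
MEMBEROF_RE = re.compile(r"^\[-?\d+\] memberOf: value = (?P<dn>.+?)\s*$")

# Constructed sample input: a few lines copied from the two debug sessions.
DEBUG_YOHGONZA = """\
[-2147483568] uSNCreated: value = 1673424
[-2147483568] memberOf: value = CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483568] uSNChanged: value = 1784810
"""

DEBUG_ANDREWS = """\
[-2147483567] memberOf: value = CN=op_vpn_user,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_aadc,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
[-2147483567] memberOf: value = CN=op_hlg_remote_access_admin,OU=hlg,OU=groups,DC=il5,DC=dod,DC=cisco
"""

# Equivalent of:
#   ldap attribute-map AdminVPN_AD_MAP
#     map-name  memberOf Group-Policy
#     map-value memberOf CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco DoDIL5NMAdmin
ATTRIBUTE_MAP = {
    "memberOf": {
        "cisco_attr": "Group-Policy",
        "values": {
            "CN=op_vpn_admin,OU=svg,OU=groups,DC=il5,DC=dod,DC=cisco": "DoDIL5NMAdmin",
        },
    },
}

# group-policy objects that exist on the ASA and their vpn-simultaneous-logins.
GROUP_POLICIES = {"VPNDeny": 0, "DoDIL5NMAdmin": 1}
DEFAULT_GROUP_POLICY = "VPNDeny"   # tunnel-group ... default-group-policy VPNDeny


def parse_memberof(debug_text: str) -> list[str]:
    """Return the memberOf DNs in the order the ASA printed them."""
    return [m.group("dn") for line in debug_text.splitlines()
            if (m := MEMBEROF_RE.match(line))]


def apply_map(dns: list[str], ldap_attr: str = "memberOf") -> list[str]:
    """Rewrite matching values via map-value; an unmatched DN passes through unchanged.

    Exact string comparison is an assumption of this model.
    """
    table = ATTRIBUTE_MAP[ldap_attr]["values"]
    return [table.get(dn, dn) for dn in dns]


def resolve_group_policy(mapped: list[str]) -> str:
    """First mapped value naming an existing group-policy wins (assumed precedence);
    with no such value the tunnel-group's default-group-policy applies."""
    for name in mapped:
        if name in GROUP_POLICIES:
            return name
    return DEFAULT_GROUP_POLICY


@dataclass(frozen=True)
class Outcome:
    group_policy: str
    allowed: bool                # False when the policy has vpn-simultaneous-logins 0
    unmatched: tuple[str, ...]   # raw DNs that no map-value matched


def authorize(debug_text: str) -> Outcome:
    """Run the whole pipeline for one user's debug transcript."""
    dns = parse_memberof(debug_text)
    table = ATTRIBUTE_MAP["memberOf"]["values"]
    policy = resolve_group_policy(apply_map(dns))
    unmatched = tuple(dn for dn in dns if dn not in table)
    return Outcome(policy, GROUP_POLICIES[policy] > 0, unmatched)


if __name__ == "__main__":
    for user, text in (("yohgonza", DEBUG_YOHGONZA), ("AndrewS", DEBUG_ANDREWS)):
        o = authorize(text)
        state = "allowed" if o.allowed else "denied (vpn-simultaneous-logins 0)"
        print(f"{user:9} -> group-policy {o.group_policy}: {state}; "
              f"{len(o.unmatched)} unmatched memberOf value(s)")
```

Under this model yohgonza resolves to DoDIL5NMAdmin and AndrewS resolves to VPNDeny, so her session should be refused by vpn-simultaneous-logins 0. When the live behaviour differs from the model, the first thing to compare is what the ASA actually assigned to the session: `show vpn-sessiondb anyconnect filter name AndrewS` (or `show vpn-sessiondb detail`) reports both the Tunnel Group and the Group Policy in effect, which shows whether the session landed in DoDIL5-NMAdmin with VPNDeny at all or was steered into a different tunnel-group and group-policy.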