Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

KB ID 0001152 Dtd 03/02/16


When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change.

The process is to set up AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Well guess what – it didn’t work! So I ended up using a blend of LDAP and Cisco Dynamic Access Policy (DAP) to do the same, (don’t panic, it’s actually easier than writing an LDAP attribute map).


Firstly you need to create a ‘service account’ in Active Directory that the ASA will use; it only needs to be able to browse the AD, so a simple Domain User is fine.

Cisco ASA Service Account

Then create a user group that you want to grant AnyConnect Access to;

AnyConnect Remote VPN Group

Then create a test user and put that user in your domain group.

Group Membership AnyConnect
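The three objects above created from PowerShell rather than the GUI, as an added example that is not part of the original article. It assumes the ActiveDirectory module on a domain-joined admin box and the OU path from the article’s ldap-login-dn; the ‘OU=Users,OU=PNL,…’ container and the test-user name ‘vpntest’ are placeholders.

```powershell
# Added example, not from the original article. Provisions the service account,
# the VPN-Users group and a test user, then prints the DNs the ASA side needs.
# Assumptions: ActiveDirectory module, domain pnl.com; the ServiceAccounts OU comes
# from the article's ldap-login-dn, the Users OU and 'vpntest' are placeholders.
Import-Module ActiveDirectory

$Domain = 'dc=pnl,dc=com'
$SvcOU  = "OU=ServiceAccounts,OU=PNL,$Domain"
$UserOU = "OU=Users,OU=PNL,$Domain"     # placeholder OU for the group and test user

# 1. Service account. It only binds and reads, so a plain Domain User is enough:
#    no extra group memberships, and a password that will not silently expire.
New-ADUser -Name 'asa' -SamAccountName 'asa' -Path $SvcOU `
    -AccountPassword (Read-Host -AsSecureString 'Password for asa') `
    -Enabled $true -PasswordNeverExpires $true `
    -Description 'Cisco ASA LDAP bind account (read-only)'

# 2. Security group that AnyConnect access will be limited to.
New-ADGroup -Name 'VPN-Users' -SamAccountName 'VPN-Users' -GroupScope Global `
    -GroupCategory Security -Path $UserOU

# 3. Test user, made a direct member of the group.
New-ADUser -Name 'vpntest' -SamAccountName 'vpntest' -Path $UserOU `
    -AccountPassword (Read-Host -AsSecureString 'Password for vpntest') -Enabled $true
Add-ADGroupMember -Identity 'VPN-Users' -Members 'vpntest'

# 4. The exact strings to copy into the ASA config and the DAP condition.
#    The DAP compares memberOf as a full DN, so take it from AD rather than retyping it.
"ldap-login-dn      : $((Get-ADUser 'asa').DistinguishedName)"
"DAP memberOf value : $((Get-ADGroup 'VPN-Users').DistinguishedName)"
"vpntest memberOf   : $((Get-ADUser 'vpntest' -Properties memberOf).memberOf -join '; ')"
```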

Configure the ASA for LDAP

Create an AAA LDAP Server Group > Add a Server > Put in the Config for that server like so;


Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-LDAP-SERVER protocol ldap 
Petes-ASA(config-aaa-server-group)# aaa-server PNL-LDAP-SERVER (inside) host
Petes-ASA(config-aaa-server-host)# ldap-base-dn dc=pnl,dc=com     
Petes-ASA(config-aaa-server-host)# ldap-scope subtree 
Petes-ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
Petes-ASA(config-aaa-server-host)# ldap-login-password P@assword123
Petes-ASA(config-aaa-server-host)# ldap-login-dn cn=asa,OU=ServiceAccounts,OU=PNL,dc=pnl,dc=com
Petes-ASA(config-aaa-server-host)# server-type auto-detect 
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)# exit

Now perform a test, and make sure it says ‘Successful’

Petes-ASA# test aaa-server authentication PNL-LDAP-SERVER host username administrator password P@ssword123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
INFO: Authentication Successful

Add LDAP Authentication For AnyConnect

I’m assuming you already have AnyConnect set up? If not, that’s fine: simply follow the article below, which will set it up for LOCAL authentication. Get it set up and working, then come back here.

Cisco ASA 5500 AnyConnect Setup From Command Line

To change authentication from LOCAL you make a change in the Tunnel-Group for your remote VPN connection; if you don’t know the name of your tunnel group, ‘show run tun’ will list them. You add the authentication-server-group to the general-attributes section of the config, like so;


Petes-ASA(config)# tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-LDAP-SERVER LOCAL
Petes-ASA(config-tunnel-general)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 30899474 8c9cd7c6 495be299 fd911bca 

19681 bytes copied in 3.340 secs (6560 bytes/sec)

Note: At this point ALL DOMAIN USERS can successfully authenticate. To lock it down to one domain security group, apply a Dynamic Access Policy (these can only be configured in the ASDM).

Cisco ASDM Configure Dynamic Access Policies

Connect to the ASDM > Configuration > Remote Access VPN > Dynamic Access Policies > Add.

ASA Dynamic Access Policy

Add an LDAP condition > IF NOT a member (or ‘not equal to’ member) > insert the domain security group. Then set the policy’s action to ‘Terminate’.

AnyConnect Based on AD Group

Then test.
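Before blaming the DAP when a test fails, it helps to confirm the LDAP side behaves the way the ASA expects. This added example (not from the article) replays the ASA’s lookup with the aaa-server settings above: it binds as the service-account DN, searches the base DN subtree for the user’s sAMAccountName, and then applies the same memberOf comparison the DAP makes. The DC name ‘dc01.pnl.com’ and the user ‘vpntest’ are placeholders; the DNs come from the article.

```powershell
# Added example, not from the original article. Replays the ASA's LDAP lookup
# using the values from the aaa-server block, then evaluates the DAP condition.
# Placeholders: the DC host name and the test user's sAMAccountName.
Add-Type -AssemblyName System.DirectoryServices

$Server   = 'dc01.pnl.com'                                    # placeholder DC
$BaseDN   = 'dc=pnl,dc=com'                                   # ldap-base-dn
$LoginDN  = 'cn=asa,OU=ServiceAccounts,OU=PNL,dc=pnl,dc=com'  # ldap-login-dn
$LoginPw  = Read-Host 'Service account password'              # ldap-login-password
$TestUser = 'vpntest'                                         # placeholder user
$GroupCN  = 'VPN-Users'

# Simple bind as the service account DN, which is how the ASA authenticates
# itself (AuthenticationTypes::None = plain simple bind on port 389).
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$BaseDN", $LoginDN, $LoginPw,
    [System.DirectoryServices.AuthenticationTypes]::None)
try { $null = $root.NativeObject } catch { throw "Bind as $LoginDN failed: $_" }

function Find-Entry($filter, $attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Subtree   # ldap-scope subtree
    $attrs | ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    $s.FindOne()
}

# Resolve the group's DN from AD so the comparison uses the exact string.
$group = Find-Entry "(&(objectClass=group)(sAMAccountName=$GroupCN))" 'distinguishedName'
if (-not $group) { throw "Group $GroupCN not found under $BaseDN" }
$groupDN = $group.Properties['distinguishedname'][0]

# The user lookup mirrors ldap-naming-attribute sAMAccountName.
$user = Find-Entry "(&(objectClass=user)(sAMAccountName=$TestUser))" 'memberOf'
if (-not $user) { throw "$TestUser not found under $BaseDN" }

# This is the comparison the DAP makes: memberOf is multi-valued and lists
# direct memberships only, so a nested group does not satisfy the condition.
$member = $user.Properties['memberof'] -contains $groupDN
"$TestUser memberOf $groupDN : $member"
if ($member) { 'DAP result: Continue (user would be allowed)' }
else         { 'DAP result: Terminate (memberOf != group condition matched)' }
```

The article’s aaa-server block does not enable ldap-over-ssl, so this bind, like the ASA’s, sends the service-account password as a cleartext simple bind; switch to AuthenticationTypes::SecureSocketsLayer on port 636 once the ASA is moved to LDAPS.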

Filter AnyConnect Group Membership

Related Articles, References, Credits, or External Links


Author: PeteLong


  1. Hi,

    Thanks for the article, but I have one question: from the configuration I do not see how the ASA actually checks that the authenticating user is a member of the VPNUser group. Any ideas?

    Kind regards,

    • With LDAP alone it won’t work, you need the DAP as well (Cisco might argue) but I’d ask them to show me a working LDAP only config before I would believe them 🙂


  2. Great 🙂

    I checked Cisco how to guides, it confused me 🙂

    Yours one: Simple and clear 🙂

    Thanks a lot!!!

  3. It works! I was trying to map an LDAP attribute for 2 days until I found this article! It took me 2 min 🙂

  4. Amazing article! The documentation and the threads in Cisco’s forum are so confusing. This article is spot on! Thank you.

  5. All I can say is thanks! Wasted two days on trying to get ASA LDAP Attribute Mapping working. DAP is the way to go. Followed PeteLong’s steps and in 2 minutes we are up and running using AD Group authentication for VPN! I can see many other policies that we can now set as well. Thanks once again for your post!

    • No problem, thanks for the feedback.

  6. I wish Google had put your page at the top of the search results. Like everyone else, I have been struggling with LDAP Mapping, but your explanation is easy and makes perfect sense. Thanks for publishing this.

    • ThanQ – I wish I was also at the top 🙂

  7. I need multiple Group-Profile match and authenticate with different LDAP group. Any idea?


    • A Better solution is to use RADIUS then (depending on the group membership) pass the group policy back in the RADIUS reply.

      • How do I add this DAP to a specific group policy and not to others
        For instance, I only want this DAP to apply to a specific remote access vpn tunnel profile/group-policy
        I have multiple tunnel-profiles and group-policy
        Does this one DAP apply to one tunnel-profile/group policy both for client/clientless ssl vpns?

        • You can’t unfortunately, they are global 🙁

  8. If I have two ISPs with different IP address can I use both of them to access remote vpn ?
    Or can only one IP address work?

    • Great Question! You can access AnyConnect via either public IP, you would need to have both IP addresses registered against the public domain name. And you would need to enable it on both interfaces, and have mirrored NAT rules. (unless you had (inside, any) and not (inside,outside) for example).


  9. I need to allow users to change their passwords at the VPN login screen. And to let them know their password is expiring in x days. They already log in using their domain account.

    • I’ve added the link to the bottom of the page.


