How to configure Cisco ASA 5500 for Radius to LDAP Mapping in the VIP Enterprise Gateway
search cancel

How to configure Cisco ASA 5500 for Radius to LDAP Mapping in the VIP Enterprise Gateway


Article ID: 164538


Updated On:


VIP Service


Scenario: Integrate Cisco ASA 5500 VPN for second-factor authentication when users are distributed amongst three different groups with a different policy for each group. 

attribute name: Group-Policy ( Cisco attribute vendor-specific )
attribute number: 25
attribute type: String
Sets the group policy for the remote access VPN session. For version 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats:
• <group policy name>
• OU=<group policy name>
• OU=<group policy name>


  • Log into the EG console, then click the Validation tab.
  • Select the checkbox to enable Click here to set up RADIUS to LDAP mapping
  • Locate the mapping section and note the two options: User Query and Secondary Query. Determine the attribute (string or integer) your VPN expects. 
  • Locate the RADIUS Mapping Attribute drop-down and select type String or Integer.
  • Select the LDAP Mapping Attribute. For example, attribute “Department” could be mapped as type String to the RADIUS Mapping Attribute. 

If required, a “Secondary Query” can be added. If this is selected, two queries will be done. For User Filter, the Search Attribute value could be used as the Second Filter, and the LDAP Mapping Attribute value will be mapped a second time to the RADIUS Mapping Attribute value selected previously in the User Query. This may require testing different scenarios and using Test to verify the desired results. 

To determine the group(s) a user belongs to, you can verify first through the GUI:

  • In Windows Server Manager, navigate to Active Directory Users and Computers.
  • Click on Users (or the folder that contains the user account).
  • Right-click on the user account, then click Properties.
  • Select the Member of tab.
  • Alternatively, open an elevated command prompt in the user's computer, then type gpresult /v. In the output, locate 'The user is a part of the following security groups'.


The following is a secondary query example:

U1 is part of a Group1. Group1 has an attribute GroupTest with value GT1
U2 is part of a Group2. Group2 has an attribute GroupTest with value GT2

In the RADIUS to LDAP mapping settings, 
Select Class, and attribute type String.
Search Attribute with value DistinguishedName
Secondary Base DN : cn=users,dc=domain,dc=com (customers domain base DN)
Secondary Filter : (&(objectClass=group)(member=%s))
LDAP Mapping attribute: CN (or other desired attribute)

When U1 attempts to authenticate, the value GT1 is returned. When U2 attempts to authenticate, value GT2 is returned.

This example returns the group short name if the VPN requires this value:a different short group name:

Query Type : “Secondary Query”
Search Attribute: distinguishedName
Search Base DN: DC=example,DC=com  // or further subtree if it covers the desired users and groups
Secondary Filter: (&(&(member=%s)(objectclass=group))(cn=ACCESS-*))
LDAP Mapping Attribute: cn

The Cisco Configuration policy must class attribute values recognized by the VIP Enterprise Gateway.