LDAP attribute mapping

If I use LDAP attributes to map users to a specific group on the ASA, is group-lock necessary if I want a user to connect to a single group? I use the Cisco Group-Policy attribute to map an LDAP attribute to an employee's department, e.g. sales, marketing, research, etc.

Kind regards

Charles

No. If you already configure an LDAP attribute map, there is no need to configure group-lock, because the LDAP attribute map will automatically place the user in the specific group policy you created through the mapping.

Hope that answers your question.

Tags: Cisco Security

Similar Questions

  • Attribute mapping between LDAP and UCM 11g internal user profile attributes

    Hi all

    I use UCM 11g. Is there a way to map between LDAP and UCM 11g internal user profile attributes? I tested with an attribute named homephone in the WLS embedded LDAP and created the homephone attribute in UCM 11g, but after the user logs in I can't find the value in the UCM 11g user profile.

    Best regards

    In earlier versions there was LDAPProvider, which was replaced by JpsUserProvider in 11g. This component lets you do a bit in the interface, but there are a few more options which do not seem to be documented. For example, if you have a HomePhone field, enter 123456789 in it and then empty it, by default the JpsUserProvider component will not empty the field in UCM. You can change this by entering ClearMissingAttributes=true in the provider.hda file. Or, if you want to use a credentials map, you will need to change provider.hda with ProviderCredentialsMap=name_of_map (my source for the latter was the ECM blog at http://blogs.oracle.com/ecmarch/2011/03/).

    For more information on JpsUserProvider, look in the Administrator's Guide:

    When to add JPS provider: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c02_settings007.htm#CSMSP496

    Adding a JPS Provider: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10792/c02_settings007.htm#BEIIAHHI

    I hope this helps!

    Frank.

  • LDAP attribute map: match on a user rather than a group

    We currently have AnyConnect (client based) up and running on our ASA 5515-X running 9.5(1). I use AD LDAP for authentication, with LDAP attribute maps configured and assigned to our LDAP server config on the ASA. Like many, we use these maps to let the ASA assign a group policy to a user based on AD group membership. Basically I have one AD group for regular VPN users and a group for admin VPN users. It works pretty well, but there are cases where the user profile specific to the 'Regular VPN users' group policy does not work for all users in this AD group. I was trying to find a way to adjust the settings for certain users based on the username. Say a user needs to connect to the VPN from an RDP session, but I don't want all users to have that, so I would assign a different group policy/user profile based on the AD username that would allow the VPN from an RDP session. The rest of the users would still be blocked from the VPN over RDP. Here is my LDAP attribute map:

    ldap attribute-map LDAP
      map-name memberOf Group-Policy
      map-value memberOf "<LDAP path>" <group-policy>
      map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

    Now what I could do here, with the above configuration, I think, is to create a new group policy on the ASA for a certain group of users and then create a new map-value with a new LDAP path that would point to a new group in AD, say "RDP VPN users". I would then add the users I want AnyConnect group-policy/user-specific profiles for to this particular AD group. But the thing is that I would prefer not to have to create so many groups in AD.

    What I want to know is whether there is a way to have an LDAP attribute map value path point to a certain AD username somehow, as if the LDAP path were something like "CN=,OU=users,DC=,DC=". This way I could assign a group policy to the majority of users in the "Regular VPN users" AD group, but then assign a different policy to some users who require slightly different settings. Would that allow me to match on a certain user rather than an AD group? Does the Cisco attribute name Group-Policy treat a user as if it were an AD group? I guess not, but I'm not sure. I looked through the list of Cisco attribute names but didn't see anything that looked like it would work for AD usernames.

    Also, if anyone knows a better way please let me know; I am open to suggestions. I hope that makes sense. Thanks in advance to the community for the help.

    I think you need a completely different approach: DAP (dynamic access policies).

    DAP allows a lot of things, and you can create additive policies. So if you are a member of group 'A' you add this URL. If you are also a member of group 'B' you add this ACL. It can also do other things, like checking registry keys, etc.

    The DAP deployment guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

    I pretty much use nothing but DAP now (and no attribute maps) because of the significant increase in flexibility.

  • ACS 5.1 - AD and RADIUS attribute mapping

    Hello

    I am trying to dynamically assign IP addresses to VPN users from AD (without the IAS service). Is it possible?

    I know there is a restriction that "Dial-in users are not supported by AD in ACS" (note in 'acsuserguide51'), but I'm not exactly sure whether that has anything to do with it.

    In the "Authorization profiles" RADIUS attributes tab I try to manually add a specific attribute (Framed-IP-Address).

    I have no problem (everything works fine) with assigning a static address in the way below:

    AD is already integrated with ACS and I managed to download the directory attributes, in particular msRADIUSFramedIPAddress.

    When I change the attribute value type from static to dynamic I see the option to select AD (but the "Select" list, which should show all the available attributes, is empty).

    Is it possible this way, or is my concept wrong?

    I know I can do it directly (ASA <-> AD attribute mapping), but I want ACS to do it.

    best regards and thx for all help

    Przemek

    Your basic approach is correct. However, when you dynamically assign the IP address as a RADIUS attribute in an authorization profile, you are only offered for selection those attributes in the identity store (in this case AD) which are also of type IP address. In your example it is of type "integer64".

  • LDAP attribute value types

    There is a class javax.naming.Attribute

    and I can put some values in there with javax.naming.Attribute.add(Object object).

    I want to ask:

    can these objects only be byte[] or String?

    If so, it will be OK for me, because then the choice is standardized to two types (String and byte[]) in one place where I have to control the types of the objects.

    I arrived at this point in the code of the mapToContext method of the Spring LDAP library:


    private void mapToContext(Object entry, DirContextOperations context) {
        ObjectMetaData metaData = getEntityData(entry.getClass());

        // Object classes are defined from the metadata obtained from the @Entry annotation
        int numOcs = metaData.getObjectClasses().size();
        CaseIgnoreString[] metaDataObjectClasses = metaData.getObjectClasses().toArray(new CaseIgnoreString[numOcs]);

        String[] stringOcs = new String[numOcs];
        for (int ocIndex = 0; ocIndex < numOcs; ocIndex++) {
            stringOcs[ocIndex] = metaDataObjectClasses[ocIndex].toString();
        }
        context.setAttributeValues(OBJECT_CLASS_ATTRIBUTE, stringOcs);

        // Loop through each field of the object to write it to LDAP
        for (Field field : metaData) {
            // Retrieve the metadata for the current field
            AttributeMetaData attributeInfo = metaData.getAttribute(field);
            // The object class field was dealt with above, and the DN is defined by the call that writes the LDAP object
            if (!attributeInfo.isId() && !attributeInfo.isObjectClass()) {
                try {
                    // If it is a 'binary' attribute JNDI expects a byte[], otherwise a String
                    Class<?> targetClass = (attributeInfo.isBinary()) ? byte[].class : String.class;
                    // Multiple values?
                    if (!attributeInfo.isList()) {
                        // Only one value - get the value of the field
                        Object fieldValue = field.get(entry);
                        // Ignore null field values
                        if (fieldValue != null) {
                            // Convert the field value to the required type and write it into the JNDI context
                            context.setAttributeValue(attributeInfo.getName().toString(),
                                    converterManager.convert(fieldValue, attributeInfo.getSyntax(), targetClass));
                        }
                    } else { // multi-value
                        // We need to build up a list of values
                        List<String> attributeValues = new ArrayList<String>();
                        // The list of values
                        Collection<?> fieldValues = (Collection<?>) field.get(entry);
                        // Ignore null lists
                        if (fieldValues != null) {
                            for (final Object o : fieldValues) {
                                // Ignore null values
                                if (o != null) {
                                    attributeValues.add((String) converterManager.convert(o, attributeInfo.getSyntax(),
                                            targetClass));
                                }
                            }
                            context.setAttributeValues(attributeInfo.getName().toString(), attributeValues.toArray());
                        }
                    }
                } catch (IllegalAccessException e) {
                    throw new InvalidEntryException(String.format("Can't set attribute %1$s", attributeInfo.getName()),
                            e);
                }
            }
        }
    }

    Can these objects only be byte[] or String?

    Correct.

  • Retrieving LDAP attributes after authentication

    All,
    Thanks to Tyler Muth's blog on secure LDAP, I was able to get authentication working against our SunONE LDAP using a custom authentication scheme. APEX does not natively support the SSL authentication flow where you must do a secure LDAP bind with a service DN (which has its own user ID and password) before you pass the real user's username and password.

    Now I'm retrieving attributes for this authenticated user, like attributes that are in the LDAP directory: department, title, etc. Does anyone have any suggestions? Code examples would be great. I looked at the example in the Pro Application Express book, but what confuses me is how to pass the username that you have authenticated to a call to 'dbms_ldap.search'. Authentication closes the LDAP session once the user is authenticated. So now I'm in the application with this APP_USER. I believe I now have to do the following steps, but I don't know how to accomplish them:

    1.) I need to re-open an LDAP session (I guess I still need to re-bind to LDAP using my service DN and password, as the custom authentication did).
    2.) I need to search LDAP for the current APP_USER and start retrieving the other attributes; our LDAP administrator said I can search on the "UID", as that is how it is stored in our LDAP.
    3.) There is code for a custom LDAPQuery function (built on dbms_ldap.search) in 'Pro Oracle Application Express', but it sends the data to a table and then queries the table to retrieve the attributes.

    The code in 'Pro App Express' does not require that initial secure bind with the service DN (service username, password) assigned to me by our LDAP admin. It looks like it assumes that the binding user is the one whose attributes are sent to the LDAPQuery function call (user and password parameters), but this is not the case in my situation. I want to query based on the currently logged in APP_USER and retrieve the attribute data into the form input items on the page the user has just been authenticated into.

    Any help would be appreciated - especially if you have already done this and have a code example!

    Thank you
    Pat

    Hello

    try to change this line

    l_attrs := 'ndtitle, title, nddepartment';

    TO

    l_attrs(1) := 'ndtitle';
    l_attrs(2) := 'title';
    l_attrs(3) := 'nddepartment';

    Kind regards
    Shijesh

  • LDAP mapping

    Hello
    I have to integrate UCM with an LDAP user repository. As a general question, must each user be mapped, or can I "omit" one or some (I have a user that I want to keep with all its features, but I don't want it to have access to the portal, so I'm thinking of simply not mapping it through LDAP)? Is this possible, or must all Content Server users have a login in the LDAP repository, otherwise it won't work?
    We are talking about a 10gR3 Content Server on an AIX 5 server. About the user repository I don't know a lot of things right now, but it was just a general question.

    Kind regards
    Maria

    HI Maria,

    As a general rule, you don't really need to map UCM users to LDAP users. All you have to do is map roles (and accounts, if you use the accounts option).
    You don't need to create users in UCM at all. You can configure the Content Server to authenticate a user directly against LDAP.
    In addition, a good thing is that UCM will not simply let in every LDAP user who tries to connect to the Content Server. Only LDAP users that meet certain criteria (i.e. whose LDAP roles map to UCM roles) will be authorized successfully.

    All you have to do is to configure an LDAP provider. (You can even have more than one LDAP provider, so you can connect to more than one LDAP source)

    Kind regards
    Elvis

    Edited by: Spada E on April 14, 2009 02:24

  • Assigning static IP addresses to ASA VPN clients via ISE

    We will integrate the ASA remote access VPN service with a new ISE 1.2.

    Authentication is performed in Active Directory. After authentication, can ISE assign an IP address to a specific VPN user?

    This means that the same VPN user would always get the same IP address. Thank you.

    Daniel,

    You can override IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However, if I may make a suggestion:

    unless you only have to do so for a handful of users, it may be more appropriate to assign the address from an ISE pool or to perform the LDAP attribute mapping on the ASA itself.

    In the latter case the IP addresses are kept on the LDAP server as attributes, and the ASA will map the IP address. You don't want to keep an IP address database in several places.

    M.

  • Cisco ASA - AnyConnect VPN - DAP to restrict access

    Hello

    I haven't found any proven way or description of whether this is possible with the ASA. I'm trying to find a solution where, based on the user's Active Directory groups, the VPN is restricted.

    I want all "AllVPNUsers" users to be able to connect and only access one in-house server.

    If a user is in the group "AllDevelopers-VPN" they should be able to access all the servers in a specified subnet.

    If a user is in the "AllDevOps" group they should not have any restrictions.

    Is it possible with an ASA 5512-X?

    Best regards

    Daniel

    Hi Daniel,

    You can use LDAP attribute mapping, where one AD group can be mapped to a group policy which gives access to specific networks.
    Here is a document that you can reference. Please do not hesitate to share if there is any problem.

    Kind regards
    Dinesh Moudgil

  • Recommendations for VPN authentication

    So, now that Cisco has helped me get the VPN working on my ASA 5525-X, I need to use Active Directory for authentication/grouping of clients for several profiles in AnyConnect.

    My question is what the simplest and most effective way of setting this up is. I have a 2012 R2 NAP server that is used to authenticate AD users for access to the switches. But should I use that for the ASA as well, or can I use AD directly from the ASA?

    A reminder to those who have not seen my posts: I'm very new to the ASA and need to get this up and running quickly... Any help/suggestions would be greatly appreciated.

    Thank you

    Stacey

    Hi Stacey,

    You can use the Windows server directly from the ASA; it uses the LDAP protocol. You will need to configure the ASA like this:

    aaa-server LDAP-SRV protocol ldap
    aaa-server LDAP-SRV (inside) host XXXXXXXXX                        --> IP address of the server
     ldap-base-dn DC=vpn,DC=also,DC=com                                --> where the users are stored
     ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=also,DC=com     --> the entire AD tree
     ldap-login-password *                                             --> the administrator password
     ldap-naming-attribute sAMAccountName
     ldap-scope subtree
     server-type microsoft

    Now you need to get the login DN and the base DN. Then, in AD, you need to create several user groups and divide the users into different authorization levels, such as: salespeople, employees...

    You can test the authentication with this command:

    test aaa-server authentication LDAP-SRV host XXXXXX username XXXXX password XXXX

    Then see if it fails, so you can troubleshoot the problem.

    You can then configure the LDAP attribute map to map a user group on the AD server to a group policy on the ASA.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    I would like to know how it works!


    David Castro,

    Kind regards

  • Clientless (browser) SSL VPN access is not allowed

    I'm trying to set up an additional AnyConnect VPN profile. I have one that is working properly, but this new one will not. When I try to log in to download the client, or try to connect from a computer that already has the client, I cannot.

    The client side receives this error: "Clientless (browser) SSL VPN access is not allowed."

    In the ASA log:

    4  May 10 2010  11:42:17  722050  Group <> User <> IP <10.12.x.x> Session terminated: SVC not enabled for the user.
    4  May 10 2010  11:42:17  113019  Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

    It does reference our main IPsec connection group name. I think that's very strange. Here's the part of my config that deals with the SSL client.

    tunnel-group SSL-RDP-Only type remote-access
    tunnel-group SSL-RDP-Only general-attributes
     address-pool SSL_VPN_Users
     authentication-server-group FUN-LDAP
     default-group-policy SSL-RDP
    tunnel-group SSL-RDP-Only webvpn-attributes
     group-alias VPN_FUN enable
     group-url https://64.244.9.X/VPN_FUN enable

    group-policy SSL-RDP internal
    group-policy SSL-RDP attributes
     vpn-filter value RDP_only
     vpn-tunnel-protocol svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RDPonlyVPN_splitTunnelAcl
     webvpn
      url-list none
      svc ask none default svc
    access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
    access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
    access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
    access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
    access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
    access-list RDP_only remark .x RDP
    access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
    access-list RDP_only remark .x RDP
    access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
    access-list RDP_only remark .x RDP
    access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389

    ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255

    Post edited by: kyle.southerland

    After reviewing the config, the difference between the AnyConnect and SSL-RDP-Only groups is the AAA server.

    The AnyConnect group uses the RADIUS server (RAS01) for authentication, while the SSL-RDP-Only group uses an LDAP server (FUN-LDAP) for authentication, and in the FUN-LDAP server configuration you configure an LDAP attribute map, which maps the group "An1meR0xs".

    To test, change the AAA authentication from LDAP to RADIUS for the newly created group.

    Hope that helps.

  • How to give different AnyConnect profiles to some users

    Hello

    I am very new to AnyConnect but managed to configure our ASA 5510 with 2 connection profiles, one with split tunneling enabled and the other without. How do I configure the ASA/AnyConnect client so that most users only see the connection profile with split tunneling disabled, but others get to see both connection profiles in the client? Currently all users get to see both profiles in the client, and I'm stuck at the moment trying to understand how I control which connection profiles they get to see... Users are authenticated on a Microsoft IAS server, if that matters, and the ASA is running 8.2(1) and ASDM 6.2(5)53. Thanks for any help.

    Kind regards

    Terry

    Microsoft IAS is a good piece of information. Thank you.

    So I assume you are using it for RADIUS authentication.

    You have 2 options:

    (1) configure the IAS RADIUS server to map the user to a specific group policy by using a RADIUS attribute.

    Here is an example configuration using a Cisco ACS RADIUS server for your reference:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

    (Sorry, I can't find an example configuration using the Microsoft IAS server, but the concept is the same.)

    (2) as you run Microsoft IAS, I assume you are using Active Directory? Assuming that's true, you can actually authenticate via the LDAP protocol and use LDAP mapping to place the user in a specific group policy.

    Here is the sample configuration for LDAP authentication:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

    and here is the example LDAP attribute mapping configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008089149d.shtml

    Hope one of the options works for you.

  • ASA and DAP group policy

    Hi all

    I intend to implement SSL VPN on ASA 8.2.1.

    For example, I create the following 2 DAP records to assign different access rights.

    Policy name: sales DAP

    ldap.memberOf = sales

    Action: continue

    Policy name: engineering DAP

    ldap.memberOf = engineering

    Action: continue

    The following group policies are already configured on the ASA.

    GP_sales

    GP_engineering

    If UserA, who is a member of the Sales OU in Active Directory, accesses the ASA, does the ASA know that UserA must be associated with GP_sales?

    Thank you

    Hello

    You must configure the LDAP server on your ASA with an LDAP attribute map to the Cisco attribute (LDAP memberOf is mapped to Group-Policy).

    Then you need to configure the LDAP attribute mapping:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

  • LDAP on ASA with attribute-map

    Hi all

    I have problems setting up authentication of VPN clients against an LDAP server. The main problem is when the ASA has to decide on a group policy for non-compliant users.

    I use an LDAP attribute map on the ASA to map the memberOf attribute to the Cisco Group-Policy attribute, so I can associate the AD group the user must belong to with the right VPN group policy through memberOf. This method works correctly.

    But the problem is when the remote user is not in the correct AD group: I set a default group policy with no access for this type of user. After that, all users (authorized and unauthorized) fall into the same default group policy with no VPN access.

    There are the ASA configuration:

    ldap attribute-map LDAP
      map-name memberOf Group-Policy
      map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,ou=My group,dc=xxx,dc=com" RemoteAccess

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.0.0.3
     ldap-base-dn ou="My group",dc=xxx,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=users,ou="My group",dc=xxx,dc=com
     server-type microsoft
     ldap-attribute-map LDAP

    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0

    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
     dns-server value 10.0.0.3
     vpn-tunnel-protocol IPSec
     default-domain value xxx.com

    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
     address-pool
     authentication-server-group LDAP
     default-group-policy NOACCESS
    tunnel-group RemoteAccess ipsec-attributes
     pre-shared-key *

    As you can see, I followed all the examples available on the web site to solve the problem, but I can't get a good result.

    Does anyone have a solution for this problem?

    Kind regards

    Guzmán

    Guzman,

    It should work without a doubt: the deny part already works well, and the user who has the correct memberOf attribute should certainly be mapped to the allow-access policy and should therefore be allowed in.

    I thought of a bug as well, but I had a quick glance and see nothing matching, and if it were a bug in 8.2.3 I wouldn't expect you to be the first customer to discover it, so I'm still more inclined to think it's something in the config that we're overlooking (I know from experience typos can sometimes be very difficult to spot).

    Could you get a "debug aaa common 255", please; maybe that will tell us something.

    BTW, just to be sure: you don't have anything (such as vpn-simultaneous-logins) configured in the DfltGrpPolicy, do you? Just double-check, since your allow-access policy would inherit that.

    Maybe another test: explicitly configure a nonzero value for this parameter in the allow-access policy, i.e.

    group-policy <allow-access policy> attributes

     vpn-simultaneous-logins 10

    Herbert

  • AnyConnect LDAP attribute map

    I'm trying to configure the attribute map for our AnyConnect SSL client connections. Basically I want all connections to be dropped unless the AD dial-in attribute is set to allow the user.

    I have it working. But according to Cisco's instructions, you create a NoAccess group policy as the default policy for your connection profile and set vpn-simultaneous-logins to 0. The idea being that all connections will be dropped unless they use a different group policy. As soon as I change my default-group-policy to NoAccess, I can't connect.

    ldap attribute-map LDAPVPN
      map-name  msNPAllowDialin IETF-Radius-Class
      map-value msNPAllowDialin FALSE NOACCESS
      map-value msNPAllowDialin TRUE SSL-VPN

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 192.200.202.5
    server-port 389
    ldap-base-dn dc=*****,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=cisco,OU=Service,OU=Accounts,OU=*****,DC=******,DC=com
    server-type microsoft
    ldap-attribute-map LDAPVPN

    group-policy SSL-VPN internal
    group-policy SSL-VPN attributes
    dns-server value 192.200.202.5 192.200.202.6
    vpn-tunnel-protocol svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-Tunnel
    group-policy NoAccess internal
    group-policy NoAccess attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol IPSec svc
    webvpn
      svc ask none default svc

    tunnel-group SSL-VPN type remote-access
    tunnel-group SSL-VPN general-attributes
    address-pool ssl-pool
    authentication-server-group LDAP
    default-group-policy NoAccess
    tunnel-group SSL-VPN webvpn-attributes
    group-alias ******* enable

    If I check debug you can see the attribute being mapped correctly. What gives?

    test aaa-server authorization LDAP host 192.200.202.5 username ****

    [333]   msNPAllowDialin: value = TRUE
    [333]           mapped to IETF-Radius-Class: value = SSL-VPN
    [333]           mapped to LDAP-Class: value = SSL-VPN

     

    Hello, please follow these steps:

    group-policy SSL-VPN attributes

     vpn-simultaneous-logins 3

    What is happening here is that the SSL-VPN group policy inherits the value 0 for vpn-simultaneous-logins from the NoAccess policy as soon as you set it as the default group policy under the tunnel-group. That's why you need to specifically add the value on the SSL-VPN group policy.
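    The two threads above (the memberOf map whose members still land in NOACCESS, and the msNPAllowDialin map whose SSL-VPN users cannot connect) fail for the same reason. The Python model below is added here as an illustration; it is not Cisco code and not anything the posters wrote. It reproduces the behaviour the answers describe: map-name/map-value are applied to a directory entry, the first mapped value that names a configured group policy selects it, and any attribute the selected policy does not set is inherited from the tunnel group's default-group-policy, then from DfltGrpPolicy. The directory entries are constructed sample data, the default of 3 simultaneous logins on DfltGrpPolicy is an assumption, and the inheritance order is taken from the answers above rather than from Cisco documentation.

```python
"""Model of ASA group-policy selection from an LDAP attribute map and of the
NoAccess inheritance pitfall. Added illustration, not Cisco code. Sample
directory entries are constructed; the inheritance chain follows the forum
answers (mapped policy -> tunnel-group default policy -> DfltGrpPolicy)."""
from dataclasses import dataclass, field

DFLT_GRP_POLICY = "DfltGrpPolicy"
# Cisco attributes whose value names a group policy: Group-Policy, and the
# RADIUS Class attribute the ASA also honours for that purpose.
GROUP_SELECTORS = ("Group-Policy", "IETF-Radius-Class")


@dataclass
class AttributeMap:
    names: dict    # map-name:  LDAP attribute -> Cisco attribute
    values: dict   # map-value: (LDAP attribute, LDAP value) -> Cisco value

    def apply(self, ldap_entry):
        """Cisco attributes for one directory entry. Multi-valued attributes
        such as memberOf are mapped value by value; a value with no
        map-value line passes through unchanged."""
        out = {}
        for ldap_attr, raw in ldap_entry.items():
            if ldap_attr not in self.names:
                continue
            vals = raw if isinstance(raw, list) else [raw]
            out.setdefault(self.names[ldap_attr], []).extend(
                self.values.get((ldap_attr, v), v) for v in vals)
        return out


@dataclass
class GroupPolicy:
    name: str
    attrs: dict = field(default_factory=dict)  # explicitly configured attributes only


def select_group_policy(cisco_attrs, default_policy, policies):
    """First mapped value naming a configured group policy wins; otherwise
    the user lands in the tunnel group's default-group-policy."""
    for selector in GROUP_SELECTORS:
        for candidate in cisco_attrs.get(selector, []):
            if candidate in policies:
                return policies[candidate]
    return policies[default_policy]


def effective(attr, policy, default_policy, policies):
    """Resolve one attribute through the inheritance chain."""
    for p in (policy, policies[default_policy], policies[DFLT_GRP_POLICY]):
        if attr in p.attrs:
            return p.attrs[attr]
    return None


def evaluate_login(ldap_entry, attr_map, default_policy, policies):
    """Return (selected policy, effective vpn-simultaneous-logins, allowed)."""
    gp = select_group_policy(attr_map.apply(ldap_entry), default_policy, policies)
    logins = effective("vpn-simultaneous-logins", gp, default_policy, policies)
    return gp.name, logins, bool(logins)


def asa_policies(allow_name, fixed):
    """Policies from the posts: DfltGrpPolicy (assumed default of 3 logins),
    NoAccess with 0 logins, and the allowed policy with or without the explicit
    vpn-simultaneous-logins the answers tell the posters to add."""
    allow = GroupPolicy(allow_name, {"vpn-tunnel-protocol": "svc"})
    if fixed:
        allow.attrs["vpn-simultaneous-logins"] = 3
    return {DFLT_GRP_POLICY: GroupPolicy(DFLT_GRP_POLICY, {"vpn-simultaneous-logins": 3}),
            "NoAccess": GroupPolicy("NoAccess", {"vpn-simultaneous-logins": 0}),
            allow_name: allow}


# memberOf thread: one AD group grants the RemoteAccess policy.
VPN_GROUP_DN = "cn=ASA_VPN,ou=ASA_VPN,ou=My group,dc=xxx,dc=com"
MEMBEROF_MAP = AttributeMap(names={"memberOf": "Group-Policy"},
                            values={("memberOf", VPN_GROUP_DN): "RemoteAccess"})
# msNPAllowDialin thread: a boolean flag selects the policy via the Class attribute.
DIALIN_MAP = AttributeMap(names={"msNPAllowDialin": "IETF-Radius-Class"},
                          values={("msNPAllowDialin", "TRUE"): "SSL-VPN",
                                  ("msNPAllowDialin", "FALSE"): "NoAccess"})

# Constructed sample directory entries, not real users.
MEMBER = {"sAMAccountName": "guzman", "memberOf": [VPN_GROUP_DN, "cn=Staff,dc=xxx,dc=com"]}
NON_MEMBER = {"sAMAccountName": "visitor", "memberOf": ["cn=Staff,dc=xxx,dc=com"]}
DIALIN_OK = {"sAMAccountName": "kyle", "msNPAllowDialin": "TRUE"}
DIALIN_NO = {"sAMAccountName": "temp", "msNPAllowDialin": "FALSE"}

if __name__ == "__main__":
    for fixed in (False, True):
        pol = asa_policies("RemoteAccess", fixed)
        print("fixed" if fixed else "as posted",
              evaluate_login(MEMBER, MEMBEROF_MAP, "NoAccess", pol),
              evaluate_login(NON_MEMBER, MEMBEROF_MAP, "NoAccess", pol))
```

    With the configurations as posted, the allowed policy resolves to 0 simultaneous logins and the member is refused even though the map hit is visible in the debug output; adding vpn-simultaneous-logins to the allowed policy is the only change that flips the result, while users outside the group still land in NoAccess and stay blocked.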
