B-25
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Enforcing Dial-in Allow or Deny Access
In this case, we create an LDAP attribute map that specifies the tunneling protocols allowed for the user.
We map the Allow Access and Deny Access settings on the Dial-in tab to the Cisco attribute
Tunneling-Protocols. The Cisco Tunneling-Protocols attribute supports the bitmap values shown in Table B-6:
Table B-6 Bitmap Values for Cisco Tunneling-Protocol Attribute

Value   Tunneling Protocol
1       PPTP
2       L2TP
4       IPSec (1)
8       L2TP/IPSec (2)
16      Clientless SSL
32      SSL Client (AnyConnect or legacy SSL VPN client)

1. IPSec and L2TP over IPSec are not supported simultaneously. Therefore, the values 4 and 8 are mutually exclusive.
2. See note 1.

Using this attribute, we create an Allow Access (TRUE) or a Deny Access (FALSE) condition for the
protocols and enforce which method the user may use to connect.
For this simplified example, by mapping the tunnel protocol IPSec (4), we create an allow (TRUE)
condition for the IPSec client. We also map WebVPN (16) and SVC/AC (32), combined as the value
48 (16+32), and create a deny (FALSE) condition. This allows the user to connect to the adaptive security
appliance using IPSec, but any attempt to connect using clientless SSL or the AnyConnect client is
denied.
Another example of enforcing Dial-in Allow Access or Deny Access can be found in the Tech Note
ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example, at this
URL:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
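As an added example (not part of the Cisco guide), the following Python models the attribute map from the simplified example above: it decodes a Tunneling-Protocols bitmap with the Table B-6 values, applies the TRUE to 4 / FALSE to 48 mapping, and checks whether a requested protocol is permitted for an LDAP entry. The LDAP attribute name msNPAllowDialin (the Active Directory attribute behind the Dial-in tab) and the sample entries are assumptions.

```python
# Added example, not code from the Cisco guide: models the LDAP attribute map
# that ties the Dial-in Allow/Deny setting to the Tunneling-Protocols bitmap.

# Table B-6 bitmap values for the Cisco Tunneling-Protocols attribute.
TUNNELING_PROTOCOLS = {
    1: "PPTP",
    2: "L2TP",
    4: "IPSec",
    8: "L2TP/IPSec",
    16: "Clientless SSL",
    32: "SSL Client (AnyConnect)",
}

# Dial-in attribute value -> Tunneling-Protocols bitmap, as in the simplified
# example: TRUE (Allow Access) -> 4 (IPSec only); FALSE (Deny Access) -> 48
# (16 + 32, i.e. the SSL methods only, so IPSec is not permitted).
DIALIN_MAP = {"TRUE": 4, "FALSE": 48}

# Assumed LDAP attribute name for the Dial-in tab setting (Active Directory).
DIALIN_ATTRIBUTE = "msNPAllowDialin"


def is_valid_bitmap(value):
    """True if value uses only Table B-6 bits and respects note 1 (4 and 8 exclusive)."""
    known_bits = sum(TUNNELING_PROTOCOLS)          # 63: all defined bits set
    if value & ~known_bits:
        return False
    return not (value & 4 and value & 8)


def decode_bitmap(value):
    """Return the protocol names encoded in a Tunneling-Protocols bitmap."""
    if not is_valid_bitmap(value):
        raise ValueError(f"invalid Tunneling-Protocols value: {value}")
    return [name for bit, name in TUNNELING_PROTOCOLS.items() if value & bit]


def allowed_protocols(ldap_entry):
    """Apply the attribute map to an LDAP entry (a dict) and list the permitted protocols."""
    dialin = str(ldap_entry.get(DIALIN_ATTRIBUTE, "FALSE")).upper()
    return decode_bitmap(DIALIN_MAP.get(dialin, 48))  # unknown values fall back to Deny


def is_permitted(ldap_entry, requested_bit):
    """True if the requested protocol (a Table B-6 value) is in the user's permitted set."""
    return TUNNELING_PROTOCOLS[requested_bit] in allowed_protocols(ldap_entry)


if __name__ == "__main__":
    for user in ({DIALIN_ATTRIBUTE: "TRUE"}, {DIALIN_ATTRIBUTE: "FALSE"}):  # constructed entries
        print(user, "->", allowed_protocols(user))
```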