
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
31-22
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 31 Configuring AAA Servers and the Local Database
Configuring LDAP Attribute Maps
b. Click New to open the Add Time Range dialog box, in which you can specify a new set of access
hours.
c. If the Inherit check box is not checked, the Simultaneous Logins parameter specifies the maximum
number of simultaneous logins allowed for this user. The default value is 3. The minimum value is
0, which disables login and prevents user access.
Note: While there is no maximum limit, allowing several simultaneous connections could
compromise security and affect performance.
d. If the Inherit check box is not checked, the Maximum Connect Time parameter specifies the
maximum user connection time in minutes. At the end of this time, the system terminates the
connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years).
To allow unlimited connection time, check the Unlimited check box (the default).
e. If the Inherit check box is not checked, the Idle Timeout parameter specifies this user’s idle timeout
period in minutes. If there is no communication activity on the user’s connection in this period, the
system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080
minutes. This value does not apply to users of clientless SSL VPN connections.
Step 4 To set a dedicated IP address for this user, enter an IP address and subnet mask in the Dedicated IP
Address (Optional) area.
Step 5 To configure clientless SSL settings, in the left-hand pane, click Clientless SSL VPN. To override each
setting, uncheck the Inherit check box, and enter a new value.
Step 6 Click Apply.
The changes are saved to the running configuration.
Configuring LDAP Attribute Maps
If you are introducing an adaptive security appliance to an existing LDAP directory, your existing LDAP
attribute names and values are probably different from the Cisco ones. You must create LDAP attribute
maps that map your existing user-defined attribute names and values to Cisco attribute names and values
that are compatible with the adaptive security appliance. You can then bind these attribute maps to LDAP
servers or remove them, as needed. You can also show or clear attribute maps.
Note: To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and
values, as well as the user-defined attribute names and values.
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes that they
would commonly be mapped to include the following:
• IETF-Radius-Class—A department or user group
• IETF-Radius-Filter-Id—An access control list
• IETF-Radius-Framed-IP-Address—A static IP address
• IPSec-Banner1—An organization title
• Tunneling-Protocols—Allows or denies dial-in
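
The following Python sketch is an added example, not code from Cisco or from this guide. It models an attribute map as a table of name and value translations, checks the map for mistakes, and applies it to a directory entry. The user-defined attribute names, the value tables, the policy names, and the pass-through behavior for unlisted values are assumptions made for illustration.

```python
# Conceptual model only (added example, not Cisco code). The attribute names on
# the left, the value tables, and the policy names are constructed assumptions.
PAGE_CISCO_ATTRS = {  # the frequently mapped Cisco attributes listed on this page
    "IETF-Radius-Class", "IETF-Radius-Filter-Id",
    "IETF-Radius-Framed-IP-Address", "IPSec-Banner1", "Tunneling-Protocols",
}

# user-defined attribute -> (Cisco attribute, {user-defined value: Cisco value})
SAMPLE_MAP = {
    "department": ("IETF-Radius-Class", {"Engineering": "Engineering-Policy",
                                          "Sales": "Sales-Policy"}),
    "title": ("IPSec-Banner1", {}),                         # value used as-is
    "vpnStaticIp": ("IETF-Radius-Framed-IP-Address", {}),   # hypothetical name
}


def lint_map(attr_map):
    """Flag targets outside the page's list and Cisco attributes mapped twice."""
    problems, seen = [], {}
    for user_attr, (cisco_attr, _) in attr_map.items():
        if cisco_attr not in PAGE_CISCO_ATTRS:
            problems.append(f"{user_attr}: target {cisco_attr} is not in the page's list")
        if cisco_attr in seen:
            problems.append(
                f"{cisco_attr}: mapped from both {seen[cisco_attr]} and {user_attr}")
        seen.setdefault(cisco_attr, user_attr)
    return problems


def apply_map(entry, attr_map):
    """Translate one directory entry; return (cisco_attrs, warnings)."""
    cisco, warnings = {}, []
    for user_attr, values in entry.items():
        if user_attr not in attr_map:
            continue  # unmapped directory attributes are ignored in this model
        cisco_attr, value_table = attr_map[user_attr]
        for value in values:
            if value_table and value not in value_table:
                # Assumption: a value with no table entry passes through unchanged.
                warnings.append(f"{user_attr}={value!r} has no value mapping")
            cisco.setdefault(cisco_attr, []).append(value_table.get(value, value))
    return cisco, warnings


if __name__ == "__main__":
    print(lint_map(SAMPLE_MAP))
    print(apply_map({"department": ["Finance"], "title": ["Example Corp"]}, SAMPLE_MAP))
```

A warning from `apply_map` marks a directory value that would reach the appliance untranslated, which is worth reviewing before the map is bound to an LDAP server.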
