B-26
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Step 1 Configure the user attributes on the AD LDAP server.
Right-click the user. The Properties window displays. Click the Dial-in tab and select Allow Access
(Figure B-9).
Figure B-9 AD-LDAP user1 - Allow access
Note If you select the third option, "Control access through the Remote Access Policy", the server
returns no value for this attribute, and the permissions enforced are those of the internal group
policy on the adaptive security appliance.
Step 2 Create an attribute map to allow both an IPsec and AnyConnect connection, but deny a clientless SSL
connection.
In this case we create the map tunneling_protocols, map the AD attribute msNPAllowDialin (the attribute set by
the Allow Access option) to the Cisco attribute Tunneling-Protocols using the map-name command, and add
map values with the map-value command.
The Tunneling-Protocols value is a bitmask: 1 = PPTP, 2 = L2TP, 4 = IPsec, 8 = L2TP/IPsec, 16 = clientless SSL,
32 = AnyConnect (SVC). Add the bits for the protocols you want to permit. In the map below, a user whose
dial-in setting is Deny Access (msNPAllowDialin FALSE) receives 48, that is clientless SSL plus AnyConnect,
and an Allow Access user (TRUE) receives 4, IPsec only. To permit IPsec and AnyConnect while denying
clientless SSL, as this step sets out to do, map TRUE to 36 (4 + 32) instead. Check the arithmetic before
you deploy a map; an extra bit silently grants a VPN type.
For example:
hostname(config)# ldap attribute-map tunneling_protocols
hostname(config-ldap-attribute-map)# map-name msNPAllowDialin Tunneling-Protocols
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE 48
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 4
Step 3 Associate the LDAP attribute map to the AAA server.
The following example enters aaa-server host configuration mode for the host 3.3.3.4 in the AAA
server group MS_LDAP, and associates the attribute map tunneling_protocols that you created in Step 2:
hostname(config)# aaa-server MS_LDAP host 3.3.3.4
hostname(config-aaa-server-host)# ldap-attribute-map tunneling_protocols
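The three steps above are hard to test safely on a production appliance, so here is an added offline checker for the attribute map built in Step 2. It is example code written for this page, not Cisco's, and it assumes the map text is pasted from show running-config ldap attribute-map. It parses the map-name and map-value lines, decodes the resulting Tunneling-Protocols bitmask with the bit values listed in Step 2, and models the Note in Step 1: when AD returns no msNPAllowDialin value (Control access through the Remote Access Policy), the map produces nothing and the internal group policy decides. The function and variable names, the sample config block, and the choice to treat an LDAP value with no map-value entry as an error are all this example's own assumptions.

```python
import re

# Bit values of the Cisco Tunneling-Protocols attribute as documented for
# this ASA release (1 = PPTP ... 32 = SVC / AnyConnect).
TUNNELING_PROTOCOL_BITS = {
    1: "PPTP",
    2: "L2TP",
    4: "IPsec",
    8: "L2TP/IPsec",
    16: "Clientless SSL",
    32: "AnyConnect (SVC)",
}

# Constructed sample input: the Step 2 map in the form the running config prints it.
SAMPLE_CONFIG = """\
ldap attribute-map tunneling_protocols
  map-name  msNPAllowDialin Tunneling-Protocols
  map-value msNPAllowDialin FALSE 48
  map-value msNPAllowDialin TRUE 4
"""


def parse_attribute_maps(config_text):
    """Parse 'ldap attribute-map' blocks from ASA running-config text.

    Returns {map_name: {"names": {ad_attr: cisco_attr},
                        "values": {ad_attr: {ldap_value: cisco_value}}}}.
    """
    maps = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"ldap attribute-map (\S+)", line)
        if m:
            current = maps.setdefault(m.group(1), {"names": {}, "values": {}})
            continue
        if current is None:
            continue  # lines outside any attribute-map block are ignored
        m = re.fullmatch(r"map-name\s+(\S+)\s+(\S+)", line)
        if m:
            current["names"][m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"map-value\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            current["values"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return maps


def decode_tunneling_protocols(value):
    """Expand a Tunneling-Protocols bitmask into the set of protocol names it permits."""
    value = int(value)
    known = sum(TUNNELING_PROTOCOL_BITS)
    if value < 0 or value & ~known:
        raise ValueError(f"Tunneling-Protocols value {value} sets undefined bits")
    return {name for bit, name in TUNNELING_PROTOCOL_BITS.items() if value & bit}


def effective_tunneling_protocols(amap, user_attrs):
    """Apply one attribute map to the attributes AD returned for a user.

    Returns (protocols, source). source is "ldap" when the map yields a
    Tunneling-Protocols value, or "group-policy" when AD returned no mapped
    attribute (e.g. Control access through the Remote Access Policy), in which
    case protocols is None and the ASA's internal group policy decides.
    """
    for ad_attr, cisco_attr in amap["names"].items():
        if cisco_attr != "Tunneling-Protocols":
            continue
        if ad_attr not in user_attrs:
            return None, "group-policy"
        ldap_value = user_attrs[ad_attr]
        value_map = amap["values"].get(ad_attr, {})
        if ldap_value not in value_map:
            # Assumption of this checker: an LDAP value with no map-value entry is
            # a configuration gap, so fail loudly rather than guess what the ASA does.
            raise ValueError(f"no map-value for {ad_attr} = {ldap_value!r}")
        return decode_tunneling_protocols(value_map[ldap_value]), "ldap"
    return None, "group-policy"


def permits(amap, user_attrs, client):
    """True/False when the map decides access for `client`; None when group policy decides."""
    protocols, source = effective_tunneling_protocols(amap, user_attrs)
    if source == "group-policy":
        return None
    return client in protocols


if __name__ == "__main__":
    amap = parse_attribute_maps(SAMPLE_CONFIG)["tunneling_protocols"]
    for attrs in ({"msNPAllowDialin": "TRUE"}, {"msNPAllowDialin": "FALSE"}, {}):
        print(attrs, "->", effective_tunneling_protocols(amap, attrs))
```

Run it against the map as printed and the Allow Access user comes out with IPsec only while the Deny Access user gets clientless SSL plus AnyConnect; feed it 36 for TRUE and the Allow Access user gets IPsec plus AnyConnect with clientless SSL denied. A user with no msNPAllowDialin value returns "group-policy", the case the Note in Step 1 describes, so the checker also reminds you to verify what the default group policy permits.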
