1-20
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring AAA Servers and the Local Database
  Configuring AAA
Configuring LDAP Attribute Maps       
The ASA can use an LDAP directory for authenticating VPN remote access users or firewall network 
access/cut-through-proxy sessions and/or for setting policy permissions (also called authorization 
attributes), such as ACLs, bookmark lists, DNS or WINS settings, session timers, and so on. That is, you 
can set the key attributes that exist in a local group policy externally through an LDAP server.
The authorization process is accomplished by means of LDAP attribute maps (similar to a RADIUS 
dictionary that defines vendor-specific attributes), which translate the native LDAP user attributes to 
Cisco ASA attribute names. You can then bind these attribute maps to LDAP servers or remove them, as 
needed. You can also show or clear attribute maps.
Guidelines
The ldap-attribute-map has a limitation with multi-valued attributes. For example, if a user is a 
memberOf of several AD groups and the ldap attribute map matches on more than one of them, the 
mapped value is chosen based on the alphabetization of the matched entries. 
To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and 
values, as well as the user-defined attribute names and values. For more information about LDAP 
attribute maps, see the “Active Directory/LDAP VPN Remote Access Authorization Examples” section 
on page 1-15.
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes that they 
would commonly be mapped to include the following:
• IETF-Radius-Class (Group_Policy in ASA version 8.2 and later)—Sets the group policy based on 
the directory’s department or user group (for example, Microsoft Active Directory memberOf) 
attribute value. The group-policy attribute replaced the IETF-Radius-Class attribute with ASDM 
version 6.2/ASA version 8.2 or later.
• IETF-Radius-Filter-Id—An access control list or ACL applied to VPN clients, IPsec, and SSL.
• IETF-Radius-Framed-IP-Address—Assigns a static IP address assigned to a VPN remote access 
client, IPsec, and SSL.
• Banner1—Displays a text banner when the VPN remote access user logs in.
• Tunneling-Protocols—Allows or denies the VPN remote access session based on the access type.
Note A single ldap attribute map may contain one or many attributes. You can only assign one ldap 
attribute to a specific LDAP server.
To map LDAP features correctly, perform the following steps: