1-21
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring AAA Servers and the Local Database
Configuring AAA
Detailed Steps
Examples
The following example shows how to limit management sessions to the ASA based on an LDAP attribute
called accessType. The accessType attribute has three possible values:
• VPN
• admin
• helpdesk
The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type
attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6)
Administrative, and nas-prompt (Service-Type 7) NAS Prompt:
hostname(config)# ldap attribute-map MGMT
hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type
hostname(config-ldap-attribute-map)# map-value accessType VPN 5
hostname(config-ldap-attribute-map)# map-value accessType admin 6
hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7
hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
Command Purpose
Step 1
ldap attribute-map map-name
Example:
hostname(config)# ldap attribute-map
att_map_1
Creates an unpopulated LDAP attribute map table.
Step 2
map-name user-attribute-name
Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)#
map-name department IETF-Radius-Class
Maps the user-defined attribute name department to the Cisco
attribute.
Step 3
map-value user-attribute-name
Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)#
map-value department Engineering group1
Maps the user-defined map value department to the user-defined
attribute value and the Cisco attribute value.
Step 4
aaa-server server_group [interface_name]
host server_ip
Example:
hostname(config)# aaa-server ldap_dir_1
host 10.1.1.4
Identifies the server and the AAA server group to which it
belongs.
Step 5
ldap-attribute-map map-name
Example:
hostname(config-aaa-server-host)#
ldap-attribute-map att_map_1
Binds the attribute map to the LDAP server.
To Next Page
Loading...
Need help?
General
