Cisco ASA 5500 Series Configuration Guide using the CLI
Appendix C: Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Note: As an LDAP client, the ASA does not support the transmission of anonymous binds or requests.
Defining the ASA LDAP Configuration
This section describes how to define the LDAP AV-pair attribute syntax and includes the following
topics:
Supported Cisco Attributes for LDAP Authorization
Cisco AV Pair Attribute Syntax
Cisco AV Pairs ACL Examples
Note: The ASA enforces the LDAP attributes based on attribute name, not numeric ID. RADIUS attributes, on
the other hand, are enforced by numeric ID, not by name.
Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as
an authentication or authorization server enforces permissions or attributes if they are configured.
For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For software Versions 7.1 and
later, this prefix was removed.

Supported Cisco Attributes for LDAP Authorization

This section provides a complete list of attributes (see Table C-2) for the ASA 5500, VPN 3000
concentrator, and PIX 500 series ASAs. The table includes attribute support information for the VPN
3000 concentrator and PIX 500 series ASAs to assist you in configuring networks with a combination
of these devices.