Cisco ASA 5500 Series Configuration Guide using the CLI
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
The following example shows how to map the AD attribute msRADIUSFramedIPAddress used by the
Static Address field to the Cisco attribute IETF-Radius-Framed-IP-Address:
hostname(config)# ldap attribute-map static_address
hostname(config-ldap-attribute-map)# map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
Step 4 Associate the LDAP attribute map to the AAA server.
The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA
server group MS_LDAP, and associates the attribute map static_address that you created in Step 3:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map static_address
Step 5 Verify that the vpn-address-assignment command is configured to specify AAA by viewing this part of
the configuration with the show run all vpn-addr-assign command:
hostname(config)# show run all vpn-addr-assign
vpn-addr-assign aaa << Make sure this is configured >>
no vpn-addr-assign dhcp
vpn-addr-assign local
hostname(config)#
Step 6 Establish a connection to the ASA with the AnyConnect client. Observe the following:
- The banner is received in the same sequence as a clientless connection (see Figure C-7).
- The user receives the IP address configured on the server and mapped to the ASA (see Figure C-8).
Figure C-7 Verify the Banner for the AnyConnect Session
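The settings from Steps 3 through 5 can also be checked offline against a saved configuration. The following Python script is an added example, not part of the Cisco guide; it assumes show running-config style text in which sub-mode commands are indented, and the function name audit_static_address and the sample text are constructed for illustration.

```python
# Added example: audit a saved ASA config for the Step 3-5 settings.
# Assumes `show running-config` style text where sub-mode commands are indented.

# Constructed sample built from the commands shown in Steps 3-5.
SAMPLE_CONFIG = """\
ldap attribute-map static_address
  map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
aaa-server MS_LDAP host 10.1.1.2
 ldap-attribute-map static_address
vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
"""

def audit_static_address(config, cisco_attr="IETF-Radius-Framed-IP-Address"):
    """Return a list of findings; an empty list means Steps 3-5 are consistent."""
    maps, attached = {}, {}   # map name -> {AD attr: Cisco attr}; (group, host) -> map name
    aaa_assign, ctx = None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():              # top-level command: new context
            ctx = None
            if words[:2] == ["ldap", "attribute-map"] and len(words) == 3:
                ctx = ("map", words[2])
                maps.setdefault(words[2], {})
            elif words[0] == "aaa-server" and len(words) >= 4 and words[-2] == "host":
                ctx = ("host", (words[1], words[-1]))  # tolerates an interface token
            elif words[-2:] == ["vpn-addr-assign", "aaa"]:
                aaa_assign = words[0] != "no"  # "no vpn-addr-assign aaa" disables it
        elif ctx and ctx[0] == "map" and words[0] == "map-name" and len(words) == 3:
            maps[ctx[1]][words[1]] = words[2]
        elif ctx and ctx[0] == "host" and words[0] == "ldap-attribute-map" and len(words) == 2:
            attached[ctx[1]] = words[1]

    findings = []
    if aaa_assign is not True:
        findings.append("vpn-addr-assign aaa is not enabled")
    good = {name for name, m in maps.items() if cisco_attr in m.values()}
    for (group, host), name in attached.items():
        if name not in maps:
            findings.append(f"{group} host {host}: attribute map {name} is not defined")
    if not any(name in good for name in attached.values()):
        findings.append(f"no aaa-server host uses a map that sets {cisco_attr}")
    return findings

if __name__ == "__main__":
    print(audit_static_address(SAMPLE_CONFIG) or "Steps 3-5 settings are consistent")
```

An empty result means the attribute map is defined, attached to an LDAP server host, and AAA address assignment is enabled; a misspelled map name on the aaa-server host is reported as an undefined map.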