C-23
Cisco ASA 5500 Series Configuration Guide using the CLI
AppendixC Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Use this attribute to create an Allow Access (TRUE) or a Deny Access (FALSE) condition for the
protocols and enforce the method for which the user is allowed access.
For this simplified example, by mapping the tunnel protocol IPsec/IKEv1 (4), you can create an allow
(true) condition for the Cisco VPN client. You also map WebVPN (16) and SVC/AC (32), which are
mapped as a value of 48 (16+32) and create a deny (false) condition. This allows the user to connect to
the ASA using IPsec, but any attempt to connect using clientless SSL or the AnyConnect client is denied.
Another example of enforcing dial-in allow access or deny access is available in the Tech Note ASA/PIX:
Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example at the following
URL:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.sht
ml
To configure the user attributes on the AD/LDAP server, perform the following steps:
Step1 Right-click the user.
The Properties dialog box appears.
Step2 Click the Dial-in tab, then click the Allow Access radio button (FigureC-9).
FigureC-9 AD/LDAP User1 - Allow Access
16 Clientless SSL
32 SSL client—AnyConnect or SSL VPN client
64 IPsec (IKEv2)
1. IPsec and L2TP over IPsec are not supported simultaneously. Therefore, the values
4 and 8 are mutually exclusive.
2. See note 1.
TableC-6 Bitmap Values for Cisco Tunneling-Protocol Attribute (continued)
Value Tunneling Protocol