C-24
Cisco ASA 5500 Series Configuration Guide using the CLI
AppendixC Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Note If you select the Control access through the Remote Access Policy option, then a value is not
returned from the server, and the permissions that are enforced are based on the internal group
policy settings of the ASA.
Step3 Create an attribute map to allow both an IPsec and AnyConnect connection, but deny a clientless SSL
connection.
The following example shows how to create the map tunneling_protocols, and map the AD attribute
msNPAllowDialin used by the Allow Access setting to the Cisco attribute Tunneling-Protocols using the
map-name command, and add map values with the map-value command:
hostname(config)# ldap attribute-map tunneling_protocols
hostname(config-ldap-attribute-map)# map-name msNPAllowDialin Tunneling-Protocols
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE 48
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 4
Step4 Associate the LDAP attribute map to the AAA server.
The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA
server group MS_LDAP, and associates the attribute map tunneling_protocols that you created in Step 2:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map tunneling_protocols
Step5 Verify that the attribute map works as configured.
Step6 Try connections using clientless SSL, the AnyConnect client, and the IPsec client. The clientless and
AnyConnect connections should fail, and the user should be informed that an unauthorized connection
mechanism was the reason for the failed connection. The IPsec client should connect because IPsec is
an allowed tunneling protocol according to the attribute map (see FigureC-10 and Figure C-11).
FigureC-10 Login Denied Message for Clientless User