35-18
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
Configuring LDAP Attribute Maps
The ASA can use an LDAP directory for authenticating VPN remote access users or firewall network
access/cut-thru-proxy sessions and/or for setting policy permissions (also called authorization
attributes), such as ACLs, bookmark lists, DNS or WINS settings, session timers, and so on. That is, you
can set the key attributes that exist in a local group policy externally through an LDAP server.
The authorization process is accomplished by means of LDAP attribute maps (similar to a RADIUS
dictionary that defines vendor-specific attributes), which translate the native LDAP user attributes to
Cisco ASA attribute names. You can then bind these attribute maps to LDAP servers or remove them, as
needed. You can also show or clear attribute maps.
Guidelines
The ldap-attribute-map has a limitation with multi-valued attributes. For example, if a user is a
memberOf of several AD groups and the ldap attribute map matches on more than one of them, the
mapped value is chosen based on the alphabetization of the matched entries.
To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and
values, as well as the user-defined attribute names and values. For more information about LDAP
attribute maps, see the “Active Directory/LDAP VPN Remote Access Authorization Examples” section
on page C-16.
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes that they
would commonly be mapped to include the following:
IETF-Radius-Class (Group_Policy in ASA version 8.2 and later)—Sets the group policy based on
the directory’s department or user group (for example, Microsoft Active Directory memberOf)
attribute value. The group-policy attribute replaced the IETF-Radius-Class attribute with ASDM
version 6.2/ASA version 8.2 or later.
IETF-Radius-Filter-Id—An access control list or ACL applied to VPN clients, IPsec, and SSL.
IETF-Radius-Framed-IP-Address—Assigns a static IP address assigned to a VPN remote access
client, IPsec, and SSL.
Banner1—Displays a text banner when the VPN remote access user logs in.
Tunneling-Protocols—Allows or denies the VPN remote access session based on the access type.
Note A single ldapattribute map may contain one or many attributes. You can only assign one ldap
attribute to a specific LDAP server.