35-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
To map LDAP features correctly, perform the following steps:
Detailed Steps
Examples
The following example shows how to limit management sessions to the ASA based on an LDAP attribute
called accessType. The accessType attribute has three possible values:
VPN
admin
helpdesk
The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type
attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6)
Administrative, and nas-prompt (Service-Type 7) NAS Prompt:
hostname(config)# ldap attribute-map MGMT
hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type
hostname(config-ldap-attribute-map)# map-value accessType VPN 5
hostname(config-ldap-attribute-map)# map-value accessType admin 6
Command Purpose
Step1 ldap attribute-map map-name
Example:
hostname(config)# ldap attribute-map
att_map_1
Creates an unpopulated LDAP attribute map table.
Step2 map-name user-attribute-name
Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)#
map-name department IETF-Radius-Class
Maps the user-defined attribute name department to the Cisco
attribute.
Step3 map-value user-attribute-name
Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)#
map-value department Engineering group1
Maps the user-defined map value department to the user-defined
attribute value and the Cisco attribute value.
Step4 aaa-server server_group [interface_name]
host server_ip
Example:
hostname(config)# aaa-server ldap_dir_1
host 10.1.1.4
Identifies the server and the AAA server group to which it
belongs.
Step5 ldap-attribute-map map-name
Example:
hostname(config-aaa-server-host)#
ldap-attribute-map att_map_1
Binds the attribute map to the LDAP server.