Cisco Systems ASA5515K9, ASA 5500 Using RADIUS Authentication, Using LDAP Authentication

35-29

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter35 Configuring AAA Servers and the Local Database

Configuring AAA

Where mysecret123 is the stored password and 15 is the assigned privilege level, which indicates an

admin user.

The available configuration options for the service-type attribute include the following:

•admin, in which users are allowed access to the configuration mode. This option also allows a user

to connect via remote access.

•nas-prompt, in which users are allowed access to the EXEC mode.

•remote-access, in which users are allowed access to the network.

The following example designates a service-type of admin for a user named admin:

hostname(config)# username admin attributes

hostname(config-username)# service-type admin

The following example designates a service-type of remote-access for a user named ra-user:

hostname(config)# username ra-user attributes

hostname(config-username)# service-type remote-access

Using RADIUS Authentication

The RADIUS IETF service-type attribute, when sent in an access-accept message as the result of a

RADIUS authentication and authorization request, is used to designate which type of service is granted

to the authenticated user. The supported attribute values are the following: administrative(6),

nas-prompt(7), Framed(2), and Login(1). For a list of supported RADIUS IETF VSAs used for

authentication and authorization, see TableC-8 on page C-36.

For more information about using RADIUS authentication, see “Configuring an External RADIUS

Server” section on page C-27. For more information about configuring RADIUS authentication for

Cisco Secure ACS, see the Cisco Secure ACS documentation on Cisco.com.

The RADIUS Cisco VSA privilege-level attribute (Vendor ID 3076, sub-ID 220), when sent in an

access-accept message, is used to designate the level of privilege for the user. For a list of supported

RADIUS VSAs used for authorization, see TableC-7 on page C -28.

Using LDAP Authentication

When users are authenticated through LDAP, the native LDAP attributes and their values can be mapped

to Cisco ASA attributes to provide specific authorization features. For the supported list of LDAP VSAs

used for authorization, see TableC-2 on page C-6.

You can use the LDAP attribute mapping feature for LDAP authorization. For examples of this feature,

see the “Understanding Policy Enforcement of Permissions and Attributes” section on pageC-1.

The following example shows how to define an LDAP attribute map. In this example, the security policy

specifies that users being authenticated through LDAP map the user record fields or parameters title and

company to the IETF-RADIUS service-type and privilege-level, respectively.

To define an LDAP attribute map, enter the following commands:

hostname(config)# ldap attribute-map admin-control

hostname(config-ldap-attribute-map)# map-name title IETF-RADIUS-Service-Type

hostname(config-ldap-attribute-map)# map-name company Privilege-Level

The following is sample output from the ldap-attribute-map command:

ldap attribute-map admin-control