Cisco ASA 5525-X Adaptive Security Appliance Technical Manual

The information in this document is based on the PIX/ASA 8.0.
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
In this example, the AD/LDAP attribute memberOf is mapped to the ASA attribute CVPN3000-Radius-IETF-Class. The class attribute is used in order to assign group policies on the ASA. This is the general process that the ASA completes when it authenticates users with LDAP:
1. The user initiates a connection to the ASA.
2. The ASA is configured to authenticate that user with the Microsoft AD/LDAP server.
3. The ASA binds to the LDAP server with the credentials configured on the ASA (admin in this case) and looks up the provided username.
4. If the username is found, the ASA attempts to bind to the LDAP server with the credentials that the user provides at login.
5. If the second bind is successful, the ASA processes the user's attributes, which include memberOf.
6. The memberOf attribute is mapped to CVPN3000-Radius-IETF-Class by the configured LDAP attribute map. The value that indicates membership in the Employees group is mapped to ExamplePolicy1. The value that indicates membership in the Contractors group is mapped to ExamplePolicy2.
7. The newly assigned CVPN3000-Radius-IETF-Class attribute is examined and a group policy determination is made. The ExamplePolicy1 value causes the ExamplePolicy1 group policy to be assigned to the user. The ExamplePolicy2 value causes the ExamplePolicy2 group policy to be assigned to the user.
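The bind, search, bind and map sequence above, as an added example that is not Cisco's code: a Python simulation in which a constructed in-memory dictionary stands in for Active Directory and two stub functions stand in for the real LDAP bind and search operations. The map name ExampleMap, the DNs, the user entries, and the fallback to DfltGrpPolicy for a user who is in no mapped group are all assumptions made for the example. It also makes explicit two points the list leaves open: memberOf is multi-valued, so the example walks the map-values in configured order and takes the first hit, and an empty password is refused before the user bind, because an LDAP simple bind with an empty password is an unauthenticated bind that many servers "succeed" as anonymous.

```python
"""Simulation of the ASA LDAP authentication and attribute-map flow.

Constructed example, not Cisco code. DIRECTORY stands in for AD; ldap_bind and
ldap_search stand in for the real LDAP operations the ASA performs.
"""
from dataclasses import dataclass, field

# Constructed directory data. Passwords are plaintext only because this is a mock.
DIRECTORY = {
    "cn=admin,cn=Users,dc=example,dc=com": {
        "password": "adminpw", "sAMAccountName": "admin", "memberOf": []},
    "cn=Alice,cn=Users,dc=example,dc=com": {
        "password": "alicepw", "sAMAccountName": "alice",
        "memberOf": ["CN=Employees,OU=Groups,DC=example,DC=com"]},
    "cn=Bob,cn=Users,dc=example,dc=com": {
        "password": "bobpw", "sAMAccountName": "bob",
        "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=com"]},
    "cn=Carol,cn=Users,dc=example,dc=com": {
        "password": "carolpw", "sAMAccountName": "carol",
        "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},  # no mapped group
}

# Credentials the ASA itself binds with (the "admin" of step 3); assumed values.
LOGIN_DN = "cn=admin,cn=Users,dc=example,dc=com"
LOGIN_PASSWORD = "adminpw"

# Assumed fallback when no map-value matches; keep it restrictive in practice.
DEFAULT_GROUP_POLICY = "DfltGrpPolicy"


@dataclass
class LdapAttributeMap:
    """Mirror of an ASA 'ldap attribute-map': one map-name plus ordered map-values."""
    name: str
    map_name: tuple                                   # (ldap_attribute, cisco_attribute)
    map_values: list = field(default_factory=list)    # [(ldap_value, cisco_value)] in config order

    def to_cli(self):
        """Render the equivalent ASA CLI lines (example rendering, standard syntax)."""
        ldap_attr, cisco_attr = self.map_name
        lines = [f"ldap attribute-map {self.name}", f"  map-name {ldap_attr} {cisco_attr}"]
        lines += [f'  map-value {ldap_attr} "{v}" {c}' for v, c in self.map_values]
        return "\n".join(lines)


ATTRIBUTE_MAP = LdapAttributeMap(
    name="ExampleMap",
    map_name=("memberOf", "IETF-Radius-Class"),
    map_values=[
        ("CN=Employees,OU=Groups,DC=example,DC=com", "ExamplePolicy1"),
        ("CN=Contractors,OU=Groups,DC=example,DC=com", "ExamplePolicy2"),
    ],
)


def ldap_bind(dn, password):
    """Simple bind. An empty password is an unauthenticated bind (RFC 4513 5.1.2),
    which many servers accept as anonymous; a client must refuse it outright
    rather than treat that 'success' as proof of the user's identity."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def ldap_search(naming_attribute, username):
    """Resolve the login name to exactly one DN via the naming attribute (step 3)."""
    matches = [dn for dn, e in DIRECTORY.items() if e.get(naming_attribute) == username]
    return matches[0] if len(matches) == 1 else None


def apply_attribute_map(attrs, amap):
    """Steps 6: turn the (multi-valued) LDAP attribute into the Cisco attribute.
    The first map-value in configured order that the user carries wins, so the
    result does not depend on the order in which the directory returns memberOf."""
    ldap_attr, cisco_attr = amap.map_name
    values = attrs.get(ldap_attr, [])
    for ldap_value, cisco_value in amap.map_values:
        if any(v.lower() == ldap_value.lower() for v in values):  # DNs compare case-insensitively
            return {cisco_attr: cisco_value}
    return {}


def authenticate(username, password, amap=ATTRIBUTE_MAP):
    """Steps 3 to 7: admin bind and search, user bind, attribute map, policy choice."""
    if not ldap_bind(LOGIN_DN, LOGIN_PASSWORD):
        return {"ok": False, "reason": "login-dn bind failed"}
    user_dn = ldap_search("sAMAccountName", username)
    if user_dn is None:
        return {"ok": False, "reason": "user not found"}
    if not ldap_bind(user_dn, password):
        return {"ok": False, "reason": "bad credentials"}
    mapped = apply_attribute_map(DIRECTORY[user_dn], amap)
    policy = mapped.get("IETF-Radius-Class", DEFAULT_GROUP_POLICY)
    return {"ok": True, "dn": user_dn, "mapped": mapped, "group_policy": policy}


if __name__ == "__main__":
    print(ATTRIBUTE_MAP.to_cli())
    for user, pw in (("alice", "alicepw"), ("bob", "bobpw"), ("carol", "carolpw"), ("alice", "")):
        print(user, authenticate(user, pw))
```

Running the module prints the CLI form of the map and the decision for each constructed user: alice lands in ExamplePolicy1, bob in ExamplePolicy2, carol (in no mapped group) in the assumed default policy, and the empty-password attempt is rejected as bad credentials even though her DN was found.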
Configure
Configure the ASA
In this section, you are presented with the information to configure the ASA to assign a group
policy to users based on their LDAP attributes.
ASDM
Complete these steps in the Adaptive Security Device Manager (ASDM) in order to configure the
LDAP map on the ASA.
1. Navigate to Configuration > Remote Access VPN > AAA Setup > LDAP Attribute Map.
2. Click Add.
3. Name the map.
4. Create a mapping between an LDAP attribute and the IETF-Radius-Class attribute on the ASA. In this example, the Customer Name is the memberOf attribute in Active Directory. It is mapped to the Cisco Name of IETF-Radius-Class. Click Add. Note: Attribute names and