Cisco ASA 5505 User Manual

35-19

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Configuring AAA

To map LDAP features correctly, perform the following steps:

Detailed Steps

Examples

The following example shows how to limit management sessions to the ASA based on an LDAP attribute
called accessType. The accessType attribute has three possible values:

•

VPN

•

admin

•

helpdesk

The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type
attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6)
Administrative, and nas-prompt (Service-Type 7) NAS Prompt:

hostname(config)# ldap attribute-map MGMT

hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type

hostname(config-ldap-attribute-map)# map-value accessType VPN 5

hostname(config-ldap-attribute-map)# map-value accessType admin 6

Command

Purpose

Step 1

ldap attribute-map

map-name

Example:

hostname(config)# ldap attribute-map

att_map_1

Creates an unpopulated LDAP attribute map table.

Step 2

map-name

user-attribute-name

Cisco-attribute-name

Example:

hostname(config-ldap-attribute-map)#

map-name department IETF-Radius-Class

Maps the user-defined attribute name department to the Cisco
attribute.

Step 3

map-value

user-attribute-name

Cisco-attribute-name

Example:

hostname(config-ldap-attribute-map)#

map-value department Engineering group1

Maps the user-defined map value department to the user-defined
attribute value and the Cisco attribute value.

Step 4

aaa-server

server_group [interface_name]

host

server_ip

Example:

hostname(config)# aaa-server ldap_dir_1

host 10.1.1.4

Identifies the server and the AAA server group to which it
belongs.

Step 5

ldap-attribute-map

map-name

Example:

hostname(config-aaa-server-host)#

ldap-attribute-map att_map_1

Binds the attribute map to the LDAP server.