Cisco ASA Series Cli Configuration Manual page 2148

Configuring an External LDAP Server
Note
Step 3
Create an attribute map to allow both an IPsec and AnyConnect connection, but deny a clientless SSL
connection.
The following example shows how to create the map tunneling_protocols, and map the AD attribute
msNPAllowDialin used by the Allow Access setting to the Cisco attribute Tunneling-Protocols using the
map-name command, and add map values with the map-value command:
hostname(config)# ldap attribute-map tunneling_protocols
hostname(config-ldap-attribute-map)# map-name msNPAllowDialin Tunneling-Protocols
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE 48
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 4
Step 4
Associate the LDAP attribute map to the AAA server.
The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA
server group MS_LDAP, and associates the attribute map tunneling_protocols that you created in Step 2:
hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map tunneling_protocols
Step 5
Verify that the attribute map works as configured.
Step 6
Try connections using clientless SSL, the AnyConnect client, and the IPsec client. The clientless and
AnyConnect connections should fail, and the user should be informed that an unauthorized connection
mechanism was the reason for the failed connection. The IPsec client should connect because IPsec is
an allowed tunneling protocol according to the attribute map (see
Figure 1-10
Cisco ASA Series CLI Configuration Guide
1-24
Appendix 1
If you select the Control access through the Remote Access Policy option, then a value is not
returned from the server, and the permissions that are enforced are based on the internal group
policy settings of the ASA.
Login Denied Message for Clientless User
Configuring an External Server for Authorization and Authentication
Figure 1-10 and Figure 1-11).