Cisco ASA 5505 User Manual

Page 1921

C-23

Cisco ASA 5500 Series Configuration Guide using the CLI

Appendix C Configuring an External Server for Authorization and Authentication

Configuring an External LDAP Server

Use this attribute to create an Allow Access (TRUE) or a Deny Access (FALSE) condition for the
protocols and enforce the method for which the user is allowed access.

For this simplified example, by mapping the tunnel protocol IPsec/IKEv1 (4), you can create an allow
(true) condition for the Cisco VPN client. You also map WebVPN (16) and SVC/AC (32), which are
mapped as a value of 48 (16+32) and create a deny (false) condition. This allows the user to connect to
the ASA using IPsec, but any attempt to connect using clientless SSL or the AnyConnect client is denied.

Another example of enforcing dial-in allow access or deny access is available in the Tech Note ASA/PIX:
Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example at the following
URL:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.sht
ml

To configure the user attributes on the AD/LDAP server, perform the following steps:

Step 1

Right-click the user.

The Properties dialog box appears.

Step 2

Click the Dial-in tab, then click the Allow Access radio button (

Figure C-9

Figure C-9

AD/LDAP User1 - Allow Access

Clientless SSL

SSL client—AnyConnect or SSL VPN client

IPsec (IKEv2)

IPsec and L2TP over IPsec are not supported simultaneously. Therefore, the values
4 and 8 are mutually exclusive.

See note 1.

Table C-6

Bitmap Values for Cisco Tunneling-Protocol Attribute (continued)

Value

Tunneling Protocol

This manual is related to the following products:

ASA 5585-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5515-X ASA 5512-X ASA 5580 ASA 5550 ASA 5540 ASA 5520 ASA 5510 ASA 5500 Series