Cisco ASA 5505 Configuration Manual page 1440

Chapter 65 Configuring Dynamic Access Policies
Understanding VPN Access Policies

Add AAA Attribute Dialog Box

Figure 65-4

To configure AAA attributes as selection criteria for DAP records, in the Add/Edit AAA Attributes dialog box, set the Cisco, LDAP, or RADIUS attributes that you want to use. You can set these attributes either to = or != the value you enter. There is no limit for the number of AAA attributes for each DAP record. For detailed information about AAA attributes, see AAA Attribute Definitions.

Fields

AAA Attributes Type—Use the drop-down list to select Cisco, LDAP or RADIUS attributes:

Cisco—Refers to user authorization attributes that are stored in the AAA hierarchical model. You can specify a small subset of these attributes for the AAA selection attributes in the DAP record. These include:

Group Policy—The group policy name associated with the VPN user session. Can be set locally on the security appliance or sent from a RADIUS/LDAP server as the IETF-Class (25) attribute. Maximum 64 characters.

IP Address—The assigned IP address for full tunnel VPN clients (IPsec, L2TP/IPsec, SSL VPN AnyConnect). Does not apply to Clientless SSL VPN, since there is no address assignment for clientless sessions.

Connection Profile—The connection or tunnel group name. Maximum 64 characters.

Username—The username of the authenticated user. Maximum 64 characters. Applies if you are using Local, RADIUS, LDAP authentication/authorization or any other authentication type (for example, RSA/SDI, NT Domain, etc.).

LDAP—The LDAP client (security appliance) stores all native LDAP response attribute value pairs in a database associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them. Once an attribute with a given name has been written, it discards all subsequent attributes with that name. This scenario might occur when a user record and a group record are both read from the LDAP server. The user record attributes are read first, and always have priority over group record attributes.

To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute, and in the response attribute database as the LDAP memberOf attribute. If there are additional memberOf

=/!=—Equal to/Not equal to.

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
65-16
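The attribute handling described above (first-received attribute wins, memberOf reduced to the first CN of the group DN, and = / != matching of a DAP record's AAA criteria), as an added example that is not Cisco's code and not taken from the manual. The sample LDAP response and the Cisco attribute values are constructed; the treatment of additional memberOf values as a list of group names is an assumption, since the page text is cut off at that point.

```python
"""Model of ASA DAP AAA selection criteria: LDAP attribute normalisation
and = / != matching.  Added example, not Cisco's implementation."""
import re
from typing import Optional

def first_cn(dn: str) -> Optional[str]:
    """Return the first CN value of a DN, e.g. 'VPN-Admins' for
    'CN=VPN-Admins,OU=Groups,DC=example,DC=com'; None if no CN is present."""
    for part in re.split(r'(?<!\\),', dn):      # split only on unescaped commas
        key, _, value = part.strip().partition('=')
        if key.strip().lower() == 'cn':
            return value.strip()
    return None

def build_aaa_session(ldap_response):
    """Build the per-session attribute database from (name, value) pairs in
    the order received.  User-record pairs arrive first and win: a later pair
    whose name is already stored is discarded.  memberOf is special-cased:
    the group name (first CN) is extracted, and every memberOf value is kept
    as a list (assumption, the page text is truncated here)."""
    session = {}
    for name, value in ldap_response:
        if name == 'memberOf':
            group = first_cn(value)
            if group is not None:
                session.setdefault('memberOf', []).append(group)
        elif name not in session:
            session[name] = value
    return session

def dap_matches(criteria, session):
    """criteria: list of (attribute, op, value) with op '=' or '!='.
    Every criterion must hold for the DAP record to match."""
    for attr, op, expected in criteria:
        actual = session.get(attr)
        values = actual if isinstance(actual, list) else [actual]
        present = expected in values
        if (op == '=' and not present) or (op == '!=' and present):
            return False
    return True

# Constructed sample: user-record attributes first, then group-record ones.
SAMPLE_LDAP_RESPONSE = [
    ('memberOf', 'CN=VPN-Admins,OU=Groups,DC=example,DC=com'),
    ('department', 'Security'),
    ('memberOf', 'CN=Contractors,OU=Groups,DC=example,DC=com'),
    ('department', 'Engineering'),   # duplicate name: discarded, user record wins
]
# Constructed Cisco attributes, keyed by the field names used on this page.
SAMPLE_CISCO_ATTRS = {'Group Policy': 'RemoteAccess-GP', 'Username': 'alice'}
```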