Cisco ASA 5505 Configuration Manual page 1752

Configuring an External LDAP Server
Placing LDAP users in a specific Group-Policy
In this case we authenticate User1 against the AD LDAP server and place the user in a specific group
policy on the adaptive security appliance. On the server, we use the Department field of the
Organization tab to enter the name of the group policy. Then we create an attribute map and map
Department to the Cisco attribute IETF-Radius-Class. During authentication, the adaptive security
appliance retrieves the value of Department from the server, maps the value to IETF-Radius-Class,
and places User1 in the group policy.
This case applies to any connection type, including the IPSec VPN client, AnyConnect SSL VPN client,
or clientless SSL VPN. For the purposes of this case, User1 is connecting through a clientless SSL VPN
connection.
Step 1
Configure the attributes for the user on the AD LDAP Server.
Right-click the user. The Properties window displays (Figure B-5). Click the Organization tab and enter
Group-Policy-1 in the Department field.
Figure B-5 AD LDAP Department attribute
Step 2
Define an attribute map for the LDAP configuration shown in Step 1.
In this case we map the AD attribute Department to the Cisco attribute IETF-Radius-Class. For example:
hostname(config)# ldap attribute-map group_policy
hostname(config-ldap-attribute-map)# map-name Department IETF-Radius-Class
Step 3
Associate the LDAP attribute map to the AAA server.
The following example enters the aaa server host configuration mode for the host 3.3.3.4, in the AAA
server group MS_LDAP, and associates the attribute map group_policy that you created in Step 2:
hostname(config)# aaa-server MS_LDAP host 3.3.3.4
hostname(config-aaa-server-host)# ldap-attribute-map group_policy

Cisco ASA 5500 Series Configuration Guide using ASDM, Appendix B: Configuring an External Server for
Authorization and Authentication (OL-20339-01, page B-20)
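The following is an added example, not part of the Cisco guide: a small offline check that applies the mapping from Steps 1 to 3 to one user's LDAP attributes and reports when the Department value names a group policy the configuration does not define. The `group-policy Group-Policy-1 internal` line in the sample, the function names, the case-insensitive match on the LDAP attribute name, and the exact match on the group policy name are assumptions.

```python
import re

# Constructed sample: the commands from Steps 2 and 3, plus an assumed
# "group-policy ... internal" definition that this page does not show.
SAMPLE_CONFIG = """\
ldap attribute-map group_policy
 map-name Department IETF-Radius-Class
aaa-server MS_LDAP host 3.3.3.4
 ldap-attribute-map group_policy
group-policy Group-Policy-1 internal
"""

def parse_config(text):
    """Return (attribute maps, (group, host) -> map name, defined group policies)."""
    maps, hosts, policies, ctx = {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = None  # a top-level command ends the previous sub-mode
        if m := re.fullmatch(r"ldap attribute-map (\S+)", line):
            ctx = ("map", m.group(1))
            maps.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"aaa-server (\S+) host (\S+)", line):
            ctx = ("host", (m.group(1), m.group(2)))
        elif m := re.fullmatch(r"group-policy (\S+) internal", line):
            policies.add(m.group(1))
        elif ctx and ctx[0] == "map" and (m := re.fullmatch(r"map-name (\S+) (\S+)", line)):
            maps[ctx[1]][m.group(1).lower()] = m.group(2)  # LDAP names: case-insensitive (assumed)
        elif ctx and ctx[0] == "host" and (m := re.fullmatch(r"ldap-attribute-map (\S+)", line)):
            hosts[ctx[1]] = m.group(1)
    return maps, hosts, policies

def resolve_group_policy(config, group, host, ldap_entry):
    """Apply Steps 1-3 to one user's LDAP attributes; return (policy, problem)."""
    maps, hosts, policies = parse_config(config)
    map_name = hosts.get((group, host))
    if map_name is None:
        return None, "no ldap-attribute-map on this aaa-server host"
    if map_name not in maps:
        return None, f"attribute map {map_name!r} is not defined"
    amap = maps[map_name]
    cisco = {amap[k.lower()]: v for k, v in ldap_entry.items() if k.lower() in amap}
    policy = cisco.get("IETF-Radius-Class")
    if policy is None:
        return None, "user has no attribute mapped to IETF-Radius-Class"
    if policy not in policies:  # exact name match (assumed)
        return policy, f"group policy {policy!r} is not defined"
    return policy, None
```

Run it against a saved copy of the running configuration and the attributes returned for a test user to catch a misspelled Department value or a missing attribute-map association before users connect.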
