Cisco ASA 5505 Configuration Manual page 1757

Appendix B      Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server

Enforcing Dial-in Allow or Deny Access

In this case, we create an LDAP attribute map that specifies the tunneling protocols allowed by the user. We map the Allow Access and Deny Access settings on the Dialin tab to the Cisco attribute Tunneling-Protocols. The Cisco Tunneling-Protocols attribute supports the bitmap values shown in Table B-6.

Table B-6    Bitmap Values for Cisco Tunneling-Protocol Attribute

Value     Tunneling Protocol
1         PPTP
2         L2TP
4 (1)     IPSec
8 (2)     L2TP/IPSEC
16        clientless SSL
32        SSL Client—AnyConnect or legacy SSL VPN client

1. IPSec and L2TP over IPSec are not supported simultaneously. Therefore, the values 4 and 8 are mutually exclusive.
2. See note 1.

Using this attribute, we create an Allow Access (TRUE) or a Deny Access (FALSE) condition for the protocols and enforce which method the user is allowed to access with.

For this simplified example, by mapping the tunnel protocol IPSec (4), we create an allow (TRUE) condition for the IPSec client. We also map WebVPN (16) and SVC/AC (32), which together are mapped as the value 48 (16+32), and create a deny (FALSE) condition. This allows the user to connect to the adaptive security appliance using IPSec, but any attempt to connect using clientless SSL or the AnyConnect client is denied.

Another example of enforcing Dial-in Allow Access or Deny Access can be found in the Tech Note ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example, at this URL:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Cisco ASA 5500 Series Configuration Guide using ASDM    OL-20339-01    B-25
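The following is an added Python example, not code from the Cisco manual, that models the Tunneling-Protocols bitmap of Table B-6 and the Allow/Deny mapping described above. The class and function names (TunnelingProtocol, validate_bitmap, decode, dialin_to_tunneling_protocols, is_permitted) and the mapping Allow -> 4, Deny -> 48 are constructed for illustration; the "bit set means permitted" check is an assumption that reproduces the outcome the text describes (IPSec allowed, clientless SSL and AnyConnect denied for a user assigned the value 4). It also enforces footnote 1 of the table, which the prose alone does not show in action.

```python
from enum import IntFlag
from typing import List

# Added example; models Table B-6, not the appliance's own implementation.


class TunnelingProtocol(IntFlag):
    """Bit values of the Cisco Tunneling-Protocols attribute (Table B-6)."""
    PPTP = 1
    L2TP = 2
    IPSEC = 4
    L2TP_IPSEC = 8
    CLIENTLESS_SSL = 16
    SSL_CLIENT = 32  # AnyConnect or legacy SSL VPN client


# Largest value the table defines: every bit set, 1+2+4+8+16+32 = 63.
MAX_BITMAP = sum(int(p) for p in TunnelingProtocol)


def validate_bitmap(value: int) -> TunnelingProtocol:
    """Reject undefined bits and the mutually exclusive 4+8 combination (note 1)."""
    if value < 0 or value > MAX_BITMAP:
        raise ValueError(f"{value} contains bits not defined in Table B-6")
    flags = TunnelingProtocol(value)
    if TunnelingProtocol.IPSEC in flags and TunnelingProtocol.L2TP_IPSEC in flags:
        raise ValueError("IPSec (4) and L2TP/IPSec (8) are mutually exclusive")
    return flags


def decode(value: int) -> List[str]:
    """Name every protocol whose bit is set, e.g. 48 -> clientless SSL + SSL client."""
    flags = validate_bitmap(value)
    return [p.name for p in TunnelingProtocol if p in flags]


# Constructed mapping for the example in the text (hypothetical attribute-map
# contents): Dial-in Allow Access (TRUE) -> 4, Deny Access (FALSE) -> 16+32 = 48.
DIALIN_MAP = {
    True: TunnelingProtocol.IPSEC,
    False: TunnelingProtocol.CLIENTLESS_SSL | TunnelingProtocol.SSL_CLIENT,
}


def dialin_to_tunneling_protocols(allow_access: bool) -> int:
    """Translate the Dialin tab setting into the Tunneling-Protocols value."""
    return int(DIALIN_MAP[allow_access])


def is_permitted(assigned: int, attempted: TunnelingProtocol) -> bool:
    """Assumed check: a method is permitted only if its bit is set in the user's value."""
    return attempted in validate_bitmap(assigned)


if __name__ == "__main__":
    user_value = dialin_to_tunneling_protocols(True)  # Allow Access user -> 4
    print("assigned", user_value, decode(user_value))
    for method in (TunnelingProtocol.IPSEC,
                   TunnelingProtocol.CLIENTLESS_SSL,
                   TunnelingProtocol.SSL_CLIENT):
        print(method.name, "permitted" if is_permitted(user_value, method) else "denied")
    print("deny value", dialin_to_tunneling_protocols(False), decode(48))
```

Run as a script it prints the decision for each connection method; validate_bitmap raises ValueError for a value such as 12 (4+8), which the table's footnote forbids, so a misconfigured map-value is caught before it is applied.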
