Cisco ASA 5505 Configuration Manual page 1758

Appendix B   Configuring an External Server for Authorization and Authentication

Configuring an External LDAP Server

Step 1   Configure the user attributes on the AD LDAP server.
Right-click the user. The Properties window displays. Click the Dial-in tab and select Allow Access (Figure B-9).

Figure B-9   AD-LDAP user1 - Allow access

Note   If you select the third option, "Control access through the Remote Access Policy", no value is returned from the server, and the permissions that are enforced are based on the internal group policy settings of the adaptive security appliance.

Step 2   Create an attribute map to allow both an IPSec and AnyConnect connection, but deny a clientless SSL connection.
In this case we create the map tunneling_protocols, map the AD attribute msNPAllowDialin (set by the Allow Access option) to the Cisco attribute Tunneling-Protocols with the map-name command, and add map values with the map-value command. Each map-value line pairs an AD value with the Cisco value the ASA should apply. The Cisco value is a bitmap of tunnel types; check it against the Tunneling-Protocols entry in the attribute table of this appendix to confirm that it covers every protocol you intend to allow, because the bit value 4 on its own denotes IPsec. For example:

hostname(config)# ldap attribute-map tunneling_protocols
hostname(config-ldap-attribute-map)# map-name msNPAllowDialin Tunneling-Protocols
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 4

Step 3   Associate the LDAP attribute map with the AAA server.
The following example enters aaa-server host configuration mode for the host 3.3.3.4 in the AAA server group MS_LDAP and associates the attribute map tunneling_protocols that you created in Step 2:

hostname(config)# aaa-server MS_LDAP host 3.3.3.4
hostname(config-aaa-server-host)# ldap-attribute-map tunneling_protocols

Cisco ASA 5500 Series Configuration Guide using ASDM
B-26
OL-20339-01
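The three steps above describe a translation: the ASA takes the AD attribute the LDAP server returns, renames it via map-name, substitutes the Cisco value via map-value, and falls back to the internal group policy when the server returns nothing (the Note's third radio button). The following script is an added illustration of that translation, not Cisco code and not part of this guide. It parses an attribute map written in the ASA CLI syntax shown in Step 2, applies it to constructed AD entries for three users, and decodes the resulting Tunneling-Protocols bitmap so you can see which tunnel types a value actually permits. The bit values in TUNNEL_BITS, the Cisco values 36 and 1 in the sample map, the sample users and the assumed group policy default are all assumptions made for the demo; confirm the bitmap against the attribute table in this appendix for your release.

```python
"""Simulator for the ASA 'ldap attribute-map' translation described in Steps
1 to 3, including the Note's fallback case. Added illustration, not Cisco code."""
import re
from typing import Dict, List

# Tunneling-Protocols bitmap. Assumed from the ASA external-server attribute
# table for this release family; confirm the bit values against your own guide.
TUNNEL_BITS = {
    1: "PPTP",
    2: "L2TP",
    4: "IPsec",
    8: "L2TP/IPsec",
    16: "Clientless SSL",
    32: "SSL client (AnyConnect)",
}

# Constructed attribute map in ASA CLI syntax. The Cisco values are chosen
# here for the demo: 36 = 4 (IPsec) + 32 (SSL client), so clientless (16) is
# not allowed; 1 = PPTP, which the ASA does not terminate, so a denied user
# ends up with no usable tunnel type.
ATTRIBUTE_MAP_CLI = """\
ldap attribute-map tunneling_protocols
 map-name msNPAllowDialin Tunneling-Protocols
 map-value msNPAllowDialin FALSE 1
 map-value msNPAllowDialin TRUE 36
"""


def parse_attribute_map(cli: str) -> Dict[str, dict]:
    """Parse map-name and map-value lines into lookup tables."""
    names: Dict[str, str] = {}               # AD attribute -> Cisco attribute
    values: Dict[str, Dict[str, str]] = {}   # AD attribute -> {AD value: Cisco value}
    for raw in cli.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"map-name\s+(\S+)\s+(\S+)", line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"map-value\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            values.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {"names": names, "values": values}


def apply_attribute_map(amap: Dict[str, dict], ldap_entry: Dict[str, str]) -> Dict[str, str]:
    """Translate the attributes the LDAP server returned into Cisco attributes.

    Simplified model of the ASA behaviour: only attributes named by map-name
    are translated; an AD value with no map-value entry passes through as is;
    an attribute the server did not return yields nothing at all.
    """
    result: Dict[str, str] = {}
    for ad_attr, ad_value in ldap_entry.items():
        if ad_attr not in amap["names"]:
            continue
        cisco_attr = amap["names"][ad_attr]
        cisco_value = amap["values"].get(ad_attr, {}).get(ad_value, ad_value)
        result[cisco_attr] = cisco_value
    return result


def decode_tunneling_protocols(value: str) -> List[str]:
    """Expand a Tunneling-Protocols bitmap into the tunnel types it allows."""
    bits = int(value)
    return [name for bit, name in sorted(TUNNEL_BITS.items()) if bits & bit]


def effective_tunnels(amap: Dict[str, dict], ldap_entry: Dict[str, str],
                      group_policy_tunnels: List[str]) -> List[str]:
    """Tunnel types the ASA would enforce for one user.

    A mapped Tunneling-Protocols value returned by the server wins; otherwise
    (the 'Control access through the Remote Access Policy' case from the
    Note) the internal group policy setting applies.
    """
    cisco_attrs = apply_attribute_map(amap, ldap_entry)
    if "Tunneling-Protocols" not in cisco_attrs:
        return list(group_policy_tunnels)
    return decode_tunneling_protocols(cisco_attrs["Tunneling-Protocols"])


# Constructed AD entries: Allow Access, Deny Access, and the third radio
# button, which leaves msNPAllowDialin unset.
USERS = {
    "user1": {"msNPAllowDialin": "TRUE", "sAMAccountName": "user1"},
    "user2": {"msNPAllowDialin": "FALSE", "sAMAccountName": "user2"},
    "user3": {"sAMAccountName": "user3"},
}
GROUP_POLICY_DEFAULT = ["Clientless SSL"]   # assumed internal group policy setting


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP_CLI)
    for user, entry in USERS.items():
        print(user, "->", effective_tunnels(amap, entry, GROUP_POLICY_DEFAULT))
    # The value from the Step 2 example decodes to a single tunnel type:
    print("TRUE 4 ->", decode_tunneling_protocols("4"))
```

Running the script shows user1 getting IPsec plus the SSL client, user2 getting only PPTP (effectively nothing), and user3 inheriting the group policy setting because the server returned no msNPAllowDialin value. Decoding the page's own value 4 is the check worth doing before deploying any attribute map: it tells you exactly which tunnel types the number you typed allows.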
