Understanding Policy Enforcement Of Permissions And Attributes; Configuring An External Ldap Server - Cisco PIX 500 Series Configuration Manual

Supported on PIX, VPN 3000, and the security appliance. The RADIUS server retrieves and searches for the username and enforces any defined attributes.

Local Authentication
Supported on PIX, VPN 3000, and the security appliance. The Local/Internal server retrieves and searches for the username and enforces any defined attributes as part of the authorization function.

Local Authorization
Supported on PIX 7.1.x and the security appliance only. The Local/Internal server retrieves and searches for the username and enforces any defined attributes.

Understanding Policy Enforcement of Permissions and Attributes

You can configure the security appliance to apply user attributes obtained from a RADIUS/LDAP authentication/authorization server, user attributes set in group policies on the security appliance, or both. If the security appliance receives attributes from both sources, the attributes are aggregated and applied to the user policy. If there are conflicts between attributes coming from the server and from a group policy, those attributes obtained from the DAP (dynamic access policy) always take precedence.

The security appliance applies attributes in the following order:

1. Dynamic Access Policy attributes—Take precedence over all others.
2. User attributes—The AAA server returns these after successful user authentication or authorization.
3. Group policy attributes—These attributes come from the group policy associated with the user. You identify the user group policy name in the local database by the vpn-group-policy attribute or from a RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the OU=GroupName. The group policy provides any attributes that are missing from the DAP or user attributes.
4. Connection profile (tunnel group) default-group-policy attributes—These attributes come from the default group policy associated with the connection profile. This group policy provides any attributes that are missing from the DAP, user, or group policy.
5. System default attributes—System default attributes provide any values that are missing from the DAP, user, group policy, or connection profile.

To summarize, the VPN permission policy for user authorization is the aggregate of the DAP access attributes and the group-policy inheritance hierarchy.

Configuring an External LDAP Server

This section describes the structure, schema, and attributes of an LDAP server. It includes the following topics:

Reviewing the LDAP Directory Structure and Configuration Procedure

Note
The cVPN3000 prefix for LDAP attributes applies only to the CVPN 3000 Series and to ASA/PIX 7.0.x. ASA/PIX 7.1.x and later do not use this prefix, as shown in Table E-2.

For more information on the LDAP protocol, see RFCs 1777, 2251, and 2849.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Appendix E: Configuring an External Server for Authorization and Authentication, page E-2
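The five-layer precedence order described above under "Understanding Policy Enforcement of Permissions and Attributes" is easy to get wrong when auditing why a VPN user ended up with a given permission. The following Python is an added illustration written for this page; it is not Cisco's code and does not reproduce the appliance's real attribute names or built-in defaults. It assumes that the RADIUS CLASS (25) value is written as OU=GroupName with an optional trailing semicolon, and that each layer can be modelled as a map of attribute name to value, where an absent key means "not set" so resolution falls through to the next layer. The demo also records which layer supplied each effective attribute, which is the question a defender usually needs answered when a user has more access than expected.

```python
"""Effective-policy resolution for the five attribute layers the manual lists
(DAP > user > group policy > connection-profile default group policy > system
defaults).  Added illustration for this page, not Cisco's implementation;
all attribute names and values below are constructed samples."""

from typing import Dict, Optional, Tuple

# One layer maps attribute name -> value.  A key that is absent means the layer
# does not set that attribute, so resolution falls through to the next layer.
Layer = Dict[str, object]

# Constructed system defaults for the demo (hypothetical values, not the
# appliance's real built-in defaults).
SYSTEM_DEFAULTS: Layer = {
    "vpn-simultaneous-logins": 3,
    "vpn-idle-timeout": 30,
    "vpn-filter": None,        # None models "no filter applied"
    "vpn-access-hours": None,  # None models "no time restriction"
    "banner": "",
}


def group_name_from_class(class_value: str) -> Optional[str]:
    """Extract GroupName from a RADIUS CLASS attribute (25) value written as
    OU=GroupName.  A trailing ';' is tolerated; this exact syntax is an
    assumption based on the page's 'OU=GroupName' wording."""
    value = class_value.strip().rstrip(";").strip()
    if value[:3].upper() == "OU=":
        return value[3:].strip() or None
    return None


def select_group_policy(user_attrs: Layer,
                        group_policies: Dict[str, Layer]) -> Tuple[Optional[str], Layer]:
    """Pick the user's group policy: the local database's vpn-group-policy
    attribute if present, otherwise the CLASS value from RADIUS/LDAP.
    An absent or unknown name yields an empty layer, so the connection
    profile's default group policy supplies those attributes instead."""
    name = user_attrs.get("vpn-group-policy")
    if name is None and "class" in user_attrs:
        name = group_name_from_class(str(user_attrs["class"]))
    if isinstance(name, str) and name in group_policies:
        return name, group_policies[name]
    return None, {}


def resolve_policy(dap: Layer, user_attrs: Layer, group_policies: Dict[str, Layer],
                   tunnel_default: Layer,
                   system_defaults: Layer = SYSTEM_DEFAULTS) -> Tuple[Layer, Dict[str, str]]:
    """Aggregate the layers in precedence order.  The first layer that sets an
    attribute wins any conflict; lower layers only fill attributes still
    missing.  Returns the effective policy plus, for auditing, the layer that
    supplied each attribute."""
    _, group_attrs = select_group_policy(user_attrs, group_policies)
    # vpn-group-policy and class only select a policy; they are not permissions.
    user_perms = {k: v for k, v in user_attrs.items()
                  if k not in ("vpn-group-policy", "class")}
    layers = [
        ("dap", dap),
        ("user", user_perms),
        ("group-policy", group_attrs),
        ("tunnel-group-default", tunnel_default),
        ("system-default", system_defaults),
    ]
    effective: Layer = {}
    source: Dict[str, str] = {}
    for layer_name, attrs in layers:
        for attr, value in attrs.items():
            if attr not in effective:      # highest-precedence setter wins
                effective[attr] = value
                source[attr] = layer_name
    return effective, source


def demo() -> Tuple[Layer, Dict[str, str]]:
    """Constructed scenario: DAP, server-returned user attributes, two group
    policies and a connection-profile default all overlap on some attributes."""
    group_policies = {
        "Engineering": {"vpn-simultaneous-logins": 2, "vpn-filter": "ENG_ACL",
                        "banner": "Engineering VPN"},
        "Sales": {"vpn-simultaneous-logins": 1, "banner": "Sales VPN"},
    }
    dap = {"vpn-simultaneous-logins": 1}                          # conflicts with user/group
    user = {"class": "OU=Engineering;", "vpn-idle-timeout": 15}   # as returned by RADIUS/LDAP
    tunnel_default = {"vpn-idle-timeout": 60, "vpn-session-timeout": 480}
    return resolve_policy(dap, user, group_policies, tunnel_default)


if __name__ == "__main__":
    effective, source = demo()
    for attr in sorted(effective):
        print(f"{attr:26} = {effective[attr]!r:18} (from {source[attr]})")
```

In the demo the DAP's simultaneous-logins limit of 1 overrides both the Engineering group policy's 2 and the system default, the user's idle timeout from the AAA server beats the connection profile's, the session timeout is only set by the connection profile's default group policy, and the access-hours value is left to the system default. When reviewing a real appliance, the same "which layer supplied this?" question is answered with the DAP, group-policy and tunnel-group configuration rather than this model, but the fall-through logic is the one the manual describes.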

Advertisement

Table of Contents
loading

This manual is also suitable for:

Asa 5500 series

Table of Contents