Example 3: Ldap Authentication And Ldap Authorization With Microsoft Active Directory - Cisco PIX 500 Series Configuration Manual

Configuring an External LDAP Server
Step 3
Configure the name of the LDAP attribute map as shown in the following example command:
hostname(config-aaa-server-host)# ldap-attribute-map ActiveDirectoryMapTable
hostname(config-aaa-server-host)#
Step 4
Specify a secure LDAP connection as follows:
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#
Step 5
Create an external group policy that associates the group-name with the RADIUS server. In this example, the user is assigned to the group Engineering as shown in the following example command:
hostname(config-aaa-server-host)# group-policy Engineering external server-group radius-group password anypassword
hostname(config-aaa-server-host)#
Step 6
Create a tunnel group that specifies LDAP authentication as shown in the following example commands:
hostname(config)# tunnel-group ipsec-tunnelgroup type ipsec-ra
hostname(config)# tunnel-group ipsec-tunnelgroup general-attributes
hostname(config-tunnel-general)# authentication-server-group ldap-authenticate-grp
hostname(config-tunnel-general)#
Note: The configuration for radius-group is not shown in this example.

Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory

This example presents the procedure for configuring both authentication and authorization using LDAP
and Microsoft Active Directory. In the Microsoft user record, the department attribute is interpreted as
the group-name for the user. The authorization attributes for this group-name are retrieved from the
Active Directory server.
The department attribute is configured under the Organization tab in the Active Directory Users and
Computers dialog box as shown in Figure E-5.

Cisco Security Appliance Command Line Configuration Guide
Appendix E: Configuring an External Server for Authorization and Authentication
E-22
OL-12172-03
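The attribute map named in Step 3 and the "department attribute is interpreted as the group-name" behaviour described above are easier to reason about with a model of what the appliance does with a returned AD record. The following is an added Python example, not Cisco code and not part of this guide: it parses a constructed attribute map written in the ASA `ldap attribute-map` syntax (the `map-name` and `map-value` entries and the `IETF-Radius-Class` attribute are ASA features that this page does not itself show), applies it to constructed AD user records, and returns the group-policy name the appliance would authorize against, including the case of a user with no department set.

```python
"""Added example (not Cisco's code): a model of how an ASA/PIX `ldap attribute-map`
turns an Active Directory user's `department` attribute into the group-policy
name the appliance authorizes against. The map text and AD records are constructed."""
from dataclasses import dataclass, field
import shlex

# Cisco attribute whose value selects the group policy on this generation of the
# software (assumption: the page names only the map, not its entries).
GROUP_POLICY_ATTR = "IETF-Radius-Class"

# Constructed map in ASA `ldap attribute-map` syntax. `map-name` renames an LDAP
# attribute to a Cisco attribute; `map-value` translates one LDAP value.
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map ActiveDirectoryMapTable
  map-name department IETF-Radius-Class
  map-value department "Finance and Accounting" Finance-VPN
"""

# Constructed AD user records (only the attributes that matter here).
AD_USERS = {
    "alice": {"sAMAccountName": "alice", "department": "Engineering"},
    "bob":   {"sAMAccountName": "bob",   "department": "Finance and Accounting"},
    "carol": {"sAMAccountName": "carol"},   # no department set under the Organization tab
}


@dataclass
class LdapAttributeMap:
    name: str
    names: dict = field(default_factory=dict)    # ldap attr -> cisco attr
    values: dict = field(default_factory=dict)   # (ldap attr, ldap value) -> cisco value

    def apply(self, record: dict) -> dict:
        """Return the Cisco attributes the appliance would derive from one record.
        AD attributes without a map-name entry are ignored; a value with no
        map-value entry passes through unchanged."""
        mapped = {}
        for ldap_attr, value in record.items():
            cisco_attr = self.names.get(ldap_attr)
            if cisco_attr is None:
                continue
            mapped[cisco_attr] = self.values.get((ldap_attr, value), value)
        return mapped


def parse_attribute_map(config: str) -> LdapAttributeMap:
    """Parse the constructed map text into an LdapAttributeMap."""
    amap = None
    for raw in config.splitlines():
        tokens = shlex.split(raw)   # honours quoted values containing spaces
        if not tokens:
            continue
        if tokens[:2] == ["ldap", "attribute-map"]:
            amap = LdapAttributeMap(name=tokens[2])
        elif tokens[0] == "map-name" and amap is not None:
            amap.names[tokens[1]] = tokens[2]
        elif tokens[0] == "map-value" and amap is not None:
            amap.values[(tokens[1], tokens[2])] = tokens[3]
        else:
            raise ValueError(f"unrecognised attribute-map line: {raw!r}")
    if amap is None:
        raise ValueError("no 'ldap attribute-map' header found")
    return amap


def resolve_group_policy(record: dict, amap: LdapAttributeMap):
    """Group-policy name for a user, or None when the record yields no
    authorization attribute (the appliance would then fall back to the
    tunnel group's default group policy rather than the intended one)."""
    return amap.apply(record).get(GROUP_POLICY_ATTR)


MAP = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)

if __name__ == "__main__":
    for user, record in AD_USERS.items():
        print(f"{user}: group-policy {resolve_group_policy(record, MAP)}")
```

The point to check in a real deployment is the `carol` case: a user whose department is unset or misspelled in AD does not fail authorization, she silently lands in whatever default group policy the tunnel group applies, so that default should be the most restrictive policy, and `ldap-over-ssl enable` (Step 4) keeps the department value from being read or altered on the wire.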
