Appendix E: Configuring an External Server for Authorization and Authentication - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Supported on PIX, VPN 3000, and the security appliance. The RADIUS server retrieves/searches the username and enforces any defined attributes.

Local Authentication
Supported on PIX, VPN 3000, and the security appliance. The Local/Internal server retrieves/searches the username and enforces any defined attributes as part of the authorization function.

Local Authorization
Supported on PIX 7.1.x and the security appliance only. The Local/Internal server retrieves/searches the username and enforces any defined attributes.

Understanding Policy Enforcement of Permissions and Attributes

You can configure the security appliance to receive user attributes from either the LOCAL/internal database, a RADIUS/LDAP authentication server, or a RADIUS/LDAP authorization server. You can also place users into group policies with different attributes, but the user attributes always take precedence. After the device authenticates the user and group(s), the security appliance combines the user and group attribute sets into one aggregate attribute set. The security appliance uses the attributes in the following order and applies the aggregate attribute set to the authenticated user.

1. User attributes—The server returns these after successful user authentication or authorization. These take precedence over all others.

2. Group policy attributes—These attributes come from the group policy associated with the user. You identify the user's group policy name in the local database by the 'vpn-group-policy' attribute, or from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format 'OU=GroupName;'. The group policy provides any attributes that are missing from the user attributes. User attributes override group policy attributes if both have a value.

3. Tunnel group default-group-policy attributes—These attributes come from the default-group-policy (Base group) associated with the tunnel group. After a lookup of that group policy, the tunnel group's default-group-policy provides any attributes that are missing from the user or group policy attributes. User attributes override group policy attributes if both have a value.

4. System default attributes—System default attributes provide any attributes that are missing from the user, group, or tunnel group attributes.

Configuring an External LDAP Server

This section describes the structure, schema, and attributes of an LDAP server. It includes the following topics:

Reviewing the LDAP Directory Structure and Configuration Procedure
Organizing the Security Appliance LDAP Schema
Defining the Security Appliance LDAP Schema

Note: For more information on the LDAP protocol, see RFCs 1777, 2251, and 2849.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Appendix E, page E-2
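As an added illustration of the precedence order described under "Understanding Policy Enforcement of Permissions and Attributes" above (example code written for this page, not Cisco's implementation), the following Python models how the four attribute sets combine into one aggregate set, recording which layer supplied each value, and how a group-policy name is read from a RADIUS CLASS attribute in the 'OU=GroupName;' format. The attribute names and values are constructed sample data; the names follow ASA group-policy command names but the values are arbitrary.

```python
from typing import Dict, Optional, Tuple


def group_policy_from_class(class_attr: str) -> Optional[str]:
    """Extract the group-policy name from a RADIUS CLASS (attribute 25) value.

    The appliance expects 'OU=GroupName;'. Returns None when no OU= component
    is present, in which case the tunnel group's default group policy applies.
    """
    for part in class_attr.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "OU" and value.strip():
            return value.strip()
    return None


def aggregate_attributes(user: Dict[str, object], group_policy: Dict[str, object],
                         tunnel_default: Dict[str, object],
                         system_default: Dict[str, object]) -> Dict[str, Tuple[object, str]]:
    """Merge the four attribute sets in the appendix's precedence order.

    Lower-precedence layers are applied first so higher ones overwrite them. The
    result maps attribute name -> (value, layer that supplied it), which is what
    you want when troubleshooting why a user received a particular setting.
    """
    layers = [("system-default", system_default),
              ("tunnel-group-default-group-policy", tunnel_default),
              ("group-policy", group_policy),
              ("user", user)]
    merged: Dict[str, Tuple[object, str]] = {}
    for source, attrs in layers:
        for name, value in attrs.items():
            if value is not None:  # an unset attribute never overrides a lower layer
                merged[name] = (value, source)
    return merged


# Constructed sample data (not from the manual).
SYSTEM_DEFAULT = {"vpn-idle-timeout": 30, "vpn-simultaneous-logins": 3, "banner": None}
TUNNEL_DEFAULT = {"banner": "Corporate VPN"}
GROUP_POLICY = {"vpn-idle-timeout": 15, "vpn-filter": "ENG_ACL"}
USER = {"vpn-simultaneous-logins": 1}


def example() -> Dict[str, Tuple[object, str]]:
    """Aggregate set for a user whose CLASS attribute selected GROUP_POLICY."""
    return aggregate_attributes(USER, GROUP_POLICY, TUNNEL_DEFAULT, SYSTEM_DEFAULT)


if __name__ == "__main__":
    print("group policy:", group_policy_from_class("OU=Engineering;"))
    for name, (value, source) in sorted(example().items()):
        print(f"{name:24} = {value!r:16} (from {source})")
```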