Cisco ASA Series CLI Configuration Manual page 867

Software version 9.0 for the services module

Chapter 1
Configuring AAA Servers and the Local Database
Detailed Steps
Step 1
Command: ldap attribute-map map-name
Example:
hostname(config)# ldap attribute-map att_map_1
Purpose: Creates an unpopulated LDAP attribute map table.

Step 2
Command: map-name user-attribute-name Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)# map-name department IETF-Radius-Class
Purpose: Maps the user-defined attribute name department to the Cisco attribute.

Step 3
Command: map-value user-attribute-name Cisco-attribute-name
Example:
hostname(config-ldap-attribute-map)# map-value department Engineering group1
Purpose: Maps the user-defined map value department to the user-defined attribute value and the Cisco attribute value.

Step 4
Command: aaa-server server_group [interface_name] host server_ip
Example:
hostname(config)# aaa-server ldap_dir_1 host 10.1.1.4
Purpose: Identifies the server and the AAA server group to which it belongs.

Step 5
Command: ldap-attribute-map map-name
Example:
hostname(config-aaa-server-host)# ldap-attribute-map att_map_1
Purpose: Binds the attribute map to the LDAP server.

Examples
The following example shows how to limit management sessions to the ASA based on an LDAP attribute called accessType. The accessType attribute has three possible values:

- VPN
- admin
- helpdesk

The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6) Administrative, and nas-prompt (Service-Type 7) NAS Prompt:

hostname(config)# ldap attribute-map MGMT
hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type
hostname(config-ldap-attribute-map)# map-value accessType VPN 5
hostname(config-ldap-attribute-map)# map-value accessType admin 6
hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7
hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
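
An added example, not part of the Cisco guide: a small Python audit helper that parses ldap attribute-map blocks such as the MGMT map shown on this page and lists which LDAP values are mapped to which IETF-Radius-Service-Type level. The function names and SAMPLE_CONFIG are constructed for illustration; the parser assumes one command per line, with or without the CLI prompt.

```python
import re
import shlex

# Service-Type numbers and names as listed on this page.
SERVICE_TYPES = {"5": "remote-access", "6": "admin", "7": "nas-prompt"}
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "hostname(config-...)# "

# Constructed sample: the page's MGMT map as it would appear without prompts.
SAMPLE_CONFIG = """\
ldap attribute-map MGMT
 map-name accessType IETF-Radius-Service-Type
 map-value accessType VPN 5
 map-value accessType admin 6
 map-value accessType helpdesk 7
aaa-server LDAP protocol ldap
"""

def parse_attribute_maps(text):
    """Return {map: {"names": {ldap_attr: cisco_attr}, "values": [(attr, ldap, cisco)]}}."""
    maps, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(PROMPT.sub("", raw.strip()))  # quoted values stay whole
        if words[:2] == ["ldap", "attribute-map"] and len(words) == 3:
            current = maps.setdefault(words[2], {"names": {}, "values": []})
        elif current is not None and words[:1] == ["map-name"] and len(words) == 3:
            current["names"][words[1]] = words[2]
        elif current is not None and words[:1] == ["map-value"] and len(words) == 4:
            current["values"].append(tuple(words[1:]))
        elif words:
            current = None  # any other command ends the attribute-map block
    return maps

def management_access(maps):
    """(map, ldap_attr, ldap_value, level) for each value mapped to a Service-Type."""
    rows = []
    for name, m in maps.items():
        for attr, ldap_val, cisco_val in m["values"]:
            if m["names"].get(attr) == "IETF-Radius-Service-Type":
                level = SERVICE_TYPES.get(cisco_val, "unlisted:" + cisco_val)
                rows.append((name, attr, ldap_val, level))
    return rows

def orphan_values(maps):
    """map-value lines whose attribute has no map-name in the same map."""
    return [(name, *v) for name, m in maps.items()
            for v in m["values"] if v[0] not in m["names"]]

if __name__ == "__main__":
    parsed = parse_attribute_maps(SAMPLE_CONFIG)
    for row in management_access(parsed):
        print(*row)
    print("orphans:", orphan_values(parsed))
```

Reviewing the rows reported as admin shows which directory values grant Service-Type 6 on the ASA; orphan_values flags map-value lines that have no matching map-name in the same map.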
Cisco ASA Series CLI Configuration Guide
Configuring AAA
1-21
