ASA and LDAP authorization

Unanswered Question
Aug 30th, 2008
User Badges:

Hello all,

I'm looking for the way to download user profiles for ASA (both IPSec and SSL) from LDAP server.

Quite similar to what it's possible to do with RADIUS ip-acl and webvpn-acl attributes.

Authentication works, I just need to limit access per user.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
v.kirillov Sun, 08/31/2008 - 02:01
User Badges:

Hello,


Thanks for the reply.

I understand it. However, what I found as examples only maps predefined group-policy, accepts or denies the access etc. So, not really the ACL as I need to apply per-user.

Do you have more examples?

Premdeep Banga Sun, 08/31/2008 - 09:45
User Badges:
  • Gold, 750 points or more

The LDAP authorization attributes is not only for predefined group policy. You can push many attributes as per your requirement. As you want to push ACL on per user basis, that would be defined under "Cisco-AV-Pair". But again, in order to do that, you need to go through the document, and configure/add/edit your LDAP schema, so that it can have a security appliance authorization schema [object class (User-Authorization)], and all the listed attributes need to be added (all or some depending on your need) under this object class.


What can be done using the attributes is, I guess, self explanatory. Please refer to table,


http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1629915


If you are looking for ldif file that needs to be created, you find an example file in this document. Go to the heading "Example Security Appliance Authorization Schema". You may want to get some help from an LDAP expert.


But to push authorization attributes from LDAP server to ASA, you needs to add the LDAP authorization attributes in your LDAP.


Regards,

Prem


Please rate if it helps!

Actions

This Discussion