Cisco ASA Missing Attribute

Answered Question
May 12th, 2010
User Badges:

I'm trying to set up my ASA so our SSL VPN users can authenticate against a microsoft AD server. From what I've read I need to map the AD attribute 'msNPAllowDialin' to the Cisco Attribute 'CVPN3000−Radius−IETF−Class', but my ASA doesn't seem to have that. Is there something I'm suppose to do first for this to show up? Here's what is available:




ASA(config-ldap-attribute-map)# map-name msNPAllowDialin ?


ldap mode commands/options:

cisco-attribute-names:

  Access-Hours

  Allow-Network-Extension-Mode

  Auth-Service-Type

  Authenticated-User-Idle-Timeout

  Authorization-Required

  Authorization-Type

  Banner1

  Banner2

  Cisco-AV-Pair

  Cisco-IP-Phone-Bypass

  Cisco-LEAP-Bypass

  Client-Intercept-DHCP-Configure-Msg

  Client-Type-Version-Limiting

  Confidence-Interval

  DHCP-Network-Scope

  DN-Field

  Firewall-ACL-In

  Firewall-ACL-Out

  Group-Policy

  IE-Proxy-Bypass-Local

  IE-Proxy-Exception-List

  IE-Proxy-Method

  IE-Proxy-Server

  IETF-Radius-Class

  IETF-Radius-Filter-Id

  IETF-Radius-Framed-IP-Address

  IETF-Radius-Framed-IP-Netmask

  IETF-Radius-Idle-Timeout

  IETF-Radius-Service-Type

  IETF-Radius-Session-Timeout

  IKE-DPD-Retry-Interval

  IKE-Keep-Alives

  IPSec-Allow-Passwd-Store

  IPSec-Auth-On-Rekey

  IPSec-Authentication

  IPSec-Backup-Server-List

  IPSec-Backup-Servers

  IPSec-Client-Firewall-Filter-Name

  IPSec-Client-Firewall-Filter-Optional

  IPSec-Default-Domain

  IPSec-Extended-Auth-On-Rekey
  IPSec-IKE-Peer-ID-Check
  IPSec-IP-Compression
  IPSec-Mode-Config
  IPSec-Over-UDP
  IPSec-Over-UDP-Port
  IPSec-Required-Client-Firewall-Capability
  IPSec-Split-DNS-Names
  IPSec-Split-Tunnel-List
  IPSec-Split-Tunneling-Policy
  IPSec-Tunnel-Type
  IPSec-User-Group-Lock
  L2TP-Encryption
  L2TP-MPPC-Compression
  MS-Client-Subnet-Mask
  PFS-Required
  PPTP-Encryption
  PPTP-MPPC-Compression
  Primary-DNS
  Primary-WINS
  Privilege-Level
  Require-HW-Client-Auth
  Require-Individual-User-Auth
  Required-Client-Firewall-Description
  Required-Client-Firewall-Product-Code
  Required-Client-Firewall-Vendor-Code
  Secondary-DNS
  Secondary-WINS
  Simultaneous-Logins
  Strip-Realm
  TACACS-Authtype
  TACACS-Privilege-Level
  Tunnel-Group-Lock
  Tunneling-Protocols
  Use-Client-Address
  User-Auth-Server-Name
  User-Auth-Server-Port
  User-Auth-Server-Secret
  VPN-Smartcard-Removal-Disconnect
  WebVPN-ACL-Filters
  WebVPN-Apply-ACL-Enable
  WebVPN-Citrix-Support-Enable
  WebVPN-Content-Filter-Parameters
  WebVPN-Enable-Functions
  WebVPN-Exchange-NETBIOS-Name
  WebVPN-Exchange-Server-Address
  WebVPN-File-Access-Enable
  WebVPN-File-Server-Browsing-Enable
  WebVPN-File-Server-Entry-Enable
  WebVPN-Forwarded-Ports
  WebVPN-Homepage
  WebVPN-Macro-Substitution-Value1
  WebVPN-Macro-Substitution-Value2
  WebVPN-Port-Forwarding-Enable
  WebVPN-Port-Forwarding-Exchange-Proxy-Enable
  WebVPN-Port-Forwarding-HTTP-Proxy-Enable
  WebVPN-Port-Forwarding-Name
  WebVPN-SVC-Client-DPD
  WebVPN-SVC-Compression
  WebVPN-SVC-Enable
  WebVPN-SVC-Gateway-DPD
  WebVPN-SVC-Keep-Enable
  WebVPN-SVC-Keepalive
  WebVPN-SVC-Rekey-Method
  WebVPN-SVC-Rekey-Period
  WebVPN-SVC-Required-Enable
  WebVPN-Single-Sign-On-Server-Name
  WebVPN-URL-Entry-Enable
Correct Answer by Jatin Katyal about 6 years 10 months ago

Its not missing, it has been replaced with a different command---  IETF-Radius-Class


ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS



Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configs


HTH


Regds,

JK


Do rate hekpful posts-

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Jatin Katyal Wed, 05/12/2010 - 17:09
User Badges:
  • Cisco Employee,

Its not missing, it has been replaced with a different command---  IETF-Radius-Class


ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS



Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configs


HTH


Regds,

JK


Do rate hekpful posts-

Actions

This Discussion