Cisco ASA Missing Attribute

I'm trying to set up my ASA so our SSL VPN users can authenticate against a Microsoft AD server. From what I've read I need to map the AD attribute 'msNPAllowDialin' to the Cisco attribute 'CVPN3000-Radius-IETF-Class', but my ASA doesn't seem to have that. Is there something I'm supposed to do first for this to show up? Here's what is available:

ASA(config-ldap-attribute-map)# map-name msNPAllowDialin ?

ldap mode commands/options:
cisco-attribute-names:
  Access-Hours
  Allow-Network-Extension-Mode
  Auth-Service-Type
  Authenticated-User-Idle-Timeout
  Authorization-Required
  Authorization-Type
  Banner1
  Banner2
  Cisco-AV-Pair
  Cisco-IP-Phone-Bypass
  Cisco-LEAP-Bypass
  Client-Intercept-DHCP-Configure-Msg
  Client-Type-Version-Limiting
  Confidence-Interval
  DHCP-Network-Scope
  DN-Field
  Firewall-ACL-In
  Firewall-ACL-Out
  Group-Policy
  IE-Proxy-Bypass-Local
  IE-Proxy-Exception-List
  IE-Proxy-Method
  IE-Proxy-Server
  IETF-Radius-Class
  IETF-Radius-Filter-Id
  IETF-Radius-Framed-IP-Address
  IETF-Radius-Framed-IP-Netmask
  IETF-Radius-Idle-Timeout
  IETF-Radius-Service-Type
  IETF-Radius-Session-Timeout
  IKE-DPD-Retry-Interval
  IKE-Keep-Alives
  IPSec-Allow-Passwd-Store
  IPSec-Auth-On-Rekey
  IPSec-Authentication
  IPSec-Backup-Server-List
  IPSec-Backup-Servers
  IPSec-Client-Firewall-Filter-Name
  IPSec-Client-Firewall-Filter-Optional
  IPSec-Default-Domain
  IPSec-Extended-Auth-On-Rekey
  IPSec-IKE-Peer-ID-Check
  IPSec-IP-Compression
  IPSec-Mode-Config
  IPSec-Over-UDP
  IPSec-Over-UDP-Port
  IPSec-Required-Client-Firewall-Capability
  IPSec-Split-DNS-Names
  IPSec-Split-Tunnel-List
  IPSec-Split-Tunneling-Policy
  IPSec-Tunnel-Type
  IPSec-User-Group-Lock
  L2TP-Encryption
  L2TP-MPPC-Compression
  MS-Client-Subnet-Mask
  PFS-Required
  PPTP-Encryption
  PPTP-MPPC-Compression
  Primary-DNS
  Primary-WINS
  Privilege-Level
  Require-HW-Client-Auth
  Require-Individual-User-Auth
  Required-Client-Firewall-Description
  Required-Client-Firewall-Product-Code
  Required-Client-Firewall-Vendor-Code
  Secondary-DNS
  Secondary-WINS
  Simultaneous-Logins
  Strip-Realm
  TACACS-Authtype
  TACACS-Privilege-Level
  Tunnel-Group-Lock
  Tunneling-Protocols
  Use-Client-Address
  User-Auth-Server-Name
  User-Auth-Server-Port
  User-Auth-Server-Secret
  VPN-Smartcard-Removal-Disconnect
  WebVPN-ACL-Filters
  WebVPN-Apply-ACL-Enable
  WebVPN-Citrix-Support-Enable
  WebVPN-Content-Filter-Parameters
  WebVPN-Enable-Functions
  WebVPN-Exchange-NETBIOS-Name
  WebVPN-Exchange-Server-Address
  WebVPN-File-Access-Enable
  WebVPN-File-Server-Browsing-Enable
  WebVPN-File-Server-Entry-Enable
  WebVPN-Forwarded-Ports
  WebVPN-Homepage
  WebVPN-Macro-Substitution-Value1
  WebVPN-Macro-Substitution-Value2
  WebVPN-Port-Forwarding-Enable
  WebVPN-Port-Forwarding-Exchange-Proxy-Enable
  WebVPN-Port-Forwarding-HTTP-Proxy-Enable
  WebVPN-Port-Forwarding-Name
  WebVPN-SVC-Client-DPD
  WebVPN-SVC-Compression
  WebVPN-SVC-Enable
  WebVPN-SVC-Gateway-DPD
  WebVPN-SVC-Keep-Enable
  WebVPN-SVC-Keepalive
  WebVPN-SVC-Rekey-Method
  WebVPN-SVC-Rekey-Period
  WebVPN-SVC-Required-Enable
  WebVPN-Single-Sign-On-Server-Name
  WebVPN-URL-Entry-Enable


Accepted Solutions
Cisco Employee

Re: Cisco ASA Missing Attribute

It's not missing; it has been replaced with a different command: IETF-Radius-Class

ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configs

HTH

Regds,

JK

Do rate helpful posts

~BR Jatin Katyal **Do rate helpful posts**
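The attribute map in the accepted answer only takes effect once it is attached to the LDAP server entry, and the NOACCESS and ALLOWACCESS names it returns must exist as group policies. The fragment below is an added example, not part of the original reply or of Cisco's linked document; the server group name, tunnel group name, IP address and DNs are hypothetical placeholders.

```text
! Added example: placeholder names, address and DNs; adjust for your environment.

! Policy that blocks login: zero simultaneous sessions allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! Policy for users whose AD dial-in setting is "Allow access".
group-policy ALLOWACCESS internal

! Map from the accepted answer, using the attribute name this ASA lists.
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

! LDAP server entry (hypothetical group name AD_LDAP, documentation address).
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
  server-type microsoft
  ldap-base-dn dc=example,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
  ldap-login-password <bind-password>
  ldap-over-ssl enable
  ldap-attribute-map CISCOMAP

! Tunnel group (hypothetical name SSLVPN). Users whose msNPAllowDialin is
! not set in AD return no value to map, so they receive the default group
! policy; pointing it at NOACCESS makes that case deny rather than allow.
tunnel-group SSLVPN general-attributes
  authentication-server-group AD_LDAP
  default-group-policy NOACCESS
```

Running `debug ldap 255` during a test login shows whether msNPAllowDialin was returned and which group policy it was mapped to.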