Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA and LDAP authorization

Hello all,

I'm looking for the way to download user profiles for ASA (both IPSec and SSL) from LDAP server.

Quite similar to what it's possible to do with RADIUS ip-acl and webvpn-acl attributes.

Authentication works, I just need to limit access per user.

3 REPLIES

Re: ASA and LDAP authorization

You would be required to define a security appliance authorization schema, and then use the attributes that you want,

Configuring an External LDAP Server:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1577162

Regards,

Prem

Please rate if it helps!

New Member

Re: ASA and LDAP authorization

Hello,

Thanks for the reply.

I understand it. However, what I found as examples only maps predefined group-policy, accepts or denies the access etc. So, not really the ACL as I need to apply per-user.

Do you have more examples?

Re: ASA and LDAP authorization

The LDAP authorization attributes is not only for predefined group policy. You can push many attributes as per your requirement. As you want to push ACL on per user basis, that would be defined under "Cisco-AV-Pair". But again, in order to do that, you need to go through the document, and configure/add/edit your LDAP schema, so that it can have a security appliance authorization schema [object class (User-Authorization)], and all the listed attributes need to be added (all or some depending on your need) under this object class.

What can be done using the attributes is, I guess, self explanatory. Please refer to table,

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1629915

If you are looking for ldif file that needs to be created, you find an example file in this document. Go to the heading "Example Security Appliance Authorization Schema". You may want to get some help from an LDAP expert.

But to push authorization attributes from LDAP server to ASA, you needs to add the LDAP authorization attributes in your LDAP.

Regards,

Prem

Please rate if it helps!

271
Views
0
Helpful
3
Replies