Ldap for Authorization

shawn.s
Level 1

From the document I am reading:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html#99692

it looks like I will have to extend my Active Directory schema? Is anyone using this, and does it work?

1 Reply

gfullage
Cisco Employee

I've helped customers set it up and yes, it does work. Basically you can assign attributes to users from your LDAP database; these override what is set on the concentrator. You don't have to define every attribute, so don't go and create a huge LDAP schema; only define the attributes you specifically want to set via LDAP and that should be enough.

You'll end up with something like this under a user profile:

CVPN3000-Access-Hours: Corporate_time
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
CVPN3000-IPSec-Over-UDP-Port: 12125
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
cVPN3000-Primary-DNS: 10.10.4.5
CVPN3000-Secondary-DNS: 10.11.12.7
CVPN3000-Primary-WINS: 10.20.1.44
CVPN3000-SEP-Card-Assignment: 1
CVPN3000-IPSec-Tunnel-Type: 2
CVPN3000-Tunneling-Protocols: 7
cVPN3000-Confidence-Interval: 300
cVPN3000-IPSec-Allow-Passwd-Store: TRUE
objectClass: cVPN3000-User-Authorization

The object class must be called "cVPN3000-User-Authorization" at the moment; it may be changeable in later code releases, but for now it has to be that.

A good way to start off is to just define the following:

cVPN3000-IPSec-Banner1: Hi there

and if the user gets that when they log in, then you know your database is set up OK. After that it's just a matter of adding in whatever other attributes you want; they're all listed in the URL you posted initially.
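As an added illustration (not code from the thread or from Cisco), the script below parses an LDIF user entry carrying the cVPN3000-* attributes quoted in the answer, checks that the mandatory objectClass is present and that the values are well-formed, and then merges the entry over concentrator-side defaults the way the answer describes (an attribute set in LDAP wins, anything not defined falls back to the concentrator). The DN, the default values and the sample entry are constructed for the example.

```python
# Added example, not from the post or Cisco: parse an LDIF user entry carrying
# cVPN3000-* attributes, sanity-check it, and merge it over concentrator defaults.
import ipaddress

REQUIRED_CLASS = "cvpn3000-user-authorization"  # mandatory per the answer

# Constructed sample entry using attributes quoted in the answer (DN is made up).
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=vpnusers,dc=example,dc=com
objectClass: cVPN3000-User-Authorization
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
CVPN3000-Primary-DNS: 10.10.4.5
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
"""

# Constructed concentrator-side defaults; a value set in LDAP overrides its default.
CONCENTRATOR_DEFAULTS = {"cvpn3000-simultaneous-logins": "3", "cvpn3000-ipsec-over-udp": "FALSE",
                         "cvpn3000-primary-dns": "10.0.0.2", "cvpn3000-secondary-dns": "10.0.0.3"}

def parse_ldif(text):
    """Minimal LDIF parser; names are lower-cased since LDAP attribute names
    are case-insensitive (the post mixes CVPN3000- and cVPN3000-)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def validate(entry):
    """Return a list of problems; empty means the entry is usable."""
    problems = []
    if REQUIRED_CLASS not in [c.lower() for c in entry.get("objectclass", [])]:
        problems.append("missing objectClass cVPN3000-User-Authorization")
    for name, (v, *_) in entry.items():
        if name.endswith(("-dns", "-wins")):
            try:
                ipaddress.ip_address(v)
            except ValueError:
                problems.append(f"{name}: not an IP address: {v}")
        elif name.endswith(("-over-udp", "-allow-passwd-store")) and v not in ("TRUE", "FALSE"):
            problems.append(f"{name}: expected TRUE or FALSE, got {v}")
    return problems

def effective_profile(entry, defaults=CONCENTRATOR_DEFAULTS):
    """Per-attribute merge: an LDAP value wins, otherwise the concentrator default applies."""
    merged = dict(defaults)
    merged.update({k: v[0] for k, v in entry.items() if k.startswith("cvpn3000-")})
    return merged
```

Running validate() against a test user before pointing the concentrator at the directory catches the two mistakes the answer warns about: a missing objectClass and mis-typed attribute values.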
