Cisco Support Community
Community Member

Ldap for Authorization

From the document I am reading:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html#99692

it looks like I will have to extend my Active Directory schema? Is anyone using this, and does it work?

1 REPLY
Cisco Employee

Re: Ldap for Authorization

I've helped customers set it up and yes, it does work. Basically you can assign attributes to users from your LDAP database, and these override what is set on the concentrator. You don't have to define every attribute, so don't go and create a huge LDAP schema; only define the attributes you specifically want to set via LDAP, and that should be enough.

You'll end up with something like this under a user profile:

CVPN3000-Access-Hours: Corporate_time
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
CVPN3000-IPSec-Over-UDP-Port: 12125
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
cVPN3000-Primary-DNS: 10.10.4.5
CVPN3000-Secondary-DNS: 10.11.12.7
CVPN3000-Primary-WINS: 10.20.1.44
CVPN3000-SEP-Card-Assignment: 1
CVPN3000-IPSec-Tunnel-Type: 2
CVPN3000-Tunneling-Protocols: 7
cVPN3000-Confidence-Interval: 300
cVPN3000-IPSec-Allow-Passwd-Store: TRUE
objectClass: cVPN3000-User-Authorization

The object class must be called "cVPN3000-User-Authorization" at the moment; it may be possible to change that in later code releases, but for now it has to be that.

A good way to start off is just define the following:

cVPN3000-IPSec-Banner1: Hi there

and if the user gets that when they log in, then you know your database is set up OK. After that it's just a matter of adding whatever other attributes you want; they're all listed in the URL you posted initially.
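As an added example (not from the original thread or from Cisco), a small Python checker for a user's LDIF entry: it confirms the required objectClass is present and that every cVPN3000-* attribute is one of the names quoted in the reply, so a typo is caught before the concentrator silently ignores it. The DN, user name and sample entry are constructed placeholders.

```python
# Added example: validate an LDIF user entry against the attribute names
# quoted in the reply above. Sample DN and user name are placeholders.
REQUIRED_OBJECT_CLASS = "cVPN3000-User-Authorization"

# Attributes quoted in the reply. LDAP attribute names are case-insensitive,
# so everything is compared in lower case.
KNOWN_ATTRS = {a.lower() for a in [
    "cVPN3000-Access-Hours", "cVPN3000-Simultaneous-Logins",
    "cVPN3000-IPSec-Over-UDP", "cVPN3000-IPSec-Over-UDP-Port",
    "cVPN3000-IPSec-Banner1", "cVPN3000-Primary-DNS",
    "cVPN3000-Secondary-DNS", "cVPN3000-Primary-WINS",
    "cVPN3000-SEP-Card-Assignment", "cVPN3000-IPSec-Tunnel-Type",
    "cVPN3000-Tunneling-Protocols", "cVPN3000-Confidence-Interval",
    "cVPN3000-IPSec-Allow-Passwd-Store",
]}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_authorization_entry(text):
    """Return a list of problems; an empty list means the entry is usable."""
    entry = parse_ldif_entry(text)
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if REQUIRED_OBJECT_CLASS.lower() not in classes:
        problems.append("missing objectClass " + REQUIRED_OBJECT_CLASS)
    vpn_attrs = {a for a in entry if a.startswith("cvpn3000-")}
    if not vpn_attrs:
        problems.append("no cVPN3000-* attributes, nothing would be overridden")
    for a in sorted(vpn_attrs - KNOWN_ATTRS):
        problems.append("unknown attribute " + a)
    return problems

# Constructed minimal profile: just the banner, as the reply suggests for a first test.
MINIMAL_ENTRY = """dn: cn=jdoe,ou=Users,dc=example,dc=com
objectClass: user
objectClass: cVPN3000-User-Authorization
cVPN3000-IPSec-Banner1: Hi there
"""
```

Run `check_authorization_entry(MINIMAL_ENTRY)` to get an empty list for the banner-only profile; an entry with a misspelled attribute or without the object class returns the problems found.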

176 Views, 0 Helpful, 1 Reply