Cisco ASA Firewall: LDAP Users in a Specific Group Policy through clientless SSL VPN connection
Today I am going to talk about placing LDAP users into a specific group policy when the user connects through a clientless SSL VPN connection. First of all, we need to understand what LDAP means: LDAP stands for Lightweight Directory Access Protocol.
LDAP is a protocol used to access and maintain directory data. It searches and manages directories over IP networks and traditionally runs over TCP/IP, using simple string formats for data transfer. So you can maintain the user directory information of your organization through LDAP. LDAP authentication means authenticating a user against an LDAP server such as Active Directory.
Fig 1.1-LDAP User mapped with Cisco ASA Firewall
To place an LDAP user into a particular group policy, use the Department field of the Organization tab to enter the name of the group policy. Then create an attribute map, and map Department to the Cisco attribute IETF-Radius-Class.
During authentication, the ASA retrieves the value of Department from the server, maps the value to IETF-Radius-Class, and places User1 in the group policy. The steps below enable LDAP users in a specific group policy.
Step-1
Click the user and open the Properties dialog box, then select the Organization tab. In the Organization tab, enter Group-Policy-1 in the Department field as shown below.
Fig 1.2- LDAP Group Policy
Step-2
Now define an attribute map for the LDAP configuration and map the AD attribute Department to the Cisco attribute IETF-Radius-Class using the configuration below on the Cisco ASA Firewall.
RouteXP_ASA(config)# ldap attribute-map group_policy
RouteXP_ASA(config-ldap-attribute-map)# map-name Department IETF-Radius-Class
Step-3
With the LDAP attribute map and map name defined, associate the LDAP attribute map with the AAA server as shown below on the Cisco ASA Firewall.
RouteXP_ASA(config)# aaa-server MS_LDAP host 10.10.1.2
RouteXP_ASA(config-aaa-server-host)# ldap-attribute-map group_policy
Step-4
As you remember, we named the group policy Group-Policy-1. Add this group policy, exactly as entered in the Department field on the server, on the ASA and configure the required policy attributes that will be assigned to the user.
RouteXP_ASA(config)# group-policy Group-Policy-1 external server-group LDAP_demo
RouteXP_ASA(config-aaa-server-group)#
Step-5
Create the VPN connection as the user would, and confirm that the session receives the attributes from Group-Policy-1 (and any other applicable attributes from the default group policy). Now observe the interaction between the ASA and the server by enabling the debug ldap 255 command from privileged EXEC mode.
Authentication successful for user1 to 10.10.1.2
Retrieving user attributes from server 10.10.1.2
Retrieved Attributes:
department: value = Group-Policy-1
mapped to IETF-Radius-Class: value = Group-Policy-1
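
The Step-5 check can be automated over captured debug output. The script below is an added example, not part of the original post or Cisco's tooling: it parses lines shaped like the excerpt above and flags users whose mapped IETF-Radius-Class value does not exactly match a group policy name you supply. The function names, the user2 and user3 sample lines, and the exact string comparison are assumptions made for this example.

```python
import re

AUTH_RE = re.compile(r"Authentication successful for (\S+) to ")
MAP_RE = re.compile(r"mapped to ([\w-]+): value = (.+?)\s*$")
ATTR_RE = re.compile(r"^\s*([\w-]+): value = (.+?)\s*$")

# user1 lines come from the excerpt on this page; user2 and user3 are constructed.
SAMPLE = """\
Authentication successful for user1 to 10.10.1.2
Retrieving user attributes from server 10.10.1.2
Retrieved Attributes:
department: value = Group-Policy-1
mapped to IETF-Radius-Class: value = Group-Policy-1
Authentication successful for user2 to 10.10.1.2
department: value = group-policy-1
mapped to IETF-Radius-Class: value = group-policy-1
Authentication successful for user3 to 10.10.1.2
department: value = Sales
"""

def parse_sessions(debug_text):
    """Collect raw and mapped attributes for each authenticated user."""
    sessions = []
    for line in debug_text.splitlines():
        if (m := AUTH_RE.search(line)):
            sessions.append({"user": m.group(1), "raw": {}, "mapped": {}})
        elif sessions and (m := MAP_RE.search(line)):
            sessions[-1]["mapped"][m.group(1)] = m.group(2)
        elif sessions and (m := ATTR_RE.search(line)):
            sessions[-1]["raw"][m.group(1)] = m.group(2)
    return sessions

def classify(value, asa_group_policies):
    """Label a mapped value ok, case-mismatch, unknown-policy or unmapped."""
    if value is None:
        return "unmapped"            # no "mapped to" line: map not applied or field empty
    if value in asa_group_policies:
        return "ok"
    if value.lower() in {p.lower() for p in asa_group_policies}:
        return "case-mismatch"       # e.g. group-policy-1 vs Group-Policy-1
    return "unknown-policy"

def audit(sessions, asa_group_policies, attr="IETF-Radius-Class"):
    """Return (user, mapped value, status) for every parsed session."""
    return [(s["user"], s["mapped"].get(attr), classify(s["mapped"].get(attr), asa_group_policies))
            for s in sessions]

if __name__ == "__main__":
    print(audit(parse_sessions(SAMPLE), {"Group-Policy-1"}))
```

Any status other than ok means the user's Department value, the attribute map, or the group policy name on the ASA needs to be rechecked against Steps 1 to 4.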