Knowledge Base > Article [0062]

LDAP attribute map

With LDAP authentication, Cisco ASA can use an LDAP attribute map to assign a different login policy depending on the group the logging-in user belongs to. For instance, suppose you have two users in your Active Directory, Alice and Bob: Alice is in the Employees group, while Bob is in the Contractors group. On the ASA you have two different login policies for these two groups. Assume the group Employees should get Policy_Employee and the group Contractors should get Policy_Contractor. When Alice logs in she is assigned the policy Policy_Employee, while Bob is assigned Policy_Contractor.

From what we know of Cisco ASA, the same result can be achieved in DualShield with RADIUS. The essential part is to return a RADIUS Access-Accept that carries the attribute IETF-Radius-Class (25).

From Cisco's table of supported RADIUS authorization attributes:

IETF-Radius-Class (attribute 25)
  Supported on VPN 3000 / ASA / PIX: Y / Y / Y
  Single or multi-valued: Single
  Description: Sets the group policy for the remote access VPN session. For versions 8.2 and later, we recommend that you use the Group-Policy attribute. You can use one of the three following formats:
    group policy name
    OU=group policy name
    OU=group policy name:

Let us see how to achieve this in DualShield.

Create a RADIUS attribute.

Input the following into "Maps To":

groups.name.collect{ def maps=['Employees':'Policy_Employee', 'Contractors':'Policy_Contractor']; maps[it] }.find{it!=null}?.bytes

In the map [key:value, key:value, ...], each key is an LDAP group name and each value is the policy to return for it. The expression returns the policy of the first group in the user's group list that has a mapping; if none of the user's groups is mapped, no value is produced.

Make sure to check the option "Return Response".

Please see KB36 (Send certain extra RADIUS attributes in an Access-Accept message) for the details.
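The following is an added illustration, not DualShield's or Cisco's code: it reproduces in Python the group-to-policy logic of the Groovy "Maps To" expression above (first mapped group wins, nothing is returned when no group is mapped), encodes the chosen policy in each of the three Class formats the ASA accepts, builds a RADIUS Access-Accept carrying IETF-Radius-Class (25) with the Response Authenticator computed as RFC 2865 specifies, and decodes it again as the ASA would. The group list, policy map, shared secret and Request Authenticator are constructed sample values.

```python
"""Added example: LDAP group -> ASA group policy via the RADIUS Class attribute.

Not DualShield's or Cisco's code; the policy map and all inputs are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
RADIUS_CLASS = 25                          # IETF-Radius-Class
RADIUS_HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator

# Same mapping as the Groovy expression in the article: LDAP group -> ASA policy.
GROUP_POLICY_MAP = {
    "Employees": "Policy_Employee",
    "Contractors": "Policy_Contractor",
}


def policy_for_groups(group_names, mapping=GROUP_POLICY_MAP):
    """First group (in directory order) that has a mapping wins, mirroring
    collect{...}.find{it != null}; None when no group of the user is mapped."""
    for name in group_names:
        policy = mapping.get(name)
        if policy is not None:
            return policy
    return None


def class_value(policy, style="plain"):
    """The three Class value formats the ASA documentation lists."""
    formats = {"plain": policy, "ou": f"OU={policy}", "ou_colon": f"OU={policy}:"}
    return formats[style]


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def class_attribute_for_user(group_names, style="plain", mapping=GROUP_POLICY_MAP):
    """Encoded Class attribute for the user, or None so no attribute is sent
    (the Groovy '?.bytes' likewise yields null when nothing matched)."""
    policy = policy_for_groups(group_names, mapping)
    if policy is None:
        return None
    return encode_attribute(RADIUS_CLASS, class_value(policy, style).encode())


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    length = RADIUS_HEADER.size + len(body)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + response_auth + body


def verify_access_accept(packet, request_authenticator, secret):
    """What the NAS (the ASA) checks before trusting the attributes it received."""
    code, identifier, length, response_auth = RADIUS_HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    body = packet[RADIUS_HEADER.size:]
    head = struct.pack("!BBH", code, identifier, length)
    expected = hashlib.md5(head + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def decode_attributes(packet):
    """Parse the attribute TLVs into {type: [value, ...]}, rejecting bad lengths."""
    attrs = {}
    offset = RADIUS_HEADER.size
    while offset < len(packet):
        attr_type, attr_len = struct.unpack_from("!BB", packet, offset)
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(attr_type, []).append(packet[offset + 2:offset + attr_len])
        offset += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed sample: Bob's groups as returned by the directory.
    groups = ["Domain Users", "Contractors"]
    request_auth = bytes(range(16))            # constructed Request Authenticator
    secret = b"constructed-shared-secret"      # constructed RADIUS shared secret
    attr = class_attribute_for_user(groups, style="ou")
    packet = build_access_accept(7, request_auth, secret, [attr] if attr else [])
    print(verify_access_accept(packet, request_auth, secret), decode_attributes(packet))
```

When a user is in none of the mapped groups the attribute is simply omitted, so the ASA falls back to whatever its tunnel group would assign anyway; if that fallback should be a restrictive policy, configure it as such rather than relying on the attribute always being present.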


Note:

Cisco's native LDAP authentication uses the group's DN string as the LDAP group name, for example:

CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com

CN=Contractors,CN=Users,DC=ftwsecurity,DC=cisco,DC=com

while in DualShield you use the group name as it appears in the Management Console.


References:

Use LDAP Authentication to Assign a Group Policy at Login

Enforcing Microsoft Active Directory Policies Using LDAP Attribute Maps

Configure ACS to Assign a Group Policy at Login using RADIUS

Cisco ASA - Group-policy assignment based on OU

Configuring an External Server for Security Appliance User Authorization