Monday, May 6, 2013

Cisco ASA management session use LDAP

we talked about ldap for VPN remote access a lot before, now it is time to discuss how to use LDAP for asa management purpose:

the following is the procedure via ASDM



  1.  configure the ldap attibute map
    please note the attribute name is case sensitive, you can open ldap debug to find out the how the name and value looks like
    ldap attribute-map TEST2
      map-name  memberOf IETF-Radius-Service-Type
      map-value memberOf CN=IT,OU=Firewall,DC=test,DC=int 6


    -Service-Type 6 (admin)-Allows full access to any services specified by the aaa authentication console commands.

    -Service-Type 7 (nas-prompt)-Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.



    -Service-Type 5 (remote-access)-Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote-access (IPSec and SSL) users can still authenticate and terminate their remote-access sessions.
  2. setup LDAP server ( same as for VPN access)
  3. config aaa access
    select the ldap from server group
    (cli: aaa authentication http console ldapserver local)
     select enable perform authorization for exec shell access
    (cli: aaa authorization exec authentication-server)





-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How to use Telus Actionec T3200M as a wireless Access point

when you install Telus Internet, they will offer you a modem + router + wireless device Actionec T3200M, a lot of users still want to use th...