Cisco Systems OL-16647-01 Network Router User Manual


14-22
Cisco ASDM User Guide
OL-16647-01
Chapter 14 Configuring AAA Servers and the Local Database
Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the
maximum user connection time in minutes. At the end of this time, the system terminates the
connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years).
To allow unlimited connection time, select the Unlimited check box (the default).
Idle Timeout—If the Inherit check box is not selected, this parameter specifies this user’s idle
timeout period in minutes. If there is no communication activity on the user’s connection in this
period, the system terminates the connection. The minimum time is 1 minute, and the maximum time
is 10080 minutes. This value does not apply to users of clientless SSL VPN connections.
Step 4 To set a dedicated IP address for this user, enter an IP address and subnet mask in the Dedicated IP
Address (Optional) area.
Step 5 To configure clientless SSL settings, in the left-hand pane, click Clientless SSL VPN.
To override each setting, uncheck Inherit, and fill in a new value. See the “Group Policies” section on
page 35-4.
Step 6 To configure SSL VPN settings, in the left-hand pane, click SSL VPN Client.
To override each setting, uncheck Inherit, and fill in a new value. See the “Configuring SSL VPN
Connections” section on page 35-34.
Step 7 Click Apply.
Configuring LDAP Attribute Maps
If you are introducing a security appliance to an existing LDAP directory, the attribute names and values
already defined in that directory are probably different from the Cisco attribute names and values. You must
create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute
names and values that the security appliance understands. You can then bind these attribute maps to LDAP
servers or remove them as needed. You can also show or clear attribute maps.
Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names
and values as well as the user-defined attribute names and values.
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes they
would commonly be mapped to include:
IETF-Radius-Class — Department or user group
IETF-Radius-Filter-Id — Access control list
IETF-Radius-Framed-IP-Address — A static IP address
IPSec-Banner1 — An organization title
Tunneling-Protocols — Allow or deny dial-in
For a list of Cisco LDAP attribute names and values, see Appendix C, “Configuring an External LDAP
Server”.
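As an added illustration that is not part of the guide, the following CLI fragment shows what a finished attribute map and its binding to an LDAP server look like; the directory attribute names (department, vpnAclName, vpnStaticIp), the group-policy names, the server address and the DNs are constructed placeholders, not values from this document.

```text
! Added example (not from the Cisco ASDM User Guide). Directory attribute
! names, policy names, addresses and DNs are constructed placeholders.
ldap attribute-map CORP-LDAP-MAP
 ! map-name: directory attribute name -> Cisco attribute name
 map-name department  IETF-Radius-Class
 map-name vpnAclName  IETF-Radius-Filter-Id
 map-name vpnStaticIp IETF-Radius-Framed-IP-Address
 ! map-value: directory value -> Cisco value. Only values listed here are
 ! rewritten; any other department value is delivered to the appliance
 ! unchanged, so a group policy with that exact name would have to exist.
 map-value department Engineering GP-ENGINEERING
 map-value department Finance     GP-FINANCE
!
! Bind the map to the LDAP server (the "bind to LDAP servers" step above).
aaa-server CORP-LDAP protocol ldap
aaa-server CORP-LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map CORP-LDAP-MAP
```

Because the mapped attributes select the user's group policy, ACL and address, write access to those directory attributes is effectively VPN authorization administration and should be restricted and audited accordingly.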
To map the LDAP attribute names used in your organization to their Cisco counterparts on the security
appliance, perform the following steps:
Step 1 From the Configuration > Remote Access VPN > AAA Local Users > LDAP Attribute Map pane, click
Add.
The Add LDAP Attribute Map dialog box appears with the Map Name tab active.