VPN ACL via LDAP
A customer of mine wanted to enforce VPN policy directly from LDAP: his ACS server hardware had died, and he needed a way to enforce policy in the meantime until the replacement hardware arrived. He asked me whether this was possible via Cisco-AV-Pairs; I told him it was and that I would pass along a sample config to help him out. The first thing we need to do is pick a user attribute in AD that can hold multiple lines of text, one per ACL entry. In our case we chose the Telephones/Notes field. The actual LDAP attribute name returned for this field is info. Keep in mind that whoever can write that attribute in AD now controls the user's VPN ACL, so restrict write access to it (for example, through help-desk delegation) accordingly.

If you are unfamiliar with the AV-Pair syntax, refer to the CCO documentation, which explains it in detail. Next we need to create an LDAP attribute map that maps the LDAP Telephones/Notes attribute to the Cisco-AV-Pair attribute. Remember that the actual attribute name returned by LDAP is info, so that is the name used in the map. This can be seen below:

After you have done this, apply the ldap-attribute-map to the LDAP AAA server, then set up the connection profile (tunnel-group) with the LDAP server as the authentication or authorization server. Finally, initiate the VPN session and verify that the Cisco-AV-Pair ACLs are applied, as seen below:
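The full ASA configuration for the steps above, as an added example rather than the screenshots from the original post. The names (AD-ACL-MAP, AD-LDAP, RA-VPN, RA-GROUP-POLICY), the server address, the bind DN and the sample Notes entries are all assumptions made up for illustration; the only part the post fixes is that the AD attribute behind Telephones/Notes is named info and must be mapped to Cisco-AV-Pair.

```cisco
! --- Step 1 (AD side, no ASA config): populate the user's Telephones/Notes
! field (LDAP attribute "info") with one AV-pair per line. Constructed sample:
!   ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
!   ip:inacl#2=permit tcp any host 10.160.0.1 eq 80 log
!
! --- Step 2: map the LDAP attribute "info" onto the ASA attribute Cisco-AV-Pair
ldap attribute-map AD-ACL-MAP
  map-name info Cisco-AV-Pair
!
! --- Step 3: define the LDAP AAA server group and attach the attribute map
! (server address, base DN and bind account are assumed values)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.10
  ! use a dedicated read-only bind account; this password sits in the config
  ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
  ldap-login-password <bind-password>
  ldap-base-dn dc=example,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  server-type microsoft
  ! LDAP is clear text by default; protect the bind and user credentials
  server-port 636
  ldap-over-ssl enable
  ldap-attribute-map AD-ACL-MAP
!
! --- Step 4: point the connection profile (tunnel-group) at that server.
! With LDAP as the authentication server the mapped attributes are returned
! during authentication; if another server authenticates, use the
! authorization-server-group line instead.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
  authentication-server-group AD-LDAP
  ! authorization-server-group AD-LDAP
  default-group-policy RA-GROUP-POLICY
!
! --- Step 5: connect and verify. debug ldap 255 shows the bind, the search
! and each attribute passed through the map; the session detail shows the
! filter applied to the user.
! debug ldap 255
! show vpn-sessiondb detail remote filter name <username>
```

When reviewing the debug output, look for the info attribute being returned for the user and for the mapped Cisco-AV-Pair values following it; if an entry is rejected, the error appears at that point rather than at session setup.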


Comment by Robert
on 16 May 2008:
Joe,
Is the VPN terminated on an ASA or 3000 series concentrator?
R
Comment by Joe Harris
on 16 May 2008:
Hi Robert,
This VPN is terminated on the ASA. Note that LDAP Authentication is supported on PIX/ASA only. The VPN 3000 does not support native LDAP authentication. However LDAP Authorization is supported on the PIX, VPN 3000, and the ASA security appliance. The LDAP server retrieves and searches for the username and enforces any of the defined attributes and passes them to the appliance.
Both the ASA/PIX and VPN 3000 appliances support the capability of enforcement of ACLs/filters externally from a Radius or LDAP server. ACL enforcement via an external Radius/LDAP server is sometimes referred to as Dynamic/Downloadable ACLs (DACLs) or Cisco-AV-Pairs. The format of Cisco-AV-Pairs is slightly different from that of DACLs. For instance:
Cisco-AV-Pairs:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
webvpn:inacl#1=permit url http://www.6200networks.com
webvpn:inacl#2=deny smtp any host 10.1.3.5
webvpn:inacl#3=permit url cifs://my_server/share1
DACL Format:
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
Comment by Robert
on 16 May 2008:
Is this an alternative to using LDAP authentication with DAP assigning access rights?
Comment by Joe Harris
on 19 May 2008:
Hi Robert,
Yes, this is different, as no DAP records were involved here. For those unaware of what Robert is referring to, Dynamic Access Policies is a new feature introduced in 8.0 code which allows you to configure authorization that addresses the dynamic nature of VPN environments. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security.
For example, the ASA grants access to a particular user for a particular session based on the policies you define. It generates a DAP during user authentication by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote access device and/or on AAA authorization for the user.
Comment by Martin Burman, Sweden
on 5 June 2008:
Excellent guide, Joe. Thanks a lot.
We encounter problems when we have more than one line in the access-list (Possible syntax error in the logs).
When using just one line everything works fine.
Any suggestions?
Best regards
Martin (not a native English speaker/writer)