Configuring LDAP Attribute Mapping

An LDAP attribute map maps an LDAP user or group attribute name to a Cisco-understandable name. The attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. You can map any standard LDAP attribute to a well-known vendor-specific attribute (VSA), and you can map one or more LDAP attributes to one or more Cisco LDAP attributes. When the AD or LDAP server returns the authentication response to the threat defense device during remote access VPN connection establishment, the threat defense device can use the returned attribute information to adjust how the Secure Client completes the connection.

When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy sets to each user based on their credentials. In threat defense, you achieve this by configuring LDAP authorization with LDAP attribute maps. To use LDAP to assign a group policy to a user, you must configure a map that maps an LDAP attribute to the Cisco attribute that selects the group policy.

An LDAP attribute map consists of three components:

  • Realm—Specifies the name for the LDAP attribute map; the name is generated based on the selected realm.

  • Attribute Name Map—Maps the LDAP user or group attribute name to a Cisco-understandable name.

  • Attribute Value Map—Maps a value of the LDAP user or group attribute to the value of a Cisco attribute for the selected name mapping.

The group policies that are used in an LDAP attribute map get added to the list of group policies in the remote access VPN configuration. Removing a group policy from the remote access VPN configuration also removes the associated LDAP attribute mapping.

In versions 6.4 to 6.6, you can configure LDAP attribute maps only using FlexConfig. For more information, see Configure AnyConnect Modules and Profiles Using FlexConfig.

In versions 7.0 and later, you can use the following procedure:

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Advanced > LDAP Attribute Mapping.

Step 4

Click Add.

Step 5

On the Configure LDAP Attribute Map page, select a Realm to configure the attribute map.

Step 6

Click Add.

You can configure multiple attribute maps. Each attribute map requires that you configure a name map and value maps.

Note

Ensure that you follow these guidelines while creating an LDAP attribute map:

  • Configure at least one mapping for an LDAP attribute; multiple mappings with the same LDAP attribute name are not allowed.

  • Configure a minimum of one name map to create an LDAP attribute map.

  • You can remove any LDAP attribute map if the attribute map is not associated with any connection profile in the remote access VPN configuration.

  • Use the correct spelling and capitalization in the LDAP attribute map for both the Cisco and LDAP attribute names and values.

  1. Specify the LDAP Attribute Name and then select the required Cisco Attribute Name from the list.

  2. Click Add Value Map and specify the LDAP Attribute Value and Cisco Attribute Value.

    Repeat this step to add more value maps.

Step 7

Click OK to complete LDAP attribute map configuration.

Step 8

Click Save to save the changes to the LDAP attribute mapping.
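As an added example that is not part of this guide, the following threat defense CLI shows what a realm, a name map and two value maps correspond to once deployed; the same syntax is what a FlexConfig object carries on versions 6.4 to 6.6. The map name, the AD group DNs, the group policy names, the server tag, interface and address are all hypothetical.

```cisco
! Hypothetical LDAP attribute map (added example). In the management center the
! map name is generated from the selected realm; here it is chosen by hand.
ldap attribute-map AD-VPN-MAP
 ! Attribute Name Map: the AD attribute memberOf selects the Cisco Group-Policy.
 map-name memberOf Group-Policy
 ! Attribute Value Map: one AD group DN per group policy. Names and values are
 ! matched exactly, including capitalization, so copy them from the directory.
 map-value memberOf CN=VPN-Admins,OU=Groups,DC=example,DC=com GP-ADMINS
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com GP-USERS
!
! Attach the map to the LDAP server definition that the realm provides
! (hypothetical server tag, interface and address).
aaa-server AD-REALM protocol ldap
aaa-server AD-REALM (inside) host 10.0.0.5
 ldap-attribute-map AD-VPN-MAP
```

A user whose memberOf values match none of the map-value entries is not assigned a mapped policy and falls back to the connection profile's default group policy; confirm the deployed map on the device with show running-config ldap attribute-map.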