Configuring LDAP Attribute Mapping

An LDAP attribute map maps an LDAP user or group attribute name to a Cisco-understandable name. The attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Any standard LDAP attribute can be mapped to a well-known vendor-specific attribute (VSA). One or more LDAP attributes can be mapped to one or more Cisco LDAP attributes. When the AD or LDAP server returns the authentication result to the FTD device during remote access VPN connection establishment, the FTD device can use the returned attributes to adjust how the AnyConnect VPN client completes the connection.

When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy sets to each user based on their credentials. You can achieve this in FTD by configuring LDAP authorization with LDAP attribute maps. In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory (AD) attribute memberOf, to the VPN-Group attribute that is understood by the VPN headend.

An LDAP attribute map consists of three components:

  • Name—Specifies the name for the LDAP attribute map; the name is generated based on the selected realm.

  • Attribute Name Mapping—Maps the LDAP user or group attribute name to a Cisco-understandable name.

  • Attribute Value Mapping—Maps a value in the LDAP user or group attribute to the value of a Cisco attribute for the selected name mapping.

When a user connects to the FTD remote access VPN, if the memberOf field matches the configured value, the group policy VPN-Group is applied to the user's VPN session.

The group policies used in an LDAP attribute map are added to the list of group policies in a remote access VPN configuration. When a group policy is removed from a remote access VPN configuration, the associated LDAP attribute mapping is also removed.
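The following added example (not Cisco's code) models how the name map and value maps described above turn a user's returned memberOf values into a group policy. The Cisco attribute name "Group-Policy", the group policy names, the group DNs and the user entries are constructed assumptions; values are compared exactly, which is the behaviour the capitalization guideline in this page implies.

```python
from dataclasses import dataclass, field

@dataclass
class LdapAttributeMap:
    """One name map (LDAP attribute -> Cisco attribute) plus its value maps."""
    ldap_attribute: str   # e.g. "memberOf"
    cisco_attribute: str  # Cisco attribute name; "Group-Policy" is assumed here
    value_map: dict = field(default_factory=dict)  # LDAP value -> Cisco value

def validate_attribute_maps(attribute_maps):
    """Return guideline violations: one name map required, LDAP names unique."""
    errors = []
    if not attribute_maps:
        errors.append("at least one name map is required")
    seen = set()
    for amap in attribute_maps:
        if amap.ldap_attribute in seen:
            errors.append(f"duplicate name map for {amap.ldap_attribute}")
        seen.add(amap.ldap_attribute)
    return errors

def resolve_cisco_attributes(ldap_entry, attribute_maps):
    """Derive {cisco_attribute: cisco_value} from a user's LDAP attributes.
    Values are compared exactly (spelling and case), which is why the page's
    capitalization guideline matters. If several memberOf values have value
    maps, the first in server order wins; that ordering is a simplification.
    """
    resolved = {}
    for amap in attribute_maps:
        for value in ldap_entry.get(amap.ldap_attribute, []):
            if value in amap.value_map:
                resolved[amap.cisco_attribute] = amap.value_map[value]
                break
    return resolved

# Constructed sample map: memberOf -> Group-Policy with two value maps.
ATTRIBUTE_MAPS = [LdapAttributeMap("memberOf", "Group-Policy", {
    "CN=VPN-Admins,OU=Groups,DC=example,DC=com": "GP-Admins",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": "GP-Users",
})]

# Constructed LDAP entries as the server would return them at authentication.
SAMPLE_USERS = {
    "alice": {"memberOf": ["CN=VPN-Admins,OU=Groups,DC=example,DC=com"]},
    "bob": {"memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com",
                         "CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
    # Wrong capitalization: nothing matches, so no group policy is derived.
    "carol": {"memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"]},
}
```

A user whose memberOf values match no value map (carol) receives no mapped group policy, so the connection profile's default applies rather than a silently wrong policy.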

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Advanced > LDAP Attribute Mapping.

Step 4

Click Add.

Step 5

On the Configure LDAP Attribute Map page, select a Realm to configure the attribute map.

The name for the LDAP attribute map is generated based on the selected realm. If you change the realm, the LDAP attribute map name also changes.

Step 6

Click Add.

You can configure multiple attribute maps. Each attribute map requires that you configure a name map and value maps.

Note

Ensure that you follow these guidelines while creating an LDAP attribute map:

  • You must configure only one mapping for each LDAP attribute; multiple mappings with the same LDAP attribute name are not allowed.

  • Configuring a minimum of one Name map is mandatory to create an LDAP attribute map.

  • Remove any LDAP attribute map if the attribute map is not associated with any connection profile in a remote access VPN configuration.

  • Use the correct spelling and capitalization in the LDAP attribute map for both the Cisco and LDAP attribute names and values.

  1. Specify the LDAP Attribute Name and then select the required Cisco Attribute Name from the list.

  2. Click Add Value Map and specify the LDAP Attribute Value and Cisco Attribute Value.

    Repeat this step to add more value maps.

You can click the respective Delete icon to delete an LDAP attribute map, a name map, or a value map.

Step 7

Click OK to complete the LDAP attribute map configuration.

Step 8

Click Save to save the changes to the LDAP attribute mapping.