Configure LDAP or Active Directory for Authorization

When you want to configure remote access VPN with an LDAP or Active Directory (AD) server for authorization, you must configure the LDAP attribute map using a FlexConfig object, because attribute maps are not supported directly in the Cisco Defense Orchestrator web interface.

Before you begin

Ensure that you have created a Realm object for LDAP or AD.

Procedure

Step 1

On your Cisco Defense Orchestrator web interface, choose Devices > VPN > Remote Access.

Step 2

Create a remote access VPN policy that uses the LDAP or AD realm object as its authentication server, or edit an existing remote access VPN configuration and select the LDAP or AD realm as the authentication server.

Step 3

Choose Objects > Object Management > FlexConfig > FlexConfig Object.

Step 4

Create a FlexConfig policy, then create the following two FlexConfig objects and assign them to its append section:

  1. Create the FlexConfig object for the LDAP attribute map with Deployment type: Once and Type: Append.

    Enter the following in the object body (the `lda` keyword in the original text is a typo; the command is `ldap attribute-map`):

    ldap attribute-map <LDAP_Map_for_VPN_Access>
              map-name  memberOf Group-Policy
              map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com LabAdminAccessGroupPolicy
              map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com VPNAccessGroupPolicy

  2. Create a FlexConfig object that associates the LDAP attribute map with the LDAP AAA server, with Deployment type: Everytime and Type: Append.

    Note

    This object is required to reinstate the ldap-attribute-map association, because Cisco Defense Orchestrator negates it.

    Enter the following in the object body area:

    aaa-server <LDAP/AD_Realm_name> host <AD Server IP>
              ldap-attribute-map <LDAP_Map_for_VPN_Access>
              exit

    Use the same aaa-server name as the LDAP realm name used in the AAA server settings of the connection profile that you added to the remote access VPN policy configuration.

For more information, see Configure FlexConfig Text Objects.

Step 5

Click Save.

Make sure that the order of the FlexConfig objects in the FlexConfig policy is the LDAP attribute map object first, followed by the AAA-server object.

This will configure the LDAP attribute map and associate it with the LDAP server configuration on the Firepower Threat Defense device.
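As an added check that is not part of the original procedure, the following Python script validates the rendered append section against the requirements above: the attribute map must be defined before the aaa-server object references it, the aaa-server name must match the realm name, the map must map memberOf to Group-Policy, and each map-value must target an existing group policy. The realm name, server IP and group-policy set in the sample are constructed placeholders.

```python
import re

# Constructed sample bodies of the two FlexConfig objects from the procedure.
# Realm name and server IP are placeholders, not values from a real deployment.
LDAP_MAP_BODY = """\
ldap attribute-map LDAP_Map_for_VPN_Access
  map-name  memberOf Group-Policy
  map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com LabAdminAccessGroupPolicy
  map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com VPNAccessGroupPolicy
"""
AAA_SERVER_BODY = """\
aaa-server LDAP_Realm host 192.0.2.10
  ldap-attribute-map LDAP_Map_for_VPN_Access
  exit
"""

def check_ldap_map_config(rendered, realm_name, group_policies):
    """Return problems found in the FlexConfig bodies concatenated in policy order."""
    lines = [l.strip() for l in rendered.splitlines()]
    # Pass 1: record where each attribute map is defined and whether it maps
    # memberOf to Group-Policy (without that, map-value lines have no effect).
    defined, current = {}, None
    for idx, line in enumerate(lines):
        m = re.match(r"ldap attribute-map (\S+)$", line)
        if m:
            current = m.group(1)
            defined[current] = {"line": idx, "maps_gp": False}
        elif current and re.match(r"map-name\s+memberOf\s+Group-Policy$", line):
            defined[current]["maps_gp"] = True
        elif line.startswith("aaa-server "):
            current = None
    problems = [f"attribute map {n!r} never maps memberOf to Group-Policy"
                for n, d in defined.items() if not d["maps_gp"]]
    # Pass 2: the aaa-server block must use the realm name and reference a map
    # defined earlier; every map-value target must be an existing group policy.
    for idx, line in enumerate(lines):
        m = re.match(r"aaa-server (\S+) host \S+$", line)
        if m and m.group(1) != realm_name:
            problems.append(f"aaa-server {m.group(1)!r} does not match realm {realm_name!r}")
        m = re.match(r"ldap-attribute-map (\S+)$", line)
        if m and m.group(1) not in defined:
            problems.append(f"ldap-attribute-map {m.group(1)!r} is never defined")
        elif m and defined[m.group(1)]["line"] > idx:
            problems.append(f"attribute map {m.group(1)!r} is defined after the aaa-server that uses it")
        m = re.match(r"map-value\s+memberOf\s+(.+)\s+(\S+)$", line)
        if m and m.group(2) not in group_policies:
            problems.append(f"map-value targets unknown group policy {m.group(2)!r}")
    return problems
```

Run it on the concatenated bodies in the order they appear in the FlexConfig policy; an empty list means the two objects are consistent with each other and with the connection profile.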