Cisco asa 5505 web filtering
I've compiled 5 very useful ASA features that I find most customers don't know about yet. You've probably heard of one or even two, but I'm betting not all 5. How in-depth is your ASA knowledge? Put it to the test.

The ASAs include several deep packet inspection engines in their software. This makes the ASA not only a stateful packet filtering firewall but also an application firewall. The way all of the application inspection engines work is that you pick an interface you want to inspect traffic on, then you define the traffic matching criteria, then you define what application level data you want to write policy for. This is configured in ASDM under Firewall / Service Policy Rules.

Figure 1: Define interface to apply policy to
Figure 2: Define traffic match criteria, I picked ACL
Figure 3: Choose an application inspection, I chose http
Figure 4: Configure the http inspection rules, I chose medium security

There is also an expert view where you can create your own regex expression for any of the URI fields or body.

Embedded host posture assessment and remediation (NAC) for VPN clients

The ASA includes NAC functionality for host posture assessment built-in. For a nominal fee you can upgrade to the advanced host inspection license and obtain some remediation features and a detailed checklist of over 40 AV/AS vendors' products as well. It is not as robust as Cisco's NAC Appliance solution, but in many cases it makes sense anyway. You configure your host posture assessment checks via DAP (dynamic access policy) rules. These rules can be based on AAA criteria as well. Here are two screenshots showing a snippet from the vendor list and the auto remediation feature and host firewall rules you get when you enable the advanced inspection license.

Authenticate and authorize your ASA Admin users directly via LDAP

Most of you authenticate and authorize your ASA administrators using TACACS+ or RADIUS, which sometimes back-ends into an LDAP database. Now you can authenticate and authorize directly to LDAP databases for your administrators. You simply map LDAP attributes to RADIUS attributes so you can control their privilege level (1-15). Here is an instructions snippet from the Cisco docs:

The following example shows how to limit management sessions to the security appliance based on an LDAP attribute called accessType. The accessType attribute has three possible values; each value is mapped to one of the valid IETF RADIUS Service-Types that the security appliance supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6) Administrative, and nas-prompt (Service-Type 7) NAS Prompt.

Hostname(config)# ldap attribute-map MGMT
Hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type
Hostname(config-ldap-attribute-map)# map-value accessType VPN 5
Hostname(config-ldap-attribute-map)# map-value accessType admin 6
Hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7
Hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
Hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.254.91
Hostname(config-aaa-server-host)# ldap-base-dn CN=Users,DC=cisco,DC=local
Hostname(config-aaa-server-host)# ldap-scope subtree
Hostname(config-aaa-server-host)# ldap-login-password test
Hostname(config-aaa-server-host)# ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
Hostname(config-aaa-server-host)# server-type auto-detect
Hostname(config-aaa-server-host)# ldap-attribute-map MGMT

Allow TCP applications over clientless SSL VPN without plugins
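The ASDM steps for the application inspection feature (choose the interface, define the traffic match, write the HTTP-level rules, optionally add a regex from the expert view) have a direct CLI equivalent. The configuration below is an added example, not code from the post or from Cisco's documentation; the object names (HTTP_INSPECT, WEB_CLIENTS, BAD_URIS, HTTP_POLICY, OUTSIDE_POLICY), the interface name outside, and the regex pattern are assumptions chosen for illustration. It applies an http inspection policy to ACL-matched traffic on one interface and drops requests whose URI matches a custom regex, exceeds a length limit, or uses the CONNECT method.

```cisco
! Added example (not from the post): CLI equivalent of the ASDM
! Firewall / Service Policy Rules steps. All object names, the
! interface name and the regex pattern are assumptions.

! Step 2 - traffic match criteria: an ACL selecting client HTTP sessions
access-list HTTP_INSPECT extended permit tcp any any eq www

class-map WEB_CLIENTS
 match access-list HTTP_INSPECT

! Expert view equivalent: a regex class matched against the request URI.
! The pattern (a "../" path-traversal sequence) is a constructed example.
regex DOTDOT_IN_URI \.\./

class-map type regex match-any BAD_URIS
 match regex DOTDOT_IN_URI

! Step 4 - the HTTP inspection rules themselves
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
 match request uri regex class BAD_URIS
  drop-connection log
 match request uri length gt 2048
  drop-connection log
 match request method connect
  drop-connection log

! Steps 1 and 3 - apply http inspection with this policy to the matched
! traffic on the chosen interface
policy-map OUTSIDE_POLICY
 class WEB_CLIENTS
  inspect http HTTP_POLICY

service-policy OUTSIDE_POLICY interface outside
```

After applying it, `show service-policy interface outside` shows the inspect http counters for the class, which is the quickest way to confirm the ACL is actually matching the traffic you expect before tightening the rules further.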
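One caveat on the LDAP snippet above: as written, the ASA binds to the directory as the domain Administrator over plain LDAP (port 389), so the bind password and every attribute lookup cross the network in cleartext, and nothing in the snippet ties the server group to management logins or tells the ASA to act on the mapped Service-Type. The following is an added example, not from the post or the Cisco snippet, that keeps the same attribute map and server address (10.1.254.91 and the DNs are reused from the snippet; the asa-ldap-bind account and the password placeholder are assumptions) and adds transport protection plus the aaa commands that enforce the mapping.

```cisco
! Added example (not from the post): hardened version of the LDAP server
! group from the snippet. The bind account and password are placeholders.

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.254.91
 ldap-base-dn CN=Users,DC=cisco,DC=local
 ldap-scope subtree
 ! Dedicated read-only bind account instead of the domain Administrator
 ldap-login-dn CN=asa-ldap-bind,CN=Users,DC=cisco,DC=local
 ldap-login-password REPLACE_WITH_BIND_PASSWORD
 ! Encrypt the bind and the attribute query instead of cleartext port 389
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map MGMT

! Authenticate SSH and ASDM administrators against LDAP; LOCAL is consulted
! only if every server in the group is unreachable.
aaa authentication ssh console LDAP LOCAL
aaa authentication http console LDAP LOCAL

! Management authorization: without this line the mapped Service-Type
! (admin / nas-prompt / remote-access) is not enforced on management sessions.
aaa authorization exec authentication-server
```

Test the result with `test aaa-server authentication LDAP host 10.1.254.91 username <user> password <pw>` for an account in each accessType value before removing the local fallback accounts, and keep a console session open while changing the aaa authentication lines.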