Which of the following is the ASA most likely to match?

A Cisco ASA queries an LDAP server for a VPN user OU attribute of bsnsw and receives multiple results.
Which of the following is the ASA most likely to match? (Select the best answer.)


A.
the last result in the list of results containing the attribute

B.
the first result in the list of results containing the attribute

C.
the most specific result in the list of results containing the attribute

D.
the shortest result in the list of results beginning with the lowest alphanumeric character

Explanation:
Of the choices provided, the Cisco Adaptive Security Appliance (ASA) is most likely to match the shortest
Lightweight Directory Access Protocol (LDAP) result beginning with the lowest alphanumeric character in the list of results containing the organizational unit (OU) attribute of bsnsw. When using LDAP attribute maps on an
ASA, there is a limit on the number of Active Directory (AD) multivalued attributes matched by an LDAP
attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on
specified AD attributes, such as group membership or department name. If an LDAP query returns a
multivalued attribute, such as the list of groups of which a user is a member, the ASA will match only one of the
returned values to the appropriate group policy. The ASA will select the matching group policy with the fewest
characters in its name and, among names of equal length, the one that starts with the lowest alphanumeric character.
The following sample output from a running configuration defines five group policy mappings:
ldap attribute-map ExampleMap
 map-name memberOf Group-Policy
 map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
 map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
 map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
 map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
 map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
The ldap attribute-map ExampleMap command creates an LDAP attribute map named ExampleMap. The LDAP
attribute map contains a map-name statement, which maps the AD memberOf attribute to the ASA Group-Policy
attribute, and a series of map-value commands, which map matching LDAP response strings to ASA attributes.
The map-value commands specify the mapping between AD group membership attributes in an LDAP response
and the ASA group policy to which they should be applied. When the ASA receives a reply to an LDAP
authorization query for the VPN user in this scenario, the following multivalued response is compared to the
map-value statements in the LDAP attribute map:
memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com
If an LDAP query returns a multivalued attribute, the ASA will match only one of the returned values to the
appropriate group policy. The ASA will select the matching group policy with the fewest characters in
its name and, among names of equal length, the one that starts with the lowest alphanumeric character. In this scenario, four of the five configured
map-value statements will match the LDAP query response. Because the group policies in the matched
statements have names of identical length, the ASA will select the name based on its alphabetical preference.
Alphabetically, the name Group1 comes before any of the other matching group policy names: Group3,
Group4, and Group5.
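The selection rule the explanation describes, modelled in Python as an added illustration (this is not Cisco's code, and the ASA's real implementation is not on the page; the map entries, policy names and response lines are constructed from this scenario, and "lowest alphanumeric character" is assumed to mean plain lexicographic order):

```python
# Added illustration of the ASA rule described above: of all map-value
# entries that match a multivalued memberOf response, pick the group policy
# with the shortest name, breaking ties by the lowest alphanumeric character.
# This is a model of the documented behaviour, not Cisco's implementation.

# Constructed: map-value entries from ExampleMap (LDAP DN -> ASA group policy).
EXAMPLE_MAP = {
    "CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com": "Group5",
    "CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com": "Group4",
    "CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com": "Group3",
    "CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com": "Group2",
    "CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com": "Group1",
}

# Constructed: the multivalued memberOf response returned for the VPN user.
LDAP_RESPONSE = [
    "memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com",
]


def parse_member_of(lines):
    """Extract the DN from each 'memberOf: value = <DN>' response line."""
    values = []
    for line in lines:
        attr, _, rest = line.partition(":")
        if attr.strip() != "memberOf":
            continue                      # ignore other attributes in the reply
        _, _, dn = rest.partition("=")    # split at the first '=' (after 'value')
        values.append(dn.strip())
    return values


def matching_policies(attribute_map, values):
    """Return the group policy of every map-value whose DN is in the response."""
    return [attribute_map[dn] for dn in values if dn in attribute_map]


def select_group_policy(attribute_map, response_lines):
    """Shortest policy name wins; equal lengths are ordered lexicographically
    (assumed to be what 'lowest alphanumeric character' means)."""
    candidates = matching_policies(attribute_map, parse_member_of(response_lines))
    if not candidates:
        return None                       # no map-value matched the response
    return min(candidates, key=lambda name: (len(name), name))


if __name__ == "__main__":
    print(select_group_policy(EXAMPLE_MAP, LDAP_RESPONSE))   # prints Group1
```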

Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ
