The following partial command output is from the running configuration of an ASA that has been configured to
authorize VPN users based on their group membership in AD:
ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
An LDAP authorization query for a VPN user returns the following values:
memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com
Which group policy will the ASA assign to the user in this scenario? (Select the best answer.)
A. Group1
B. Group2
C. Group3
D. Group4
E. Group5
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the group policy named Group1 to the
virtual private network (VPN) user. Lightweight Directory Access Protocol (LDAP) attribute maps are used to
authorize VPN users based on specified Active Directory (AD) attributes, such as group membership or
department name. The following sample output from the running configuration defines five group policy
mappings:
ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
The ldap attribute-map ExampleMap command creates an LDAP attribute map named ExampleMap. The LDAP
attribute map contains a map-name statement, which maps the AD memberOf attribute to the ASA Group-Policy
attribute, and a series of map-value commands, which map matching LDAP response strings to ASA attributes.
The map-value commands specify the mapping between AD group membership attributes in an LDAP response
and the ASA group policy to which they should be applied. When the ASA receives a reply to an LDAP
authorization query for the VPN user in this scenario, the following multiattribute response is compared to the
map-value statements in the LDAP attribute map:
memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com
If an LDAP query returns a multivalued attribute, the ASA will match only one of the returned values to the
appropriate group policy. The ASA will select the matching group policy whose name has the fewest characters
and that starts with the lowest alphanumeric character. In this scenario, four of the five configured
map-value statements will match the LDAP query response. Because the group policies in the matched
statements have names of identical length, the ASA will select the name based on its alphabetical preference.
Alphabetically, the name Group1 comes before any of the other matching group policy names: Group3,
Group4, and Group5.
Reference: Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ
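To make the selection rule above concrete, here is an added Python example (not from the question source or from Cisco) that parses the attribute map and the LDAP response shown in this scenario and applies the rule as the explanation states it: gather every group policy whose map-value matches a returned memberOf value, then pick the shortest name, breaking ties alphabetically. The attribute map is written in the hyphenated form the ASA CLI uses (ldap attribute-map, map-name, map-value); quoted map-value strings are assumed to be the way DNs containing spaces would appear.

```python
import re

# Constructed copy of the scenario's attribute map, in ASA CLI form.
ATTRIBUTE_MAP = """
ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
"""

# Constructed copy of the multivalued LDAP authorization response.
LDAP_RESPONSE = """
memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com
"""

# map-value <ldap-attr> <ldap-value or "quoted value"> <asa-value>
MAP_VALUE_RE = re.compile(r'^\s*map-value\s+(\S+)\s+("[^"]*"|\S+)\s+(\S+)\s*$')
# <attr>: value = <value>
LDAP_VALUE_RE = re.compile(r"^\s*(\S+):\s*value\s*=\s*(.+?)\s*$")


def parse_attribute_map(text):
    """Return {ldap_attr: {ldap_value: asa_value}} from the map-value lines."""
    mapping = {}
    for line in text.splitlines():
        m = MAP_VALUE_RE.match(line)
        if m:
            attr, ldap_value, asa_value = m.groups()
            mapping.setdefault(attr, {})[ldap_value.strip('"')] = asa_value
    return mapping


def parse_ldap_response(text):
    """Return {attr: [values]} so multivalued attributes keep every value."""
    values = {}
    for line in text.splitlines():
        m = LDAP_VALUE_RE.match(line)
        if m:
            attr, value = m.groups()
            values.setdefault(attr, []).append(value)
    return values


def select_group_policy(attribute_map, ldap_values, attr="memberOf"):
    """Shortest matching policy name wins; ties go to the alphabetically lowest.
    Returns None when no returned value matches a map-value statement."""
    table = attribute_map.get(attr, {})
    matched = {table[v] for v in ldap_values.get(attr, []) if v in table}
    return min(matched, key=lambda name: (len(name), name)) if matched else None
```

Running select_group_policy(parse_attribute_map(ATTRIBUTE_MAP), parse_ldap_response(LDAP_RESPONSE)) yields Group1; the Engineers mapping never enters the candidate set because that DN is absent from the response.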