The attribute map that binds our group of allowed administrators to a Service-Type that allows logins:

ldap attribute-map LDAP_MemberOf_ServiceType
  map-name memberOf IETF-Radius-Service-Type
  map-value memberOf CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu 6
The Active Directory servers. I use SSL, so be sure to import the root certificate from the Active Directory to make it work.

aaa-server TEST.SECU protocol ldap
aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.10
  server-port 636
  ldap-base-dn DC=TEST,DC=secu
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
  ldap-over-ssl enable
  server-type microsoft
  ldap-attribute-map LDAP_MemberOf_ServiceType
aaa-server TEST.SECU (DMZ_Auth) host 10.18.0.11
  server-port 636
  ldap-base-dn DC=TEST,DC=secu
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn CN=svc-acces,OU=Services,DC=TEST,DC=secu
  ldap-over-ssl enable
  server-type microsoft
  ldap-attribute-map LDAP_MemberOf_ServiceType
To use our LDAP server group for admin access to the firewall, with the LOCAL database as fallback:

user-identity default-domain LOCAL
aaa authentication ssh console TEST.SECU LOCAL
aaa authentication http console TEST.SECU LOCAL
aaa authorization exec authentication-server
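As an added example (not the post's own configuration or any Cisco code), the following Python models the authorization decision the attribute map above produces: a memberOf value that matches the map-value literal exactly yields IETF Service-Type 6 (Administrative-User, RFC 2865), and any other user yields nothing. The LDAP entries are constructed by hand, and the exact-string comparison is an assumption of the example that mirrors the literal DN in the config; it also shows the practical caveat that AD's memberOf attribute lists direct memberships only, so a user in a group nested inside G_ADMIN_SECU is not mapped.

```python
# Added example modelling the ASA "ldap attribute-map" step offline.
# No ASA or directory is contacted; all entries below are constructed.

ADMIN_GROUP_DN = "CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu"

# IETF RADIUS Service-Type value emitted by the map (RFC 2865, section 5.6).
SERVICE_TYPE_ADMINISTRATIVE = 6

# Mirrors:
#   ldap attribute-map LDAP_MemberOf_ServiceType
#     map-name  memberOf IETF-Radius-Service-Type
#     map-value memberOf CN=G_ADMIN_SECU,OU=Groupes,DC=TEST,DC=secu 6
ATTRIBUTE_MAP = {
    "memberOf": {
        "ietf_attribute": "IETF-Radius-Service-Type",
        "values": {ADMIN_GROUP_DN: SERVICE_TYPE_ADMINISTRATIVE},
    }
}


def apply_attribute_map(ldap_entry, attribute_map=ATTRIBUTE_MAP):
    """Translate an LDAP entry into RADIUS attributes via the map.

    Only values listed under map-value are translated; every other memberOf
    value is ignored, so a user in no mapped group yields an empty dict.
    The match is an exact string comparison (assumption of this example).
    """
    result = {}
    for ldap_name, spec in attribute_map.items():
        for value in ldap_entry.get(ldap_name, []):
            mapped = spec["values"].get(value)
            if mapped is not None:
                result[spec["ietf_attribute"]] = mapped
    return result


def is_admin(ldap_entry):
    """True only when the map produced Service-Type 6 for this entry."""
    attrs = apply_attribute_map(ldap_entry)
    return attrs.get("IETF-Radius-Service-Type") == SERVICE_TYPE_ADMINISTRATIVE


# Constructed sample entries (hypothetical users, not real directory data).
ADMIN_USER = {
    "sAMAccountName": ["alice"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=TEST,DC=secu", ADMIN_GROUP_DN],
}
PLAIN_USER = {
    "sAMAccountName": ["bob"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=TEST,DC=secu"],
}
# Member of a hypothetical group nested inside G_ADMIN_SECU: AD's memberOf
# lists direct memberships only, so the admin group never appears here.
NESTED_USER = {
    "sAMAccountName": ["carol"],
    "memberOf": ["CN=G_ADMIN_SECU_L2,OU=Groupes,DC=TEST,DC=secu"],
}

if __name__ == "__main__":
    for entry in (ADMIN_USER, PLAIN_USER, NESTED_USER):
        name = entry["sAMAccountName"][0]
        print(name, apply_attribute_map(entry), "admin" if is_admin(entry) else "not admin")
```

Running it prints one line per user; only alice is mapped to Service-Type 6. If nested administrative groups are needed, they must be flattened into direct membership of G_ADMIN_SECU, since the map only sees what memberOf returns.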
Debug commands:

debug ldap 255
debug aaa common 255