Using LDAP on ACS 4.1.1 appliance

Answered Question
Sep 10th, 2008

I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows device - ACS agent. Can this be done? Is there a document out there that will allow me to do this, and does the group recommend updating to 4.2 prior to configuring this?

Thanks

Dwane

Premdeep Banga Mon, 09/15/2008 - 15:19

Using AD as LDAP will allow you not to install any Agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows Database on ACS.

As it would be LDAP, please consult the following matrix for the features available:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

Other than that, configure AD as a normal LDAP, only change the default LDAP port from 389 to 3268 (Global Catalog).

User directory and group directory subtree would be your AD root.

<--for example-->

User Directory Subtree : DC=domain,DC=com

Group Directory Subtree : DC=domain,DC=com

<--below info is common for all AD-->

UserObjectType : samaccountname

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : memberof

Hostname :

Port : 3268

Admin DN : [email protected]

Password :

If this is a new installation, then go for 4.2 :)

Regards,

Prem

Please rate if it helps!
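An added example, not part of this thread and not Cisco's code: a small Python model of how the settings listed above turn into the LDAP user search and memberOf-based group mapping, run against a constructed in-memory directory instead of a live AD. The directory entries, names and the lookup logic are assumptions (a simplified stand-in for what ACS does); the filter escaping shows why the login name has to be treated as untrusted input when it is placed into the search filter.

```python
from dataclasses import dataclass
@dataclass
class AcsLdapSettings:
    user_subtree: str = "DC=domain,DC=com"
    group_subtree: str = "DC=domain,DC=com"
    user_object_type: str = "samaccountname"  # attribute that carries the login name
    user_object_class: str = "person"
    group_object_type: str = "cn"
    group_object_class: str = "group"
    group_attribute: str = "memberof"         # read from the user entry
    port: int = 3268                          # Global Catalog, as the post advises

def escape_filter_value(value):
    # RFC 4515 escaping: a typed login name must not be able to rewrite the filter
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, esc)
    return value

def user_filter(s, username):
    # The search issued under user_subtree (scope: subtree) to locate the user entry
    return f"(&(objectClass={s.user_object_class})({s.user_object_type}={escape_filter_value(username)}))"

def in_subtree(dn, base):
    return dn.lower().endswith("," + base.lower())

DIRECTORY = [  # constructed sample directory (made-up names); attribute names lower-cased
    {"dn": "CN=Dwane,OU=Staff,DC=other,DC=com", "objectclass": ["top", "person", "user"],
     "samaccountname": ["dwane"], "memberof": []},
    {"dn": "CN=Dwane,OU=Staff,DC=domain,DC=com", "objectclass": ["top", "person", "user"],
     "samaccountname": ["dwane"], "memberof": ["CN=NetAdmins,OU=Groups,DC=domain,DC=com"]},
    {"dn": "CN=NetAdmins,OU=Groups,DC=domain,DC=com", "objectclass": ["top", "group"], "cn": ["NetAdmins"]},
]

def find_user(s, username):
    # Emulates the user lookup: right subtree, right object class, login name matches (case-insensitive)
    for e in DIRECTORY:
        if (in_subtree(e["dn"], s.user_subtree) and s.user_object_class in e["objectclass"]
                and username.lower() in [v.lower() for v in e.get(s.user_object_type, [])]):
            return e
    return None

def groups_of(s, entry):
    # Group mapping: follow the user's memberOf DNs, keep only group objects under group_subtree
    names = []
    for gdn in entry.get(s.group_attribute, []):
        g = next((x for x in DIRECTORY if x["dn"].lower() == gdn.lower()), None)
        if g and in_subtree(gdn, s.group_subtree) and s.group_object_class in g["objectclass"]:
            names.extend(g.get(s.group_object_type, []))
    return names
```

Changing user_subtree to the other domain's root makes the same login resolve to a different entry, which is the practical reason the subtree and the Global Catalog port matter in a multi-domain forest.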

dpatkins Tue, 09/16/2008 - 05:16

Prem,

What features would I lose? Also, if I take away the ACS agent, is there a way to assign another server so that I can offload logs for easy access?

Thanks

Dwane

Premdeep Banga Tue, 09/16/2008 - 05:23

You can go through the following links for the features that you'll lose:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

If you are talking about the logs, i.e. Pass, Fail, Radius/Tacacs accounting etc.:

If you wish to not have the Remote Agent even for logging, then you can make use of the Syslogging feature and send the syslogs to a syslog server.

Regards,

Prem

Please rate if it helps!

dpatkins Tue, 09/16/2008 - 05:25

So I can keep a Remote Agent for Logging and still use the LDAP feature?

Thanks, I will have to look through the links a tad more.

Dwane

Correct Answer
Premdeep Banga Tue, 09/16/2008 - 05:27

yups, you can keep the RA for only logging and have authentication using LDAP separately.

Regards,

Prem

Please rate if this helps!

dpatkins Wed, 12/17/2008 - 09:59

Prem,

I appreciate the help. I have configured this and, of course, I am having issues.

I have configured the device to connect to the LDAP server. I have created a bind password on the actual LDAP server.

From the ACS server, I can do a telnet 389 and it will go.

From the ASA, I do a test aaa-server authentication radiusgroup host radiusserver username me password mypassword.

It will just not allow me to authenticate. Are there logs on the ACS besides failed authentication that I can check to see why?

Does anyone have any ideas?

Dwane

dpatkins Thu, 10/23/2008 - 09:23

Kasper,

I am getting ready to set this up. I will let you know if the syntax for this setup is correct.

My question is, does anyone know of a "how to configure LDAP with ACS" example? When I go to the unknown user policies on ACS, there are many things to configure such as the Domain Filter, primary and secondary LDAP servers.

Where do I find all this information and what does each do?

Dwane
