Using LDAP on ACS 4.1.1 appliance

dpatkins, Level 1

I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows device with the ACS agent. Can this be done? Is there a document out there that will allow me to do this, and does the group recommend updating to 4.2 prior to configuring this?

Thanks

Dwane

Accepted Solution (Prem, below):

Yes, you can keep the RA for only logging and have authentication using LDAP separately.

Premdeep Banga, Level 7

Using AD as LDAP will allow you to not install any agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows database on ACS.

As it would be LDAP, please consult the following matrix for the features available:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

Other than that, configure AD as a normal LDAP database; only change the default LDAP port from 389 to 3268 (Global Catalog).

User directory and group directory subtree would be your AD root.

For example:

User Directory Subtree : DC=domain,DC=com

Group Directory Subtree : DC=domain,DC=com

The following is common for all AD:

UserObjectType : samaccountname

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : memberof

Hostname :

Port : 3268

Admin DN : Administrator@domain.com

Password :

If this is a new installation, then go for 4.2 :)

Regards,

Prem

Please rate if it helps!
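To see what ACS actually does with the settings above, here is an offline dry-run as an added example; it is not ACS code, not Cisco's, and not a real LDAP client. It models, against a constructed in-memory directory, the generic-LDAP sequence: bind with the Admin DN, search the user subtree for (&(sAMAccountName=user)(objectClass=person)), bind as the user's DN to check the password, then resolve each memberOf value to a group object (objectClass=group) under the group subtree and take its cn for ACS group mapping. The "emea" child domain, the NetAdmins group, every password and the simplified DC-versus-Global-Catalog behaviour in visible() are assumptions made for the illustration; the point they show is why the post moves the port from 389 to 3268: a DC on 389 only answers for its own domain and hands back referrals for the rest of the forest, which ACS does not chase.

```python
"""Offline dry-run of the ACS generic-LDAP settings quoted in the post.
Added example with constructed data; not ACS or Cisco code. Assumed: the
'emea' child domain, the NetAdmins group, all passwords, and the simplified
DC-vs-Global-Catalog model in visible()."""

# The "LDAP Configuration" values from the post; Admin password is a placeholder.
ACS_LDAP = {
    "user_subtree": "DC=domain,DC=com",
    "group_subtree": "DC=domain,DC=com",
    "user_object_type": "sAMAccountName",
    "user_object_class": "person",
    "group_object_type": "cn",
    "group_object_class": "group",
    "group_attribute": "memberOf",
    "admin_dn": "Administrator@domain.com",
    "admin_password": "placeholder-bind-secret",
}

HOME_NC = "DC=domain,DC=com"  # naming context of the DC that ACS connects to

# Constructed forest. Attribute names are lowercase so lookups are
# case-insensitive as in AD; 'password' exists only in this simulation.
DIRECTORY = [
    {"dn": "CN=Dwane,CN=Users,DC=domain,DC=com", "password": "dwane-pw",
     "samaccountname": ["dwane"], "objectclass": ["top", "person", "user"],
     "memberof": ["CN=NetAdmins,CN=Users,DC=domain,DC=com"]},
    # Child-domain user. NetAdmins is assumed to be a universal group, the only
    # kind whose membership is complete in the Global Catalog across domains.
    {"dn": "CN=Kasper,CN=Users,DC=emea,DC=domain,DC=com", "password": "kasper-pw",
     "samaccountname": ["kasper"], "objectclass": ["top", "person", "user"],
     "memberof": ["CN=NetAdmins,CN=Users,DC=domain,DC=com"]},
    {"dn": "CN=NetAdmins,CN=Users,DC=domain,DC=com", "cn": ["NetAdmins"],
     "objectclass": ["top", "group"]},
]
BIND_ACCOUNTS = {"Administrator@domain.com": "placeholder-bind-secret"}


def escape_filter_value(value):
    """RFC 4515 escaping: keeps a username such as 'x)(objectClass=*' from
    rewriting the search filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(cfg, username):
    """The filter ACS derives from UserObjectType and UserObjectClass."""
    return "(&(%s=%s)(objectClass=%s))" % (
        cfg["user_object_type"], escape_filter_value(username), cfg["user_object_class"])


def naming_context(dn):
    return ",".join(p.strip() for p in dn.split(",") if p.strip().upper().startswith("DC="))


def visible(entry, port):
    """Port 389 on a DC answers only for its own naming context (other domains
    come back as referrals, dropped here); port 3268 (Global Catalog) answers
    for the whole forest."""
    return port != 389 or naming_context(entry["dn"]).lower() == HOME_NC.lower()


def search(port, base, attr, value, object_class):
    """Subtree search equivalent to (&(attr=value)(objectClass=object_class))."""
    hits = []
    for e in DIRECTORY:
        if not (e["dn"].lower().endswith(base.lower()) and visible(e, port)):
            continue
        values = [v.lower() for v in e.get(attr.lower(), [])]
        classes = [c.lower() for c in e["objectclass"]]
        if value.lower() in values and object_class.lower() in classes:
            hits.append(e)
    return hits


def group_name(cfg, port, group_dn):
    """Resolve one memberOf value to the GroupObjectType (cn) that ACS maps on."""
    for e in DIRECTORY:
        if (e["dn"].lower() == group_dn.lower() and visible(e, port)
                and e["dn"].lower().endswith(cfg["group_subtree"].lower())
                and cfg["group_object_class"].lower()
                in [c.lower() for c in e["objectclass"]]):
            return e[cfg["group_object_type"].lower()][0]
    return None


def authenticate(cfg, port, username, password):
    """Returns {'status': ..., 'groups': [...]}; the status separates the
    failure stages that a plain 'failed attempt' entry does not."""
    if BIND_ACCOUNTS.get(cfg["admin_dn"]) != cfg["admin_password"]:
        return {"status": "admin_bind_failed", "groups": []}
    users = search(port, cfg["user_subtree"], cfg["user_object_type"],
                   username, cfg["user_object_class"])
    if len(users) != 1:
        return {"status": "user_not_found", "groups": []}
    if users[0]["password"] != password:  # stands in for the bind as the user DN
        return {"status": "bad_password", "groups": []}
    names = (group_name(cfg, port, g)
             for g in users[0].get(cfg["group_attribute"].lower(), []))
    return {"status": "ok", "groups": [n for n in names if n]}


if __name__ == "__main__":
    print(user_filter(ACS_LDAP, "dwane)(objectClass=*"))
    for port, user in [(389, "kasper"), (3268, "kasper"), (3268, "dwane")]:
        print(port, user, authenticate(ACS_LDAP, port, user, user + "-pw"))
```

Two caveats a practitioner would add to the settings above. Port 3268 is cleartext: the Admin DN password and every user password crosses the wire unencrypted unless the ACS LDAP configuration is switched to its secure (LDAPS) option, for which the Global Catalog listens on 3269. And the Admin DN should be a dedicated, least-privilege read-only bind account rather than the domain Administrator, since its credentials sit in the ACS configuration and in any packet capture of the LDAP session.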

Prem,

What features would I lose? Also, if I take away the ACS agent, is there a way to assign another server so that I can offload logs for easy access?

Thanks

Dwane

You can go through the following links for the features that you'll lose:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

If you are talking about the logs, i.e. passed/failed authentications, RADIUS/TACACS+ accounting etc., and you wish not to have the Remote Agent even for logging, then you can make use of the syslog feature and send the syslogs to a syslog server.

Regards,

Prem

Please rate if it helps!

So I can keep a Remote Agent for Logging and still use the LDAP feature?

Thanks I will have to look through the links a tad more.

Dwane

Yes, you can keep the RA for only logging and have authentication using LDAP separately.

Regards,

Prem

Please rate if this helps!

Prem,

I appreciate the help. I have configured this and, of course, I am having issues.

I have configured the device to connect to the LDAP server. I have created a bind password on the actual LDAP server.

From the ACS server, I can telnet to port 389 and the connection goes through.

From the ASA, I run "test aaa-server authentication radiusgroup host radiusserver username me password mypassword".

It will just not allow me to authenticate. Are there logs on the ACS besides failed authentication that I can check to see why?

Does anyone have any ideas?

Dwane

Can anyone confirm that the attributes above work with Microsoft AD and LDAP?

Best regards

Kasper

Kasper,

I am getting ready to set this up. I will let you know if the syntax for this setup is correct.

My question is, does anyone know of a "how to configure LDAP with ACS" example. When I go to the unknown policies on ACS, there are many things to configure such as the Domain Filter, primary and secondary LDAP servers.

Where do I find all this information and what does each do?

Dwane
