09-10-2008 09:50 AM - edited 03-10-2019 04:04 PM
I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows device (ACS agent). Can this be done? Is there a document out there that will allow me to do this, and does the group recommend updating to 4.2 prior to configuring this?
Thanks
Dwane
09-15-2008 03:19 PM
Using AD as LDAP will allow you not to install any agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows database on ACS.
As it would be LDAP, please consult the following matrix for the features available.
Other than that, configure AD as a normal LDAP server; only change the default LDAP port from 389 to 3268 (Global Catalog).
User directory and group directory subtree would be your AD root.
<--for example-->
User Directory Subtree : DC=domain,DC=com
Group Directory Subtree : DC=domain,DC=com
<--below info is common for all AD-->
UserObjectType : samaccountname
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : memberof
Hostname :
Port : 3268
Admin DN : Administrator@domain.com
Password :
If this is a new installation, then go for 4.2 :)
Regards,
Prem
Please rate if it helps!
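To make the settings in the post above concrete, here is an added example (not from this thread or from Cisco ACS) that simulates what the user and group lookup does with those exact values: the user subtree scopes the search, UserObjectType names the login attribute (sAMAccountName), UserObjectClass/GroupObjectClass filter on objectClass, the memberOf attribute carries group DNs, and GroupObjectType (cn) is the RDN attribute that supplies the group name. The directory entries, the DN-matching helpers and the simplified DN parser (no escaped commas) are constructed assumptions for illustration, not ACS internals.

```python
"""Simulated AD-as-LDAP user/group resolution using the ACS settings from the post.

Added example, not from the thread. Runs offline against a few constructed
entries that stand in for what a Global Catalog (port 3268) search would return.
"""
from typing import Dict, List, Optional, Tuple

# Settings exactly as listed in the post (LDAP attribute names are case-insensitive)
LDAP_SETTINGS = {
    "user_subtree": "DC=domain,DC=com",
    "group_subtree": "DC=domain,DC=com",
    "user_object_type": "samaccountname",
    "user_object_class": "person",
    "group_object_type": "cn",
    "group_object_class": "group",
    "group_attribute": "memberof",
    "port": 3268,  # Global Catalog; 389 would be the single-domain LDAP port
}

# Constructed directory: DN -> attributes (attribute names lower-cased, values as lists).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Dwane,OU=Users,DC=domain,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "samaccountname": ["dwane"],
        "memberof": [
            "CN=VPN-Users,OU=Groups,DC=domain,DC=com",
            "CN=Contractors,OU=Groups,DC=other,DC=com",  # outside the group subtree
        ],
    },
    "CN=VPN-Users,OU=Groups,DC=domain,DC=com": {"objectclass": ["top", "group"]},
    "CN=svc-acs,OU=Service,DC=domain,DC=com": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["svc-acs"],
        "memberof": [],
    },
    "CN=Printer1,OU=Devices,DC=domain,DC=com": {"objectclass": ["top", "printQueue"]},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=x,OU=y,DC=z' into [(attr, value), ...]. Assumption: no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def dn_under(dn: str, subtree: str) -> bool:
    """True if dn is at or below subtree; RDNs compared case-insensitively from the right."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    s = [(a, v.lower()) for a, v in parse_dn(subtree)]
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Value of the leading RDN if its attribute is attr (e.g. 'cn' for a group name)."""
    first_attr, first_value = parse_dn(dn)[0]
    return first_value if first_attr == attr.lower() else None


def has_class(attrs: Dict[str, List[str]], wanted: str) -> bool:
    return wanted.lower() in [c.lower() for c in attrs.get("objectclass", [])]


def find_user(directory, settings, login) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Mimic the user search: objectClass filter + login attribute, scoped to the user subtree."""
    for dn, attrs in directory.items():
        if not dn_under(dn, settings["user_subtree"]):
            continue
        if not has_class(attrs, settings["user_object_class"]):
            continue
        if attrs.get(settings["user_object_type"], [""])[0].lower() == login.lower():
            return dn, attrs
    return None


def resolve_groups(directory, settings, login) -> Optional[List[str]]:
    """Group names the server would map for login, or None if the user is not found."""
    found = find_user(directory, settings, login)
    if found is None:
        return None
    _, attrs = found
    groups = []
    for gdn in attrs.get(settings["group_attribute"], []):
        # Only groups inside the group subtree that really are 'group' objects count.
        if not dn_under(gdn, settings["group_subtree"]):
            continue
        gattrs = directory.get(gdn)
        if gattrs is None or not has_class(gattrs, settings["group_object_class"]):
            continue
        name = rdn_value(gdn, settings["group_object_type"])
        if name:
            groups.append(name)
    return groups


if __name__ == "__main__":
    print(resolve_groups(DIRECTORY, LDAP_SETTINGS, "DWANE"))   # ['VPN-Users']
    print(resolve_groups(DIRECTORY, LDAP_SETTINGS, "nobody"))  # None
```

The lookup is case-insensitive on both the login name and the DN components, as AD itself is, and the Contractors group is dropped because its DN is outside the configured group subtree. Note that a Global Catalog on port 3268 only holds the partial attribute set replicated forest-wide, so a user attribute not in that set will not be returned even though the same query on port 389 would return it.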
09-16-2008 05:16 AM
Prem,
What features would I lose? Also, if I take away the ACS agent, is there a way to assign another server so that I can offload logs for easy access?
Thanks
Dwane
09-16-2008 05:23 AM
You can go through the following link for the features that you'll lose.
If you are talking about the logs, i.e. passed, failed, RADIUS/TACACS accounting etc., and you wish not to have a Remote Agent even for logging, then you can make use of the syslog feature and send the syslogs to a syslog server.
Regards,
Prem
Please rate if it helps!
09-16-2008 05:25 AM
So I can keep a Remote Agent for Logging and still use the LDAP feature?
Thanks I will have to look through the links a tad more.
Dwane
09-16-2008 05:27 AM
yups, you can keep the RA for only logging and have authentication using LDAP separately.
Regards,
Prem
Please rate if this helps!
12-17-2008 09:59 AM
Prem,
I appreciate the help. I have configured this and of course, I am having issues.
I have configured the device to connect to the LDAP server. I have created a bind password on the actual LDAP server.
From the ACS server, I can do a telnet
From the ASA, I do a test aaa-server authentication radiusgroup host radiusserver username me password mypassword.
It will just not allow me to authenticate. Are there logs on the ACS besides failed authentication that I can check to see why?
Does anyone have any ideas?
Dwane
10-17-2008 03:45 AM
Can anyone confirm that the attributes above work with Microsoft AD and LDAP?
Best regards
Kasper
10-23-2008 09:23 AM
Kasper,
I am getting ready to set this up. I will let you know if the syntax for this setup is correct.
My question is, does anyone know of a "how to configure LDAP with ACS" example. When I go to the unknown policies on ACS, there are many things to configure such as the Domain Filter, primary and secondary LDAP servers.
Where do I find all this information and what does each do?
Dwane