AAA authentication with external database LDAP (Windows Server 2003)

Aug 26th, 2009

Hi,

Can anyone help me enable LDAP support for the ACS box, and also explain how to configure the Windows server to support LDAP authentication?

Erick Delgado Wed, 08/26/2009 - 10:31

Hi,

Please see documentation below.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html

I also have some guidelines I made myself.

I have attached the proper configuration for LDAP to communicate with the AD. To be clear, on the Windows Server we need to install an LDAP application. I would recommend LDAP Browser version 2.6, which you can get from Google. It is free. I just recreated your scenario with it, and I got it working.

After you get the LDAP Browser installed on the Windows Server, open the application. Click on Create a New Connection. It will open a wizard (refer to LDAPBrowser1.jpg). Set the hostname to the Windows Server IP address. On the port, type 3268. For the Base DN, click on Fetch DNs. If you get more than one, select the one that refers only to your domain name. In my case, my domain is CAMEJIAS.LOCAL, so I selected: DC=CAMEJIAS,DC=LOCAL. Please remember this Base DN, as you will need it on the ACS. After you finish this setup, click on Test Connection. You should not move forward if the test fails.

If the connection is successful, click Next. On the next screen (refer to LDAPBrowser2.jpg), select Simple Authentication. Under Bind DN, you will have to copy the LDAP admin's (any user on the AD) DN. In my case, the admin would be a user named "ldap" on the AD. I opened a Command Prompt on the Windows server and typed:

dsquery user -samid ldap

It returned:

CN=ldap,CN=Users,DC=CAMEJIAS,DC=LOCAL

That is what you need to paste under Bind DN. Please remember this Bind DN, as you will need it on the ACS. Under password, just type the user's password.

Click on Check Credentials. If the test is not successful, you should not move forward.

If everything goes fine, just click finish.

Now on the ACS (refer to LDAPConfig.jpg), under the LDAP configuration, Common LDAP Configuration: in the first 2 fields, use the same Base DN that you used in the LDAP browser. In my case it would be: DC=CAMEJIAS,DC=LOCAL.

In the other fields under Common LDAP Configuration, type the same attributes that you see in the screenshot LDAPConfig.jpg.

Under Primary LDAP Server, type the Windows Server IP address. On the port, type: 3268. Under Admin DN, use the same Bind DN that you used in the LDAP browser. In my case it would be: CN=ldap,CN=Users,DC=CAMEJIAS,DC=LOCAL.

Under password, type the user's password.

Submit the changes, go to Database Group Mapping, and let me know how this works.
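The post above relies on three values agreeing: the Base DN derived from the domain name, the Bind DN that dsquery returns for the admin account, and the Global Catalog port 3268. As an added example (not part of the thread or of any Cisco/Softerra tool), the script below parses DNs in the format dsquery prints, checks that the Admin DN actually sits under the Base DN, and assembles the values to type into ACS; the dictionary keys are this example's own labels, not ACS field names.

```python
# Added example (not from the thread): consistency checks for the DN values that
# the LDAP Browser wizard and the ACS "Common LDAP Configuration" page must share.
# Sample values are the ones the post uses (domain CAMEJIAS.LOCAL, bind user "ldap").
import re
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=ldap,CN=Users,DC=CAMEJIAS,DC=LOCAL' into (attribute, value) pairs.
    Handles backslash-escaped commas, which dsquery emits for names like 'Smith\\, John'."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):          # split only on unescaped commas
        attr, sep, value = rdn.strip().partition('=')
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.replace('\\,', ',')))
    return pairs

def base_dn_from_domain(domain: str) -> str:
    """CAMEJIAS.LOCAL -> DC=CAMEJIAS,DC=LOCAL (what the wizard's Fetch DNs shows)."""
    return ','.join(f"DC={label}" for label in domain.strip('.').split('.') if label)

def dn_is_under(bind_dn: str, base_dn: str) -> bool:
    """True if bind_dn lies in the subtree rooted at base_dn (case-insensitive,
    as AD compares DNs). A bind DN outside the base means the admin account was
    fetched from a different domain than the search base ACS will use."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    if len(base) > len(bind):
        return False
    tail = bind[len(bind) - len(base):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base]

def acs_ldap_settings(domain: str, bind_dn: str, server_ip: str, port: int = 3268) -> dict:
    """Assemble the values to enter in ACS, refusing inconsistent input.
    Key names are this example's own labels (hypothetical), not ACS field names."""
    base_dn = base_dn_from_domain(domain)
    if not dn_is_under(bind_dn, base_dn):
        raise ValueError(f"Admin DN {bind_dn} is not under Base DN {base_dn}")
    if port not in (389, 636, 3268, 3269):          # LDAP, LDAPS, GC, GC over SSL
        raise ValueError(f"unexpected LDAP port {port}")
    return {
        "user_directory_subtree": base_dn,    # first Base DN field on the ACS page
        "group_directory_subtree": base_dn,   # second Base DN field
        "primary_server": server_ip,
        "port": port,                         # 3268 = AD Global Catalog, as in the post
        "admin_dn": bind_dn,
    }

if __name__ == "__main__":
    print(acs_ldap_settings("CAMEJIAS.LOCAL",
                            "CN=ldap,CN=Users,DC=CAMEJIAS,DC=LOCAL", "192.0.2.10"))
```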

sandeep.waghchoure Fri, 08/28/2009 - 04:59

Hi,

Many thanks for your prompt reply.

100 out of 100

I can now connect to AD through LDAP.

I can also map the groups in the ACS server under the external database configuration.

But again a new problem has arisen.

Now when I try to authenticate an unknown user with the external database with LDAP support, it shows me the error as follows:

"authentication not supported by external database"

Can you please help me to solve this problem?

Erick Delgado Fri, 08/28/2009 - 08:41

What kind of authentication are you trying?

Are you trying EAP? If yes, EAP is not supported by LDAP, only by AD.

sandeep.waghchoure Sun, 08/30/2009 - 08:48

Hi,

Thanks for the prompt reply.

Actually, I am using an evaluation copy of ACS 4.2 for a demo to the customer, and I am not getting any option to enable the PAP protocol in the ACS config.

Can you guide me on how to enable PAP protocol support in the ACS config, and do I need to change any config on my Windows server for this type of authentication?

Jatin Katyal Mon, 08/31/2009 - 07:21

Since you are using an external user database, PAP should be supported by your back-end database. You don't need to enable this on ACS.

I am guessing that when the NAS sends a PAP request to ACS for a user, ACS sees that the user is in a database that doesn't support PAP, and therefore drops the PAP message and spits out the "Auth type not supported on External dB" message.

What kind of back-end database do you have... sounds like Novell NDS or LDAP?

HTH

Regards,

JK

sandeep.waghchoure Tue, 09/01/2009 - 22:48

Hi,

Thanks for the reply.

Actually, let me tell you what I have done so far:

One Windows 2003 server with ADS, the ACS evaluation copy installed on a Windows 2000 server, and one Windows XP machine; all these devices are connected to the 3750 switch.

As per your instructions, I installed Softerra LDAP Browser 2.6 on the ACS server, and I can also connect to the Windows AD through the LDAP protocol successfully. I can also map the groups in the ACS external database config.

I also enabled 802.1x authentication on the Windows XP machine with the "md5" option. All the basic steps are done properly. When I connect the XP machine to the switch, the user is prompted for authentication, but authentication fails on the user side.

I actually do not know anything about Windows, the LDAP database, how to create an LDAP database on Windows AD, etc.

Is there any config on Windows AD to create an LDAP database? Or how do I create a Novell NDS database?

I have not done any config on Windows AD for the LDAP database.

Please help me.

Jatin Katyal Thu, 09/03/2009 - 04:22

This is not working because you are using EAP-MD5, and that is not supported by the Windows database (AD), LDAP or Novell NDS. I would suggest you use EAP-TLS with the Windows database (best and secure).

Also, you can't use PEAP (inner method MSCHAPv2) with LDAP/Novell NDS.

HTH

Regards,

JK

sandeep.waghchoure Fri, 09/04/2009 - 06:32

Hi,

Thanks for the reply.

But when I try to enable EAP-TLS on ACS, it asks for a certificate and throws an error.

Is there anything I need in order to enable EAP-TLS in the ACS config?

Jatin Katyal Fri, 09/04/2009 - 06:48

Hi Sandeep,

Yes. Since this is certificate-based authentication, you will need certs on the ACS and the client machines.

You may refer to these:

Configuring EAP-TLS

===================

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

Different scenarios

===================

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

HTH

Regards,

JK
