LDAP configuration on Active Directory

Feb 12th, 2010

Dear Sir,

I am implementing a Cisco NAC solution. I would like to perform Active Directory SSO so that users log in only once to the network. I will also set up an LDAP Lookup server on the NAC, because I want to configure mapping rules so that users are placed into user roles based on AD attributes after AD SSO authentication.

After this is done my issue is:

1- How do I configure the LDAP Lookup server itself (I am not talking about the config on the NAC side; that is not a problem)? Step-by-step instructions would be appreciated.

2- Should the config be done on a separate server or on the same Active Directory server?

3- Could this single sign-on work for wireless and VPN clients?


Faisal Sehbai Fri, 02/12/2010 - 11:20


You don't need to do anything on the AD side for LDAP setup; it already is an LDAP server. All configuration for LDAP auth/lookup is done on the NAC side. You do require a user with read rights on the LDAP tree, so creating a user specifically for this purpose is the only thing you might need to do.

Also, wireless/VPN SSO is separate and relies on RADIUS accounting. Completely different things from AD SSO.
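The answer above puts the lookup and the role mapping entirely on the NAC side: the NAC binds to AD with the read-only account, searches for the user that AD SSO just authenticated, and compares the returned attributes against mapping rules. The block below is an added example of that NAC-side step, written here to illustrate the thread; it is not Cisco NAC code, and the rule format, attribute names and the sample directory entry are constructed for the example. It also shows the one check a practitioner wants in that path: the user name the SSO step hands over is placed inside an LDAP search filter, so it must be escaped per RFC 4515 before use.

```python
"""Role mapping over AD attributes after AD SSO (constructed example, not Cisco NAC code)."""
from __future__ import annotations

from typing import Dict, List, Tuple, Union

# RFC 4515 escaping for values embedded in an LDAP search filter. Backslash
# must be handled first so the escape sequences themselves are not re-escaped.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value before interpolating it into a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(sam_account_name: str) -> str:
    """Filter the lookup server would send to AD for the SSO-authenticated user.

    Without escaping, a name such as ``*`` would match every user object and
    the role decision would be made on whichever entry AD returned first.
    """
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; whitespace around commas is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# A mapping rule here is (role, attribute, wanted value); first match wins,
# which is why the rule order matters. Hypothetical format for the example.
Rule = Tuple[str, str, str]
Entry = Dict[str, Union[str, List[str]]]


def assign_role(entry: Entry, rules: List[Rule], default_role: str = "Unauthenticated Role") -> str:
    """Return the first role whose rule matches the directory entry."""
    for role, attr, wanted in rules:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if attr.lower() == "memberof":
            # memberOf is multi-valued and holds group DNs; compare normalised DNs.
            if normalize_dn(wanted) in {normalize_dn(v) for v in values}:
                return role
        elif wanted.lower() in {v.lower() for v in values}:
            return role
    return default_role


# Constructed sample entry as AD would return it for the lookup; not real data.
SAMPLE_ENTRY: Entry = {
    "sAMAccountName": "alice",
    "department": "Finance",
    "memberOf": [
        "CN=Finance Users, OU=Groups, DC=example, DC=com",
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    ],
}

# Most specific rule first; the department rule acts as a fallback.
SAMPLE_RULES: List[Rule] = [
    ("Finance Role", "memberOf", "cn=finance users,ou=groups,dc=example,dc=com"),
    ("Employee Role", "department", "finance"),
]


if __name__ == "__main__":
    print(build_lookup_filter("alice"))
    print(assign_role(SAMPLE_ENTRY, SAMPLE_RULES))
```

One caveat worth knowing when writing the rules: memberOf lists direct group memberships only, so a rule on a group that the user reaches through a nested group will not match unless the lookup itself resolves nesting (AD supports this server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter, OID 1.2.840.113556.1.4.1941).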



kolawole1 Sat, 02/13/2010 - 11:52

Thanks for the answer.

About wireless SSO, can I use the LDAP feature of Active Directory to do wireless SSO?

I am concerned about wireless (non-Cisco AP) clients logging in twice.

Even if I choose a RADIUS server, they will still log in twice (to the network and then to Active Directory), as the NAC authentication is based on Active Directory SSO.

Any suggestions?


Faisal Sehbai Sat, 02/13/2010 - 19:26


The only wireless SSO supported is using RADIUS accounting. NAC takes the information from the accounting packets and logs that user in to CCA.

You could theoretically do both AD SSO and wireless SSO, but it would be tricky depending on when the clients get their Kerberos ticket and how the timing plays out. If they don't get the Kerberos tickets in time, then the session would be a cached one, and AD SSO wouldn't work in that instance, but it doesn't really make sense to use both SSOs for a single scenario.

If you're using non-Cisco APs, I'm not sure how well that would work. CCA looks for RADIUS accounting Start packets, so theoretically it can work with non-Cisco APs; it just won't be supported and isn't tested.



