
ldap configuration on active directory

kolawole1
Level 1

Dear Sir,

I am implementing a Cisco NAC solution. I would like to perform Active Directory SSO so that users can log in once to the network. I will also set up an LDAP Lookup server on the NAC because I want to configure mapping rules so that users are placed into user roles based on AD attributes after AD SSO authentication.

After this is done my issue is:

1- How do I configure the LDAP Lookup server itself (I am not talking about the config on the NAC side; that is not a problem)? Step-by-step instructions would be appreciated.

2- Should the config be done on a separate server or on the same Active Directory server?

3- Could this single sign-on work for wireless and VPN clients?

Thanks.


Faisal Sehbai
Level 7

Hi,

You don't need to do anything on the AD side for LDAP setup. It already is an LDAP server. All configs for LDAP auth/lookup are done on the NAC side. You do require a user with read rights on the LDAP tree, so creating a user specifically for this purpose is the only thing you might need to do.

Also, wireless/VPN SSO is separate and relies on RADIUS accounting. Completely different things from AD SSO.

HTH,

Faisal
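The two AD-side steps the reply above describes, creating a dedicated read-only bind account and then proving that account can look up a user's group membership, as an added worked example. This is not code from the thread or from Cisco; it is run on a domain-joined Windows host with the ActiveDirectory module. The domain example.com, the OU "OU=Service Accounts", the account name svc-nac-ldap, the DC dc01.example.com and the test user jdoe are all assumptions to be replaced with your own values.

```powershell
# Added example (not from the original thread). Assumed names: example.com,
# OU=Service Accounts, svc-nac-ldap, dc01.example.com and the test user jdoe.
Import-Module ActiveDirectory

$domainDn = "DC=example,DC=com"
$svcName  = "svc-nac-ldap"
$svcOu    = "OU=Service Accounts,$domainDn"
$dc       = "dc01.example.com"

# 1. Create a dedicated account for the NAC to bind with. Authenticated users
#    can already read the directory tree by default, so no extra rights are
#    granted; the value is a separate identity with one narrow purpose that
#    can be audited and revoked without touching a human account.
$pw = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@example.com" -Path $svcOu `
    -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "LDAP lookup account for Cisco NAC (read-only)"

# 2. Test the lookup the way the NAC will perform it: a simple bind as the
#    service account, then a search for one user returning the attribute the
#    mapping rules will key on (memberOf). Bind over LDAPS (port 636): a simple
#    bind sends the password in clear text on plain LDAP (port 389).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = New-Object System.Net.NetworkCredential("$svcName@example.com", $pw)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${dc}:636")
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind($cred)   # throws if the password or the DC certificate is wrong

$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, "(sAMAccountName=jdoe)",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, "memberOf")
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

# One line per group DN; these are the exact strings a memberOf-based
# mapping rule has to match, so copy them from here rather than retyping.
foreach ($entry in $resp.Entries) {
    $entry.DistinguishedName
    $entry.Attributes["memberOf"].GetValues([string])
}
```

If the bind succeeds and the group DNs print, the NAC-side LDAP Lookup server can be pointed at the same DC, base DN and account. Whether the NAC itself binds over LDAPS is a NAC-side setting the thread does not cover; if it can only use plain LDAP, treat the service account's password as exposed on the wire and keep the account limited to read access as above.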

Thanks for the answer.

About wireless SSO, can I use the LDAP feature of Active Directory to do wireless SSO?

I am concerned about wireless (non-Cisco AP) clients logging in twice.

Even if I choose a RADIUS server, they will still log in twice (to the network and then to Active Directory), as the NAC authentication is based on Active Directory SSO.

Any suggestions?

Thanks.

Hello,

The only wireless SSO supported is using RADIUS accounting. NAC takes the information from the accounting packets and logs that user in to CCA.

You could theoretically do both AD SSO and wireless SSO, but it would be tricky depending on when the clients get their Kerberos ticket and how the timing plays out. If they don't get the Kerberos tickets in time, then the session would be a cached one, and AD SSO wouldn't work in that instance, but it doesn't really make sense to use both SSOs for a single scenario.

If you're using non-Cisco APs, I'm not sure how well that would work. CCA looks for RADIUS accounting start packets, so theoretically it can work with non-Cisco APs; it just won't be supported and isn't tested.

HTH,

Faisal
