
New Member

ACS 4.0 user authentication with AD using LDAP EXT DB

Hello,

I have not yet understood whether it is possible with ACS 4.0 to configure external database authentication using Generic LDAP to connect to a Windows 2003 Server Active Directory.

I spent more than 3 weeks searching for docs explaining how to do this, but nothing seems to be available.

Could anyone please be so kind as to point me in the right direction?

In detail my problem is:

When I try to connect to the LDAP server (no matter how I configure the connection parameters) to configure group mapping, I always get "LDAP Server not Reachable. Please check the configuration".

Consider that I've checked the connection parameters by making a test connection using Softerra LDAP Browser, and it works fine!

I have Windows 2003 Standard Edition SP1 and Cisco ACS 4.0(1) Build 27

Any help would be greatly appreciated.

  • AAA Identity and NAC
6 REPLIES
New Member

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

Hi

I have the same question about the link between "LDAP AD" and ACS

and the same error :)

If you have a solution

thanks

Cisco Employee

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

Hi,

ACS has a limitation of 500 groups. If Active Directory returns more than that when using Generic LDAP, it will display the error mentioned.

Please reduce the Group Directory Tree in the Generic LDAP config and we should see the groups being fetched.

I am assuming here that the rest of the configuration is perfect and ACS can reach the LDAP server.

Regards,

Vivek

New Member

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

Hello,

Thanks for your response, but in fact in my situation I don't fetch enough groups to reach this limit (500).

I wonder if it is possible for you to show me your configuration to map an LDAP Active Directory to ACS?

like :

User Directory Subtree :

Group Directory Subtree :

UserObjectType :

UserObjectClass :

GroupObjectType :

GroupObjectClass :

Group Attribute Name :

And another question: you link an ACS to an AD LDAP base AND NOT an ACS to a non-Microsoft LDAP base? This is just to be sure :)

Thanks

Cisco Employee

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

Hi,

You can bind to any LDAP server.

I have given below a sample config from ACS-AD:

User Directory Subtree : dc=test,dc=com

Group Directory Subtree : dc=test,dc=com

UserObjectType : cn

UserObjectClass : Person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : member

You will need to change the group and user directory subtree as per your domain. The rest will work as given.

Regards,

Vivek

New Member

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

OK, I will test this.

Is there a configuration to do on the AD to accept this type of request, or not?

In fact I use the ACS to authenticate computers in 802.1X with PEAP MS-CHAP v2.

With an external Windows database in ACS it works fine, but I want to test with an LDAP external database.

Thanks for your help

New Member

Re: ACS 4.0 user authentication with AD using LDAP EXT DB

I don't think those suggested parameters for AD are correct. I've just been trying to get this to work myself and have found that these values work for our AD.

UserObjectType samaccountname

UserObjectClass user

GroupObjectType dn

GroupObjectClass group

Group Attribute Name member

It's a real pain that ACS error messages aren't properly descriptive for external LDAP. 'Cannot connect to LDAP server' actually translates to 'I'm not coded to scale easily to large directories with a lot of groups'.

Can I put in a feature request to help future users of the product by having some drop-down menus that fill in some defaults for popular LDAP directories like AD and E-Directory... or at least some coherent documentation about it.

Without running non-encrypted LDAP queries and using Wireshark I'd be nowhere.
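Because ACS reports every failure as "LDAP Server not Reachable", it helps to check the parameters before touching ACS. The block below is an added example (not from the thread or from Cisco): a constructed in-memory model of an AD-style directory against which the two parameter sets posted above (Vivek's cn/Person and the later samaccountname/user) are applied, plus the 500-group check. It is not an LDAP client, and the search logic (subtree scope, objectClass match, type-attribute match) is my assumption about what ACS does.

```python
# Constructed in-memory model of an AD-style directory; not an LDAP client. How ACS
# really builds its searches is an assumption (subtree + objectClass + type attribute).
ACS_GROUP_LIMIT = 500  # limit quoted by Vivek above
# Constructed sample entries. AD user objects carry both 'person' and 'user' in
# objectClass; cn is the display name, sAMAccountName the Windows logon name.
DIRECTORY = {
    "CN=John Doe,OU=Users,DC=test,DC=com":
        {"objectClass": ["top", "person", "organizationalPerson", "user"],
         "cn": ["John Doe"], "sAMAccountName": ["jdoe"]},
    "CN=VPN Users,OU=Groups,DC=test,DC=com":
        {"objectClass": ["top", "group"], "cn": ["VPN Users"],
         "member": ["CN=John Doe,OU=Users,DC=test,DC=com"]},
    "CN=Printers,OU=Groups,DC=test,DC=com":
        {"objectClass": ["top", "group"], "cn": ["Printers"], "member": []},
}
# The two parameter sets as posted (dict keys are my own labels for the ACS fields).
VIVEK_CFG = {"user_subtree": "dc=test,dc=com", "group_subtree": "dc=test,dc=com",
             "user_type": "cn", "user_class": "Person",
             "group_type": "cn", "group_class": "group", "group_attr": "member"}
AD_CFG = dict(VIVEK_CFG, user_type="samaccountname", user_class="user", group_type="dn")

def get_attr(attrs, name):
    """LDAP attribute names and these values are case-insensitive; normalise both."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return {v.lower() for v in values}
    return set()

def search(base, object_class, type_attr=None, value=None):
    """DNs under `base` whose objectClass contains object_class (and type_attr=value)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and object_class.lower() in get_attr(attrs, "objectClass")
            and (type_attr is None or value.lower() in get_attr(attrs, type_attr))]

def find_user(cfg, login):
    """Resolve a login name with the posted UserObjectType/UserObjectClass."""
    return search(cfg["user_subtree"], cfg["user_class"], cfg["user_type"], login)

def user_groups(cfg, user_dn):
    """Groups whose Group Attribute Name (member) lists the user's DN."""
    return [dn for dn in search(cfg["group_subtree"], cfg["group_class"])
            if user_dn.lower() in get_attr(DIRECTORY[dn], cfg["group_attr"])]

def group_count_ok(cfg):
    """Group mapping fetches every group under Group Directory Subtree; the thread
    reports ACS showing 'LDAP Server not Reachable' once that exceeds 500."""
    n = len(search(cfg["group_subtree"], cfg["group_class"]))
    return n, n <= ACS_GROUP_LIMIT
```

With Vivek's parameters the login "jdoe" resolves to nothing because UserObjectType cn matches the display name, while the samaccountname/user pair resolves it to the user DN and its group. The model covers only user lookup and group mapping; Generic LDAP in ACS verifies passwords by binding as the user, which is why the PEAP MS-CHAP v2 case mentioned in this thread needs the Windows external database rather than LDAP.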
