Cisco Support Community
New Member

ACS - LDAP or AD

Hi PPL,

Currently I have 4 ACSs synced with AD.

Due to security concerns we are thinking of going to LDAP.

I can't find exactly what I'll lose/gain with each method.

Can someone provide more information?

Thanks!

ACCEPTED SOLUTION

ACS - LDAP or AD

Chen,

You lose the ability to fail over to more than two servers in your deployment. If your ACSs are spread across all datacenters, you do not have the ability to configure separate LDAP servers for each DC as well. ACS and AD operations rely on Sites and Services, so that the closest DC based on this configuration is preferred.

If password management for remote access VPN (AnyConnect) is desired, you need MS-CHAP to accomplish this; LDAP does not support this protocol.

Also, if you are using 802.1X, there are only a few EAP authentication methods, referenced here, that support LDAP.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Tarik Admani
*Please rate helpful posts*

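The MS-CHAP limitation in Tarik's reply, modelled as runnable Python. This is an added example, not code from the thread or from Cisco: the two directory classes, the user "chen" and its password are constructed stand-ins, the HMAC-SHA1 step replaces the three DES encryptions of the real MS-CHAPv2 NT-Response, and the verify_mschap() call is an assumption standing in for however a domain-joined authenticator gets the domain controller to check the response. What it shows is the reason behind the limitation: PAP and the PAP-based EAP methods only need the identity store to answer a bind with the cleartext password, whereas MS-CHAPv2 never sends the password and the verifier must already hold the user's NT hash (MD4 of the UTF-16LE password), which a generic LDAP server does not hand out.

```python
"""Added example (not from the thread): why an LDAP bind-only store can serve
PAP but not MS-CHAPv2.  The DES step of the real NT-Response (RFC 2759) is
replaced by HMAC-SHA1 so the model runs on the standard library alone."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320): hashlib when the OpenSSL build still exposes it, otherwise a
    pure-Python fallback (OpenSSL 3 moved md4 into the optional legacy provider)."""
    try:
        return hashlib.new("md4", data).digest()
    except Exception:
        pass
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates d, then c, then b
        state = [(s + v) & M for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: unsalted MD4 over the UTF-16LE password (a password equivalent)."""
    return md4(password.encode("utf-16-le"))


def nt_response(nthash: bytes, auth_challenge: bytes, peer_challenge: bytes, username: str) -> bytes:
    """Computed by the peer and recomputed by the verifier: needs the NT hash, never the password."""
    # ChallengeHash as in RFC 2759 section 8.2: SHA-1, first 8 bytes.
    challenge_hash = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]
    # Stand-in for the DES encryptions of RFC 2759 section 8.5; same key material, same property.
    return hmac.new(nthash, challenge_hash, hashlib.sha1).digest()


class LdapDirectory:
    """Constructed generic LDAP server: stores a salted one-way digest, exposes only bind()."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._users = {}

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 20_000)

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = self._digest(password)

    def bind(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, self._digest(password))


class ActiveDirectory(LdapDirectory):
    """Constructed domain controller: also keeps NT hashes and verifies MS-CHAPv2
    responses for the authenticator (assumed model of the domain-joined case)."""

    def __init__(self):
        super().__init__()
        self._nt = {}

    def add_user(self, username: str, password: str) -> None:
        super().add_user(username, password)
        self._nt[username] = nt_hash(password)

    def verify_mschap(self, username, auth_challenge, peer_challenge, response) -> bool:
        h = self._nt.get(username)
        return h is not None and hmac.compare_digest(
            nt_response(h, auth_challenge, peer_challenge, username), response)


def pap_authenticate(store, username: str, cleartext: str) -> bool:
    """PAP and PAP-based EAP methods (e.g. EAP-GTC): forward the password, get yes/no."""
    return store.bind(username, cleartext)


def mschap_authenticate(store, username, auth_challenge, peer_challenge, response):
    """MS-CHAPv2 on the authenticator: a bind-only store cannot check the response (None)."""
    verify = getattr(store, "verify_mschap", None)
    return None if verify is None else verify(username, auth_challenge, peer_challenge, response)


def demo() -> dict:
    ad, ldap = ActiveDirectory(), LdapDirectory()
    for store in (ad, ldap):
        store.add_user("chen", "Winter2013!")  # constructed credential
    auth_ch, peer_ch = os.urandom(16), os.urandom(16)  # 16-byte challenges as in RFC 2759
    good = nt_response(nt_hash("Winter2013!"), auth_ch, peer_ch, "chen")  # peer knows the password
    bad = nt_response(nt_hash("wrong"), auth_ch, peer_ch, "chen")
    return {
        "pap_ldap_good": pap_authenticate(ldap, "chen", "Winter2013!"),
        "pap_ldap_bad": pap_authenticate(ldap, "chen", "wrong"),
        "mschap_ad_good": mschap_authenticate(ad, "chen", auth_ch, peer_ch, good),
        "mschap_ad_bad": mschap_authenticate(ad, "chen", auth_ch, peer_ch, bad),
        "mschap_ldap": mschap_authenticate(ldap, "chen", auth_ch, peer_ch, good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The PAP path succeeds against either store; the MS-CHAPv2 path succeeds only against the store that holds the NT hash, and the bind-only LDAP store has no way to answer it at all. The same point is why AnyConnect password change over MS-CHAP needs AD: the exchange is built on the NT hash, not on a bind.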
3 REPLIES

New Member

ACS - LDAP or AD

So it looks like there are not many cons to working with LDAP, right?

Can I still use groups?

Silver

ACS - LDAP or AD

Yes, you can use groups; not many cons. As Tarik mentioned, MSCHAP is the only major letdown.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1140082

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed
