Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

understanding LDAP and authorization

I'm working on a ASA and integrating it into active directory for the first time and am having trouble understanding some of the AAA concepts.

if I set the AAA settings for VPN tunnel access to use LDAP authentication and authorization, I can use a domain account to log in just fine. However if I make a change in the Active Directory to not allow remote access for that account, it still allows access...

if I set the AAA settings for VPN tunnel access to use RADIUS authentication and authorization (the RADIUS is integrated into AD already), I can log in just fine and I can then allow/deny VPN access using Active Directory account's remote access properties.

I'm confused, isn't "authorization" the part that should look into the active directory for settings? and isn't "authentication" just the process of looking up the username/password? if this is correct, based on the documentation that LDAP supports authorization, but not authentication, it should be picking up these settings, but doesn't.

my second misunderstanding is if I have to resort to a RADIUS server for active directory integration, why would anyone bother to setup LDAP directly to the AD, when all it seems to do is a username/password check?

thanks for any help, just trying to understand.


Re: understanding LDAP and authorization


You're sort of correct... in theory LDAP could be used to authorise for AAA - but to my knowledge no AAA server yet supports this.

ACS almost does, in as much as it can map from the users LDAP group membership to an ACS group. But this is far from actually retrieving the data from LDAP itself.

Remember also, that LDAP only offers quite simple authentication protocols... basically PAP. We tried long and hard to get LDAP vendors to support MSCHAP. The reason being that there were 1000s of customers wanting LEAP wireless against their LDAP database.

So the AAA server is still a required component in order to map between the AAA world of protocols and packets and the LDAP world of users and groups.

Make any sense?


New Member

Re: understanding LDAP and authorization

Thanks for the reply!

but if the only thing LDAP will really accomplish is mapping users to groups, isn't that an authentication function (which is supposedly not supported).

I almost suspect that the ASA documentation is backward. where they say authorization is supported and authentication isn't, it should be the other way around. since as you say, it'll map users to groups, but no real data comes out of active directory, it seems this fits into the definition of authentication.

CreatePlease to create content