Cisco Support Community

New Member

Using LDAP on ACS 4.1.1 appliance

I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows device - ACS agent. Can this be done? Is there a document out there that will allow me to do this, and does the group recommend updating to 4.2 prior to configuring this?

Thanks

Dwane

8 REPLIES

Re: Using LDAP on ACS 4.1.1 appliance

Using AD as LDAP will allow you not to install any Agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows Database on ACS.

As it would be LDAP, please consult the following matrix for the features available:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

Other than that, configure AD as a normal LDAP; only change the default LDAP port from 389 to 3268 (Global Catalog).

User directory and group directory subtree would be your AD root.

<--for example-->

User Directory Subtree : DC=domain,DC=com

Group Directory Subtree : DC=domain,DC=com

<--below info is common for all AD-->

UserObjectType : samaccountname

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : memberof

Hostname :

Port : 3268

Admin DN : Administrator@domain.com

Password :

If this is a new installation, then go for 4.2 :)

Regards,

Prem

Please rate if it helps!

New Member

Re: Using LDAP on ACS 4.1.1 appliance

Prem,

What features would I lose? Also, if I take away the ACS agent, is there a way to assign another server so that I can offload logs for easy access?

Thanks

Dwane

Re: Using LDAP on ACS 4.1.1 appliance

You can go through the following links for the features that you'll lose:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207

If you are talking about the logs, i.e. Pass, Fail, Radius/Tacacs accounting, etc., and you wish to not have the Remote Agent even for logging, then you can make use of the Syslogging feature and send the syslogs to a syslog server.

Regards,

Prem

Please rate if it helps!

New Member

Re: Using LDAP on ACS 4.1.1 appliance

So I can keep a Remote Agent for Logging and still use the LDAP feature?

Thanks, I will have to look through the links a tad more.

Dwane

Re: Using LDAP on ACS 4.1.1 appliance

yups, you can keep the RA for only logging and have authentication using LDAP separately.

Regards,

Prem

Please rate if this helps!

New Member

Re: Using LDAP on ACS 4.1.1 appliance

Prem,

I appreciate the help. I have configured this and of course, I am having issues.

I have configured the device to connect to the LDAP server. I have created a bind password on the actual LDAP server.

From the ACS server, I can do a telnet 389 and it will go.

From the ASA, I do a test aaa-server authentication radiusgroup host radiusserver username me password mypassword.

It will just not allow me to authenticate. Are there logs on the ACS besides failed authentication that I can check to see why?

Does anyone have any ideas?

Dwane
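The posts above give the ACS-to-AD settings (subtree, object type/class, group attribute, port 3268) and then a case where telnet to 389 succeeds yet the ASA test authentication still fails. As an added example that is not from this thread or from Cisco, the following Python models the usual search-then-bind flow an LDAP-backed AAA server such as ACS performs with those settings, offline: the directory contents, user, password and group name are constructed, and the port-mismatch check reflects that the connectivity test above used 389 while the recommended ACS port is 3268.

```python
"""Offline model of the search-then-bind lookup ACS performs against AD with the
settings posted above; a dict stands in for the Global Catalog so it runs with no DC."""

# Settings from the thread (AD attribute names match case-insensitively, so the
# lower-case spellings in the post are equivalent). Hostname/bind password omitted.
ACS_LDAP = {
    "user_subtree": "DC=domain,DC=com",
    "user_object_type": "sAMAccountName",
    "user_object_class": "person",
    "group_attribute": "memberOf",
    "port": 3268,  # Global Catalog, as recommended above
}

# Constructed directory: DN -> attributes. "_password" stands in for the check
# the DC performs when ACS binds as the user in step 2.
DIRECTORY = {
    "CN=Dwane,OU=Staff,DC=domain,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["dwane"],
        "memberOf": ["CN=NetAdmins,OU=Groups,DC=domain,DC=com"],
        "_password": "correct horse",
    },
}

def user_filter(cfg, login):
    """Filter ACS effectively issues (a real client must escape login per RFC 4515)."""
    return f"(&(objectClass={cfg['user_object_class']})({cfg['user_object_type']}={login}))"

def find_user(directory, cfg, login):
    """Step 1 (after the Admin DN bind): search the User Directory Subtree."""
    base = "," + cfg["user_subtree"].lower()
    return [dn for dn, a in directory.items() if dn.lower().endswith(base)
            and cfg["user_object_class"] in a.get("objectClass", [])
            and login.lower() in [v.lower() for v in a.get(cfg["user_object_type"], [])]]

def group_cns(attrs, cfg):
    """Group names ACS maps from the Group Attribute Name (first RDN of each DN)."""
    return [dn.split(",")[0].split("=", 1)[1] for dn in attrs.get(cfg["group_attribute"], [])]

def authenticate(directory, cfg, login, password, tested_port=None):
    """Return (ok, reason); reason names the step to check when ACS only says 'failed'."""
    if tested_port is not None and tested_port != cfg["port"]:
        return False, f"connectivity was tested on {tested_port} but ACS is set to {cfg['port']}"
    hits = find_user(directory, cfg, login)
    if len(hits) != 1:
        return False, f"{len(hits)} entries matched {user_filter(cfg, login)} under {cfg['user_subtree']}"
    if directory[hits[0]].get("_password") != password:
        return False, f"step 2: bind as {hits[0]} rejected"
    return True, "groups: " + ",".join(group_cns(directory[hits[0]], cfg))
```

Against a real DC the same two steps can be exercised with an ordinary LDAP client bound as the Admin DN on port 3268, which separates a reachability or subtree problem from a bad user password before looking at the ACS failed-attempts log.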

kkp
New Member

Re: Using LDAP on ACS 4.1.1 appliance

Can anyone confirm that the attributes above work with Microsoft AD and LDAP?

Best regards

Kasper

New Member

Re: Using LDAP on ACS 4.1.1 appliance

Kasper,

I am getting ready to set this up. I will let you know if the syntax for this setup is correct.

My question is, does anyone know of a "how to configure LDAP with ACS" example? When I go to the unknown policies on ACS, there are many things to configure, such as the Domain Filter and primary and secondary LDAP servers.

Where do I find all this information and what does each do?

Dwane
