I would like to configure the appliance to use our LDAP server as opposed to configuring a separate Windows devices - ACS agent. Can this be done? Is there a document out there that will allow me to do this and does the group recommend updating to 4.2 prior to configuring this?
Using AD as LDAP will allow you not to install any agent for AD user authentication. But by doing that you may lose some features that you get by using it as a Windows Database on ACS.
As it would be LDAP, please consult the following matrix for the features available,
Other than that, configure AD as a normal LDAP, only change the default LDAP port from 389 to 3268 (Global Catalog).
User directory and group directory subtree would be your AD root.
User Directory Subtree : DC=domain,DC=com
Group Directory Subtree : DC=domain,DC=com
<--below info is common for all AD-->
UserObjectType : samaccountname
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : memberof
Port : 3268
Admin DN : Administrator@domain.com
If this is a new installation, then go for 4.2 :)
Please rate if it helps!
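A small emulation of the lookup those settings drive, added here as an example (not from this thread and not ACS code): it builds the user search filter from UserObjectType/UserObjectClass, escapes the username per RFC 4515 so a RADIUS-supplied name cannot alter the filter, and checks memberOf group membership under the group subtree against a constructed sample of Global Catalog entries. The domain, DNs and user names are placeholders.

```python
import re

# Settings as given in the answer above; "domain.com" is a placeholder.
ACS_LDAP = {
    "port": 3268,                          # Global Catalog, not plain LDAP 389
    "user_subtree": "DC=domain,DC=com",
    "group_subtree": "DC=domain,DC=com",
    "user_object_type": "samaccountname",
    "user_object_class": "person",
    "group_attribute": "memberof",
}

# Constructed sample of what a Global Catalog search might return (not real data).
SAMPLE_ENTRIES = [
    {"dn": "CN=me,CN=Users,DC=domain,DC=com",
     "samaccountname": "me", "objectclass": ["top", "person", "user"],
     "memberof": ["CN=VPN-Users,OU=Groups,DC=domain,DC=com",
                  "CN=Domain Users,CN=Users,DC=domain,DC=com"]},
    {"dn": "CN=svc-acs,CN=Users,DC=domain,DC=com",
     "samaccountname": "svc-acs", "objectclass": ["top", "person", "user"],
     "memberof": []},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: metacharacters in the username become \\XX sequences."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(cfg: dict, username: str) -> str:
    """Search filter built from UserObjectClass and UserObjectType."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["user_object_class"], cfg["user_object_type"], escape_filter_value(username))

def find_user(entries, cfg, username):
    """Emulate a subtree search: class and attribute must match under the user subtree."""
    for e in entries:
        in_subtree = e["dn"].lower().endswith(cfg["user_subtree"].lower())
        if in_subtree and cfg["user_object_class"] in e["objectclass"] \
                and e[cfg["user_object_type"]].lower() == username.lower():
            return e
    return None

def group_names(entry, cfg):
    """CNs taken from the memberOf DNs that lie under the group subtree."""
    names = []
    for dn in entry.get(cfg["group_attribute"], []):
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if m and dn.lower().endswith(cfg["group_subtree"].lower()):
            names.append(m.group(1))
    return names

def user_in_group(entries, cfg, username, group) -> bool:
    entry = find_user(entries, cfg, username)
    return entry is not None and group in group_names(entry, cfg)
```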
What features would I lose? Also, if I take away the ACS agent, is there a way to assign another server so that I can offload logs for easy access?
You can go through the following link for the features that you'll lose,
If you are talking about the logs, i.e. pass, fail, RADIUS/TACACS accounting, etc.
If you wish not to have a Remote Agent even for logging, then you can make use of the syslogging feature and send the syslogs to a syslog server.
Please rate if it helps!
So I can keep a Remote Agent for Logging and still use the LDAP feature?
Thanks I will have to look through the links a tad more.
I appreciate the help. I have configured this and of course, I am having issues.
I have configured the device to connect to the LDAP server. I have created a bind password on the actual LDAP server.
From the ACS server, I can do a telnet
From the ASA, I do a test aaa-server authentication radiusgroup host radiusserver username me password mypassword.
It will just not allow me to authenticate. Are there logs on the ACS besides failed authentication that I can check to see why?
Does anyone have any ideas?
I am getting ready to set this up. I will let you know if the syntax for this setup is correct.
My question is, does anyone know of a "how to configure LDAP with ACS" example. When I go to the unknown policies on ACS, there are many things to configure such as the Domain Filter, primary and secondary LDAP servers.
Where do I find all this information and what does each do?