I am implementing a Cisco NAC solution. I would like to perform Active Directory SSO so that users could log in once into the network. I will also set up an LDAP Lookup server on the NAC because I want to configure mapping rules so that users are placed into user roles based on AD attributes after AD SSO authentication.
After this is done, my issues are:
1- How do I configure that LDAP Lookup server itself (I am not talking about the config on the NAC side, that is not a problem)? A step by step instruction will be appreciated.
2- Should the config be done on a separate server or on the same Active Directory server?
3- Could this single sign on work for wireless and VPN clients?
You don't need to do anything on the AD side for LDAP setup. It already is an LDAP server. All configs for LDAP auth/lookup are done on the NAC side. You do require a user with read rights on the LDAP tree, so creating a user specifically for this purpose is the only thing you might need to do.
Also, wireless/VPN SSO is separate and relies on RADIUS accounting. Completely different things from AD SSO.
The only wireless SSO supported is using RADIUS accounting. NAC takes the information from the accounting packets and logs in that user in CCA.
You could theoretically do both AD SSO and wireless SSO, but it would be tricky depending on when the clients get their Kerberos ticket and how the timing plays out. If they don't get the Kerberos tickets in time, then the session would be a cached one, and AD SSO wouldn't work in that instance, but it doesn't really make sense to use both SSOs for a single scenario.
If you're using non-Cisco APs, I'm not sure how well that would work. CCA looks for RADIUS accounting start packets, so theoretically it can work with non-Cisco APs; it just won't be supported and isn't tested.
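To make the answer concrete, here is an added example (not from this thread, and not Cisco's or the NAC product's own code) of what the LDAP lookup step does after AD SSO: a read-only bind user searches AD for the authenticated account and the returned `memberOf` attribute is matched against ordered mapping rules to pick a user role. The directory content, the group DNs and the first-match rule ordering are all constructed assumptions so the script runs offline; a real deployment replaces `ldap_search` with an actual LDAP query over the read-only bind. The filter escaping follows RFC 4515, because the username placed into the filter comes from the SSO session and must not be able to change the shape of the search.

```python
import re
from typing import Dict, List

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the server."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Filter an LDAP lookup server would send to AD for the SSO-authenticated user."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


# Ordered mapping rules, first matching group wins (an assumed convention, not
# the product's documented semantics). Group DNs are constructed.
ROLE_RULES = [
    ("CN=NetAdmins,OU=Groups,DC=example,DC=com", "Admin"),
    ("CN=Staff,OU=Groups,DC=example,DC=com", "Employee"),
]
DEFAULT_ROLE = "Guest"

# Constructed stand-in for the directory: what a read-only bind user would see.
_DIRECTORY = [
    {"sAMAccountName": ["alice"],
     "memberOf": ["CN=NetAdmins,OU=Groups,DC=example,DC=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": ["bob"],
     "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},  # DN case differs
    {"sAMAccountName": ["carol"], "memberOf": []},
]

_SAM_RE = re.compile(r"\(sAMAccountName=([^)]*)\)")


def _unescape(value: str) -> str:
    """What the server does when reading the filter: \\XX escapes back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def ldap_search(search_filter: str) -> List[Dict[str, List[str]]]:
    """Stand-in for the real LDAP search; matches the (unescaped) name literally."""
    m = _SAM_RE.search(search_filter)
    if not m:
        return []
    wanted = _unescape(m.group(1)).lower()
    return [e for e in _DIRECTORY if e["sAMAccountName"][0].lower() == wanted]


def map_role(attrs: Dict[str, List[str]]) -> str:
    """Apply the mapping rules to the user's AD attributes; DNs compare case-insensitively."""
    groups = {dn.lower() for dn in attrs.get("memberOf", [])}
    for group_dn, role in ROLE_RULES:
        if group_dn.lower() in groups:
            return role
    return DEFAULT_ROLE


def lookup_role(username: str) -> str:
    """Role for a user identified by AD SSO; unknown or ambiguous lookups get the default."""
    entries = ldap_search(build_user_filter(username))
    if len(entries) != 1:
        return DEFAULT_ROLE
    return map_role(entries[0])


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, "->", lookup_role(name))
```

Two details are worth keeping when this is wired to a real directory: the bind account needs only read access to the user and group subtrees (the answer's point), and a lookup that returns zero or several entries should fall to the default role rather than to the first hit.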