As far as I know, ACS does not support LDAP (well, it does support an LDAP backend, i.e. it can function as an LDAP client, but not as an LDAP server).
So your options are:
1- do not use ACS, but use an LDAP server instead (OpenLDAP, Microsoft AD, ...)
2- do not use LDAP, use RADIUS for authorization. However, since the RADIUS protocol does not know the concept of authorization, the ASA will send a RADIUS authentication request - the username is derived from the certificate (you've probably already configured that part) but since it doesn't query the user for a password, it will either use a common password (i.e. all users on ACS need to have the same password) or it will use the username as password (so all users on ACS need to have their password set to their username). Your choice, but probably not what you want if you already have an ACS with a user db that is also used for other access control.
3- use certificate + RADIUS authentication - the user will have to enter his username and password but then you can use your existing ACS database where every user has its unique password.
That's my main problem: I don't know what password is delivered to the ACS server. I've tried to create a local ACS user with the password equal to the username: without success. I can't figure out what you have described as "common password"... Do you have a hint for me?
Could TACACS+ be an alternative solution for my problem?
I just did a quick test with a user on ACS with the password the same as the username, and then used the "test aaa" command on the ASA, and it worked fine. Did not try it yet with an actual sslvpn session with certificates. Perhaps the certificate to username mapping is not set up correctly? You can check the ACS logs to see which username the ASA is sending.
By default, ASA will use the CN from the certificate as the username. If you want to use something else, use the username-from-certificate command in tunnel-group general-attributes mode.
For the password: if you wish to use a common password instead, configure this:
aaa-server (inside) host x.x.x.x radius-common-pw
As for TACACS+, good question and to be honest I don't know. Will try it in the lab if I find some more free time.
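Added example, not part of the original thread or from its participants: one way the pieces discussed above (certificate authentication, username taken from the certificate CN, RADIUS used for authorization with a common password) fit together in an ASA configuration. The names `ACS_RADIUS` and `SSLVPN_CERT` and the bracketed values are hypothetical placeholders, and the exact setup used in the thread is an assumption.

```text
! Hypothetical RADIUS server group pointing at the ACS (group name is an assumption)
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host x.x.x.x
 key <shared-secret>
 ! Without the next line the ASA sends the username as the password.
 ! With it, every ACS user that must be authorized needs this same password.
 radius-common-pw <common-password>
!
! Hypothetical tunnel group for certificate-based SSL VPN users
tunnel-group SSLVPN_CERT general-attributes
 ! Authorization (not authentication) is done against the ACS
 authorization-server-group ACS_RADIUS
 ! Refuse the session if the authorization lookup fails
 authorization-required
 ! CN is the default; shown explicitly because the ACS user name must match it
 username-from-certificate CN
!
tunnel-group SSLVPN_CERT webvpn-attributes
 ! The user is authenticated by certificate only, no password prompt
 authentication certificate
```

Because the password in this setup is either the username or one shared value, ACS accounts used this way are effectively protected only by the certificate check on the ASA, which is the concern raised in option 2 above for an ACS user database shared with other access control.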