
New Member

Kerberos vs ldap authentication for anyconnect clients

Hi,

I have a Cisco ASA that remote clients will be connecting to for VPN (using the Cisco client). I want user authentication to be done through Active Directory, but I am really not sure which method I should use. What is the advantage of one over the other?

Thanks

3 REPLIES
Cisco Employee

Kerberos vs ldap authentication for anyconnect clients

Hi Zafar

I would say go for LDAP; it gives you more options than Kerberos apart from just authenticating users.

Using LDAP you can make sure only one specific group can connect using VPN.

You can assign group policies on the basis of users.

It gives you more options than Kerberos.

I hope that answers your question.

Thanks

Jeet Kumar

New Member

Kerberos vs ldap authentication for anyconnect clients

Hi Jeet,

Thanks for your quick response. Can you please explain in a little more detail how, when using LDAP, I can allow one specific group to connect using VPN? Also, you mentioned "You can assign group policies on the basis of users." Will those group policies be applied at the ASA or at the LDAP server?

Thanks

Cisco Employee

Kerberos vs ldap authentication for anyconnect clients

Hi Zafar,

Frequently, administrators want to provide VPN users with different access permissions or WebVPN content. On the ASA this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map.

In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute.

In order to get a better understanding and review the configuration example, I'd encourage you to visit the link listed below. In case you have any query or concern, post all your doubts here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Why we prefer LDAP over Kerberos: the only reason is that with Kerberos, though you can encrypt the whole packet, it would not allow you to restrict user authorization. With LDAP, you get this flexibility. In case you would ever like to configure or troubleshoot Kerberos in your setup, don't forget to review this document:

https://supportforums.cisco.com/docs/DOC-2974

~BR
Jatin Katyal

**Do rate helpful posts**
