ACS 5.x: LDAP Server Configuration Example

Similar documents
Managing External Identity Sources

Configuring the Cisco VPN 3000 Concentrator with MS RADIUS

LDAP/AD v1.0 User Guide

Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server

How to Configure Authentication and Access Control (AAA)

Realms and Identity Policies

Fixing Issues with Corporate Directory Lookup from the Cisco IP Phone

Configuring the VPN Client 3.x to Get a Digital Certificate

Active Directory 2000 Plugin Installation for Cisco CallManager

Wireless LAN Controller Web Authentication Configuration Example

User Management in Resource Manager

Realms and Identity Policies

NAT Support for Multiple Pools Using Route Maps

Realms and Identity Policies

Configuring Vulnerability Assessment Devices

Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

TACACS+ on an Aironet Access Point for Login Authentication Configuration Example

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

LDAP Configuration Guide

Using NAT in Overlapping Networks

Getting Started With Authentication Servers

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

Managing Certificates

User Databases. ACS Internal Database CHAPTER

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Integrating Cisco CallManager IVR and Active Directory

Securing LDAP Directory Integration with Cisco Unified CallManager 4.x

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

Directory Integration with VMware Identity Manager

LDAP Servers for AAA

Import Users From LDAP Directory

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Manage Administrators and Admin Access Policies

WebView and IIS Connection Timeouts

User Migration Tool. User Migration Tool Prerequisites

Install and Configure the TS Agent

Cisco Expressway Authenticating Accounts Using LDAP

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

How to Configure a Cisco Router Behind a Non-Cisco Cable Modem

Wired Dot1x Version 1.05 Configuration Guide

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

BusinessObjects Enterprise XI

How to Integrate an External Authentication Server

Configuring Cisco TelePresence Manager

Cisco Secure Desktop (CSD) on IOS Configuration Example using SDM

CLI users are not listed on the Cisco Prime Collaboration User Management page.

LDAP Synchronization

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Installing the Cisco Unified CallManager Customer Directory Plugin Release 4.3(1)

Configure WLC with LDAP Authentication for 802.1x and Web-Auth WLANs

IPCC: Lightweight Directory Access Protocol (LDAP) Troubleshooting Guide

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Configuring Cisco Unified Presence for Integration with Microsoft Exchange Server

Configuring Pentaho with LDAP or Active Directory

VMware AirWatch Certificate Authentication for EAS with ADCS

User Accounts for Management Access

Configuring Security Features on an External AAA Server

Remote Authentication

Tune the CTC HEAP Variables on the PC to Improve CTC Performance

Novell Kerberos Login Method for NMASTM

VMware Identity Manager Administration

Lab 5.6b Configuring AAA and RADIUS

Remote Support Security Provider Integration: RADIUS Server

Blue Coat Security First Steps Solution for Integrating Authentication Using LDAP

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP

Cisco TelePresence Management Suite Provisioning Extension

IPv6 Support for LDAP

Using ANM With Virtual Data Centers

Configuring the Cisco VPN 3000 Concentrator 4.7.x to Get a Digital Certificate and a SSL Certificate

Lock and Key: Dynamic Access Lists

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Manage Administrators and Admin Access Policies

Manage Administrators and Admin Access Policies

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

Host Access Management and Security Server Administrative Console Users Guide. August 2016

vcloud Director User's Guide

UCS Uplink Ethernet Connection Configuration Example

Authenticating Cisco VCS accounts using LDAP

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

TrueSight Capacity Optimization 10.x - LDAP Integration with Microsoft Active Directory. January 2017

Configuring SAML-based Single Sign-on for Informatica Web Applications

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Migrating from IBM Lotus Domino to Zimbra Collaboration Suite

EveryonePrint Integration with Equitrac. Configuration Guide. EveryonePrint Integration with Equitrac Page 1 of 14

Data Center Network Manager (DCNM) with SFTP Switch Configuration Backup

VII. Corente Services SSL Client

Configuring LDAP. Finding Feature Information

User Identity Sources

Troubleshooting IMAP Clients and ViewMail for Outlook

CallManager Configuration Requirements for IPCC

Setting Up Resources in VMware Identity Manager

Creating Column Profiles on LDAP Data Objects

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Setting Up the Sensor

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Transcription:

ACS 5.x: LDAP Server Configuration Example Document ID: 113473 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Directory Service Authentication Using LDAP LDAP Connection Management Configure Configure ACS 5.x for LDAP Configure the Identity Store Troubleshoot Related Information Introduction Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying and modifying directory services that run on TCP/IP and UDP. LDAP is a lightweight mechanism for accessing an x.500 based directory server. RFC 2251 defines LDAP. Cisco Secure Access Control System (ACS) 5.x integrates with an LDAP external database (also called an identity store) by using the LDAP protocol. There are two methods used to connect to the LDAP server: plain text (simple) and SSL (encrypted) connection. ACS 5.x can be configured to connect to the LDAP server using both of these methods. This document provides a configuration example for connecting ACS 5.x to an LDAP server using a simple connection. Prerequisites Requirements This document assumes that the ACS 5.x has an IP connection to the LDAP server and that port TCP 389 is open. By default, the Microsoft Active Directory LDAP server is configured to accept LDAP connections on port TCP 389. If you are using any other LDAP server, make sure that it is up and running and accepting connections on port TCP 389. Components Used The information in this document is based on these software and hardware versions: Cisco Secure ACS 5.x Microsoft Active Directory LDAP server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Background Information Directory Service The directory service is a software application or set of applications used to store and organize information about a computer network's users and network resources. You can use the directory service in order to manage user access to these resources. The LDAP directory service is based on a client server model. A client connects to an LDAP server in order to start an LDAP session, and sends operation requests to the server. The server then sends its responses. One or more LDAP servers contain data from the LDAP directory tree or the LDAP back end database. The directory service manages the directory, which is the database that holds the information. Directory services use a distributed model in order to store information, and that information is usually replicated between directory servers. An LDAP directory is organized in a simple tree hierarchy and can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An entry in the tree contains a set of attributes, where each attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema. Each entry has a unique identifier called its Distinguished Name (DN). This name contains the Relative Distinguished Name (RDN) constructed from attributes in the entry, followed by the parent entry's DN. You can think of the DN as a full filename, and the RDN as a relative filename in a folder. Authentication Using LDAP ACS 5.x can authenticate a principal against an LDAP identity store by performing a bind operation on the directory server in order to find and authenticate the principal. If authentication succeeds, ACS can retrieve groups and attributes that belong to the principal. The attributes to retrieve can be configured in the ACS web interface (LDAP pages). These groups and attributes can be used by ACS in order to authorize the principal. In order to authenticate a user or query the LDAP identity store, ACS connects to the LDAP server and maintains a connection pool. See LDAP Connection Management. LDAP Connection Management ACS 5.x supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined

according to the maximum number of administration connections configured for each server. ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened. If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and attempts to renew the connection. After the authentication process is complete, the connection manager releases the connection to the connection manager. For more information, refer to ACS 5.X User Guide. Configure In this section, you are presented with the information to configure the features described in this document. Configure ACS 5.x for LDAP Complete these steps in order to configure ACS 5.x for LDAP: 1. Choose Users and Identity Stores > External Identity Stores > LDAP, and click Create in order to create a new LDAP connection. 2. In the General tab, provide the Name and Description (optional) for the new LDAP, and click Next. 3. In the Server Connection tab under the Primary Server section, provide the Hostname, Port, Admin

DN, and Password. Click Test Bind To Server. Note: The IANA assigned port number for LDAP is TCP 389. However, confirm the port number that your LDAP server is using from your LDAP Admin. The Admin DN and Password should be provided to you by your LDAP Admin. Your Admin DN should have read all permissions on all the OUs on the LDAP server. 4. This image shows that the Connection Test Bind to the server was successful. Note: If the Test Bind is not successful, re verify the Hostname, Port number, Admin DN, and Password from your LDAP Administrator. 5. Click Next.

6. Provide the required details in the Directory Organization tab under the Schema section. Similarly, provide the required information under the Directory Structure section as provided by your LDAP Admin. Click Test Configuration. 7. This image shows that the Configuration Test is successful.

Note: If the Configuration Test is not successful, re verify the parameters provided in the Schema and the Directory Structure from your LDAP Administrator. 8. Click Finish. 9. The LDAP server is created successfully.

Configure the Identity Store Compete the steps in order to configure the Identity Store: 1. Choose Access Policies > Access Services > Service Selection Rules, and verify which service is going to use the LDAP server for Authentication. In this example, the LDAP Server Authentication uses the Default Network Access service. 2. Once you have verified the service in Step 1, go to the particular service and click Allowed Protocols. Make sure that Allow PAP/ASCII is selected, and click Submit. Note: You can have other authentication protocols selected along with Allow PAP/ASCII. 3. Click on the service identified in Step 1, and click Identity. Click Select to the right of the Identity Source field.

4. Select the newly created LDAP Server (myldap, in this example), and click OK. 5. Click Save Changes. 6. Go to the Authorization section of the service identified in Step 1, and make sure that there is at least one Rule that permits Authentication.

Troubleshoot ACS sends a bind request to authenticate the user against an LDAP server. The bind request contains the user's DN and user password in clear text. A user is authenticated when the user's DN and password matches the username and password in the LDAP directory. Authentication Errors ACS logs authentication errors in the ACS log files. Initialization Errors Use the LDAP server timeout settings in order to configure the number of seconds that ACS waits for a response from an LDAP server before determining that the connection or authentication on that server has failed. Possible reasons for an LDAP server to return an initialization error are: LDAP is not supported The server is down The server is out of memory The user has no privileges Incorrect administrator credentials are configured Bind Errors Possible reasons for an LDAP server to return bind (authentication) errors are: Filtering errors A search using filter criteria fails Parameter errors Invalid parameters were entered User account is restricted (disabled, locked out, expired, password expired, and so on) These errors are logged as external resource errors, indicating a possible problem with the LDAP server: A connection error occurred The timeout expired The server is down The server is out of memory The A user does not exist in the database error is logged as an Unknown User error. The An invalid password was entered error is logged as an Invalid Password error, where the user exists, but the password sent is invalid. Related Information Cisco Secure Access Control System Requests for Comments (RFCs) Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map 2014 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Mar 20, 2012 Document ID: 113473

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback