Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Information About AAA
You can configure the ASA and LDAP server to support any combination of these SASL mechanisms.
If you configure multiple mechanisms, the ASA retrieves the list of SASL mechanisms that are
configured on the server and sets the authentication mechanism to the strongest mechanism configured
on both the ASA and the server. For example, if both the LDAP server and the ASA support both
mechanisms, the ASA selects Kerberos, the stronger of the mechanisms.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data that is
applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single
step.
LDAP Server Types
The ASA supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System
Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory,
Novell, OpenLDAP, and other LDAPv3 directory servers.
By default, the ASA auto-detects whether it is connected to Microsoft Active Directory, Sun LDAP,
Novell, OpenLDAP, or a generic LDAPv3 directory server. However, if auto-detection fails to determine
the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP server, you
can manually configure the server type.
When configuring the server type, note the following guidelines:
• The DN configured on the ASA to access a Sun directory server must be able to access the default
password policy on that server. We recommend using the directory administrator, or a user with
directory administrator privileges, as the DN. Alternatively, you can place an ACL on the default
password policy.
• You must configure LDAP over SSL to enable password management with Microsoft Active
Directory and Sun servers.
• The ASA does not support password management with Novell, OpenLDAP, and other LDAPv3
directory servers.
• The ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust
relationship (bind) with an LDAP server. For more information, see the “Binding the ASA to the
LDAP Server” section on page B-4.
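The password management guidelines above can be checked against a saved configuration. The following is an added example, not code from the Cisco guide: it assumes the CLI form of the settings as they appear in a running configuration, all group names and addresses are constructed, and the problem labels it returns are this example's own. A host with no server-type line (auto-detect) gets only the SSL check.

```python
import re

# Constructed sample in ASA running-config style (not taken from the guide).
SAMPLE_CONFIG = """\
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-over-ssl enable
aaa-server AD_CLEAR protocol ldap
aaa-server AD_CLEAR (inside) host 192.0.2.11
aaa-server OPEN_LDAP protocol ldap
aaa-server OPEN_LDAP (inside) host 192.0.2.12
 server-type openldap
 ldap-over-ssl enable
tunnel-group VPN_OK general-attributes
 authentication-server-group AD_LDAP
 password-management
tunnel-group VPN_CLEAR general-attributes
 authentication-server-group AD_CLEAR
 password-management
tunnel-group VPN_OPEN general-attributes
 authentication-server-group OPEN_LDAP
 password-management
"""
UNSUPPORTED = {"novell", "openldap", "generic"}  # no password management

def audit_password_management(config):
    """Return (tunnel_group, server_group, problem) per guideline violation."""
    servers, groups, cur = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol ldap\b", line):
            servers[m.group(1)], cur = [], None
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            cur = {"type": "auto-detect", "ssl": False}
            servers.get(m.group(1), []).append(cur)  # non-LDAP hosts dropped
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            cur = groups.setdefault(m.group(1), {"aaa": None, "pm": False})
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the block
        elif cur is not None and line.strip():
            key, *rest = line.split()
            if key == "server-type" and rest: cur["type"] = rest[0]
            elif key == "ldap-over-ssl": cur["ssl"] = rest == ["enable"]
            elif key == "authentication-server-group" and rest: cur["aaa"] = rest[0]
            elif key == "password-management": cur["pm"] = True
    return [(tg, g["aaa"], "unsupported-server-type"
             if h["type"] in UNSUPPORTED else "ldap-over-ssl-disabled")
            for tg, g in groups.items() if g["pm"]
            for h in servers.get(g["aaa"], [])
            if h["type"] in UNSUPPORTED or not h["ssl"]]
```

Calling audit_password_management(SAMPLE_CONFIG) reports VPN_CLEAR (password management enabled against an LDAP host without LDAP over SSL) and VPN_OPEN (password management enabled against an OpenLDAP server).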
HTTP Forms Authentication for Clientless SSL VPN
The ASA can use the HTTP Form protocol for both authentication and single sign-on (SSO) operations
of Clientless SSL VPN user sessions only.
Local Database Support, Including as a Fallback Method
The ASA maintains a local database that you can populate with user profiles.
The local database can act as a fallback method for several functions. This behavior is designed to help
you prevent accidental lockout from the ASA.
For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords on the AAA servers. This practice provides transparent
fallback support. Because the user cannot determine whether a AAA server or the local database is