Cisco Systems ASA 5580 Network Router User Manual


38-18
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Configuring AAA

Field                          Description

Login DN                       The ASA uses the Login Distinguished Name (DN) and Login Password to establish trust (bind) with an LDAP server. The Login DN represents a user record in the LDAP server that the administrator uses for binding. When binding, the ASA authenticates to the server using the Login DN and the Login password. When performing a Microsoft Active Directory read-only operation (such as authentication, authorization, or group-search), the ASA can bind with a Login DN with fewer privileges. For example, the Login DN can be a user whose AD "Member Of" designation is part of Domain Users. For VPN password management operations, the Login DN needs elevated privileges and must be part of the Account Operators AD group.

                               The following is an example of a Login DN:

                               cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com

                               The ASA supports:
                               - Simple LDAP authentication with an unencrypted password on port 389
                               - Secure LDAP (LDAP-S) on port 636
                               - Simple Authentication and Security Layer (SASL) MD5
                               - SASL Kerberos

                               The ASA does not support anonymous authentication.

Login Password                 The password for the Login DN user account. The characters that you type are replaced with asterisks.

LDAP Attribute Map             The LDAP attribute maps that you can apply to the LDAP server. Used to map Cisco attribute names to user-defined attribute names and values. For more information, see the "Adding an Authentication Prompt" section on page 38-26.

SASL MD5 authentication        When checked, the MD5 mechanism of the SASL authenticates communications between the ASA and the LDAP server.
check box

SASL Kerberos authentication   When checked, the Kerberos mechanism of the SASL secures authentication communications between the ASA and the LDAP server.

Kerberos Server Group          The Kerberos server or server group used for authentication. The Kerberos Server group option is disabled by default and is enabled only when SASL Kerberos authentication is chosen.

Group Base DN                  Used only for Active Directory servers using the LDAP protocol. This DN specifies the location in the LDAP hierarchy to begin searching for the AD groups (that is, the list of memberOf enumerations). If this field is not configured, the ASA uses the Base DN for AD group retrieval. ASDM uses the list of retrieved AD groups to define AAA selection criteria for dynamic access policies. For more information, see the show ad-groups command.

Group Search Timeout           Specifies the maximum time to wait for a response from an AD server that was queried for available groups.
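The following is an added example, not code from the Cisco guide or from ASDM. It models the fields of this dialog as a small Python dataclass and runs the checks a reviewer would apply before committing an LDAP server entry: the Login DN parses as a valid DN, a bind identity is present (the ASA does not support anonymous authentication), a simple bind on port 389 without LDAP-S or SASL is flagged because the Login password crosses the network unencrypted, SASL Kerberos requires a Kerberos server group, and an empty Group Base DN falls back to the Base DN. The attribute names on the dataclass and the sample entries are assumptions made for the example; the DN is the one shown on the page.

```python
"""Pre-commit sanity checks for an ASA LDAP server entry (added example).

Field names on the dataclass are assumptions that mirror the ASDM dialog;
they are not ASA configuration keywords.
"""
from dataclasses import dataclass
from typing import List, Tuple

LDAP_PORT = 389    # simple LDAP: password sent unencrypted (per the guide)
LDAPS_PORT = 636   # Secure LDAP (LDAP-S)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.

    Handles backslash-escaped commas in values (RFC 4514 style);
    multi-valued RDNs (a+b=...) are not needed for bind DNs and are not handled.
    """
    parts: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


@dataclass
class LdapServerEntry:
    """Assumed model of the dialog fields documented above."""
    login_dn: str
    login_password: str
    port: int = LDAP_PORT
    ldaps: bool = False            # Secure LDAP (LDAP-S), normally port 636
    sasl_md5: bool = False         # "SASL MD5 authentication" check box
    sasl_kerberos: bool = False    # "SASL Kerberos authentication" check box
    kerberos_server_group: str = ""
    base_dn: str = ""
    group_base_dn: str = ""


def effective_group_base_dn(e: LdapServerEntry) -> str:
    """Group Base DN, or the Base DN when the field is left empty."""
    return e.group_base_dn or e.base_dn


def check_entry(e: LdapServerEntry) -> List[str]:
    """Return a list of ERROR/WARN/INFO findings for the entry."""
    findings: List[str] = []
    if not e.login_dn or not e.login_password:
        findings.append("ERROR: Login DN and Login Password are required; "
                        "the ASA does not support anonymous authentication")
    else:
        parse_dn(e.login_dn)  # raises ValueError on a malformed DN
    if e.sasl_kerberos and not e.kerberos_server_group:
        findings.append("ERROR: SASL Kerberos selected but no Kerberos server group set")
    if not e.ldaps and not (e.sasl_md5 or e.sasl_kerberos):
        findings.append(f"WARN: simple bind on port {e.port}; the Login password "
                        "is sent unencrypted (use LDAP-S on 636 or SASL)")
    if e.ldaps and e.port != LDAPS_PORT:
        findings.append(f"WARN: LDAP-S enabled on port {e.port}; LDAP-S normally uses {LDAPS_PORT}")
    if not e.group_base_dn:
        findings.append("INFO: Group Base DN empty; AD group retrieval will use "
                        f"the Base DN {effective_group_base_dn(e)!r}")
    return findings


# Constructed sample entries (not from the page): the weak setting beside the corrected one.
WEAK = LdapServerEntry(login_dn="cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com",
                       login_password="example-only", base_dn="dc=company_A,dc=com")
HARDENED = LdapServerEntry(login_dn="cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com",
                           login_password="example-only", port=LDAPS_PORT, ldaps=True,
                           base_dn="dc=company_A,dc=com",
                           group_base_dn="ou=Groups,dc=company_A,dc=com")

if __name__ == "__main__":
    for name, entry in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_entry(entry) or ["OK"])
```

Running the block prints the WARN and INFO findings for the weak entry and "OK" for the hardened one; the checks only encode what the dialog text states (bind identity required, cleartext password on simple 389 bind, Kerberos server group dependency, Base DN fallback), so the script is a review aid, not a substitute for testing the bind against the directory.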