Filter
Top Products
14-7
Cisco ASDM User Guide
OL-16647-01
Chapter 14 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
LDAP Server Types
The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA
System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active
Directory, and other LDAPv3 directory servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft Active Directory,
a Sun LDAP directory server, or a generic LDAPv3 directory server. However, if auto-detection fails to
determine the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP
server, you can manually configure the server type.
Note • Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
• Generic—The security appliance does not support password management with a generic LDAPv3
directory server.
Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP
server which returns LDAP attributes. These attributes generally include authorization data that applies
to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.
SSO Support for WebVPN with HTTP Forms
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of
WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only
once to access multiple protected services and Web servers. The WebVPN server running on the security
appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN
server sends an SSO authentication request, including username and password, to the authenticating
server using HTTPS. If the server approves the authentication request, it returns an SSO authentication
cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it
to authenticate the user to secure websites within the domain protected by the SSO server.
In addition to the HTTP Form protocol, WebVPN administrators can choose to configure SSO with the
HTTP Basic and NTLM authentication protocols (the auto-signon command), or with Computer
Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder) as well. For an in-depth
discussion of configuring SSO with either HTTP Forms, auto-signon or SiteMinder, see the Clientless
SSL VPN chapter.