14-16
Cisco ASDM User Guide
OL-16647-01
Chapter 14 Configuring AAA Servers and the Local Database
Configuring AAA Server Groups
Field Description

Login DN
The security appliance uses the Login Distinguished Name (DN) and Login Password to establish trust (bind) with an LDAP server. The Login DN represents a user record in the LDAP server that the administrator uses for binding.
When binding, the security appliance authenticates to the server using the Login DN and the Login Password. When performing a Microsoft Active Directory read-only operation (such as for authentication, authorization, or group search), the security appliance can bind with a Login DN that has fewer privileges. For example, the Login DN can be a user whose AD "Member Of" designation is part of Domain Users.
For VPN password management operations, the Login DN needs elevated privileges and must be part of the Account Operators AD group.
An example of a Login DN is:
cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com
The security appliance supports:
- Simple LDAP authentication with an unencrypted password on port 389
- Secure LDAP (LDAP-S) on port 636
- Simple Authentication and Security Layer (SASL) MD5
- SASL Kerberos
The security appliance does not support anonymous authentication.

Login Password
The password for the Login DN user account. The characters you type are replaced with asterisks.

LDAP Attribute Map
The LDAP attribute maps that you can apply to the LDAP server. Used to map Cisco attribute names to user-defined attribute names and values. See the "Configuring LDAP Attribute Maps" section on page 14-22.

SASL MD5 authentication check box
When checked, the MD5 mechanism of the Simple Authentication and Security Layer (SASL) authenticates communications between the security appliance and the LDAP server.

SASL Kerberos authentication
When checked, the Kerberos mechanism of SASL secures authentication communications between the security appliance and the LDAP server.

Kerberos Server Group
The Kerberos server or server group used for authentication. The Kerberos Server Group option is disabled by default and is enabled only when SASL Kerberos authentication is chosen.
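The table above describes the bind settings and the privilege the Login DN needs for each kind of operation. The following is an added example (not Cisco code and not part of the ASDM guide) that reviews an LDAP server entry offline against those rules: it parses the Login DN into its RDNs, rejects an empty Login DN (anonymous binds are unsupported), flags a simple bind on port 389 as sending the Login Password unencrypted, requires a Kerberos Server Group when SASL Kerberos is selected, and compares the bind account's AD group membership with what the page says each operation needs. The LdapServerEntry field names, the use_ldaps flag, the password_management flag and the bind_account_groups set are assumptions made for this example; the group membership would in practice come from a directory lookup and is constructed here.

```python
"""Offline review of an ASA LDAP AAA server entry (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Login DN exactly as given in the guide's example.
EXAMPLE_LOGIN_DN = "cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com"


@dataclass
class LdapServerEntry:
    """Mirror of the ASDM fields on this page; field names are an assumption."""
    login_dn: str
    login_password: str
    server_port: int
    use_ldaps: bool = False            # LDAP-S, normally port 636
    sasl_md5: bool = False             # "SASL MD5 authentication" check box
    sasl_kerberos: bool = False        # "SASL Kerberos authentication" check box
    kerberos_server_group: Optional[str] = None
    password_management: bool = False  # VPN password management in use (assumption)
    bind_account_groups: Set[str] = field(default_factory=set)  # AD "Member Of" (constructed)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def check_entry(e: LdapServerEntry) -> List[str]:
    """Return findings (ERROR/WARN/INFO) for the entry; an empty list means no issue."""
    findings = []
    if not e.login_dn.strip():
        findings.append("ERROR: empty Login DN; the security appliance does not support anonymous binds")
    else:
        try:
            parse_dn(e.login_dn)
        except ValueError as exc:
            findings.append(f"ERROR: Login DN is not a valid DN ({exc})")
    if not e.login_password:
        findings.append("ERROR: empty Login Password")
    # Simple bind without LDAP-S or a SASL mechanism puts the Login Password on the wire in clear.
    if not (e.use_ldaps or e.sasl_md5 or e.sasl_kerberos):
        findings.append(f"WARN: simple bind on port {e.server_port} sends the Login Password unencrypted")
    if e.use_ldaps and e.server_port != 636:
        findings.append(f"INFO: LDAP-S selected on port {e.server_port}; the guide lists port 636")
    if e.sasl_kerberos and not e.kerberos_server_group:
        findings.append("ERROR: SASL Kerberos selected but no Kerberos Server Group set")
    # Privilege of the bind account versus the operations it performs.
    if e.password_management and "Account Operators" not in e.bind_account_groups:
        findings.append("WARN: password management needs a Login DN in the Account Operators group")
    if not e.password_management and "Account Operators" in e.bind_account_groups:
        findings.append("INFO: read-only use; Domain Users membership is enough for the Login DN")
    return findings


# Constructed sample entries: a weak configuration and its hardened counterpart.
WEAK_ENTRY = LdapServerEntry(
    login_dn=EXAMPLE_LOGIN_DN, login_password="constructed-secret", server_port=389,
    password_management=True, bind_account_groups={"Domain Users"})
HARDENED_ENTRY = LdapServerEntry(
    login_dn=EXAMPLE_LOGIN_DN, login_password="constructed-secret", server_port=636,
    use_ldaps=True, bind_account_groups={"Domain Users"})

if __name__ == "__main__":
    for name, entry in (("weak", WEAK_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(name, check_entry(entry) or ["no findings"])
```

Run as a script it prints the findings for both constructed entries; the weak one is flagged for the cleartext simple bind and for a bind account that lacks the Account Operators membership its password-management use needs, while the hardened entry produces no findings.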