
7-16
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
LDAP
Note This section describes the general steps to configure an LDAP authentication provider. You can also use these steps to configure SIMPLE or GSSAPI authentication for an LDAP Lookup Server, which is used for authorization when configuring AD SSO. For details on configuring AD SSO, refer to the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).
An LDAP auth provider in the Clean Access Manager can be used to authenticate users against a Microsoft Active Directory server. See Authenticating Against a Backend Active Directory, page 7-28 for details. You can configure the LDAP server to use one of two authentication mechanisms:
SIMPLE—The CAM and LDAP server pass user ID and password information between themselves without encrypting the data. See Configure LDAP Server with Simple Authentication, page 7-17.
GSSAPI—(Generic Security Services Application Programming Interface) Provides an option to encrypt user ID and password information passed between the CAM and the specified LDAP server to help ensure privacy. See Configure LDAP Server with GSSAPI Authentication, page 7-18.
Note To ensure complete DNS capability when using GSSAPI, you must ensure that all Domain Controllers, child domains, and hosts conform to strict DNS naming conventions and that you have the ability to perform both forward- and reverse-DNS.
In Cisco NAC Appliance, you can configure one LDAP auth provider using the GSSAPI authentication method and one Kerberos auth provider, but only one of the two can be active at any time. See Kerberos, page 7-5 for more information.
For LDAP over GSSAPI functions with FIPS 140-2 compliant CAMs, you must ensure that hosts are running Windows 2008 Server to support secure authentication sessions between external resources and FIPS-compliant appliances.
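To make concrete what "without encrypting the data" means for the SIMPLE mechanism, the following Python is an added example (not code from the Cisco guide or the CAM): it builds an LDAPv3 BindRequest in BER as defined in RFC 4511 for the simple authentication choice and then decodes it the way a packet inspector on the LDAP port would, so the bind DN and password are visible verbatim. It also encodes the anonymous form (empty DN and empty password) and, for contrast, the first message of a SASL bind naming the GSSAPI mechanism, where only the mechanism name is exposed. The DN and password are constructed sample values, and the SASL message omits the Kerberos token a real GSSAPI bind would carry.

```python
"""Added example, not from the Cisco guide: what a SIMPLE LDAP bind looks like on the wire."""


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(n: int) -> bytes:
    """BER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    An empty bind_dn with an empty password is the anonymous bind (RFC 4513)."""
    bind_request = tlv(
        0x60,  # [APPLICATION 0] constructed: BindRequest
        ber_integer(3)                            # version
        + tlv(0x04, bind_dn.encode("utf-8"))      # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode("utf-8")),    # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_integer(message_id) + bind_request)


def encode_sasl_bind(message_id: int, mechanism: str) -> bytes:
    """Same message with the sasl [3] choice. A real GSSAPI bind also carries a Kerberos
    token in the optional credentials field; it is omitted here (simplification)."""
    bind_request = tlv(
        0x60,
        ber_integer(3)
        + tlv(0x04, b"")                              # name is left empty for SASL binds
        + tlv(0xA3, tlv(0x04, mechanism.encode())),   # sasl [3] SaslCredentials { mechanism }
    )
    return tlv(0x30, ber_integer(message_id) + bind_request)


def read_tlv(buf: bytes, pos: int):
    """Decode one element at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload: bytes):
    """Inspect a captured LDAP message; returns a dict, or None if it is not a BindRequest."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        op_tag, bind, _ = read_tlv(msg, pos)
        if tag != 0x02 or op_tag != 0x60:
            return None
        _, version, pos = read_tlv(bind, 0)
        _, name, pos = read_tlv(bind, pos)
        auth_tag, auth, _ = read_tlv(bind, pos)
    except (IndexError, ValueError):
        return None
    info = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8", "replace"),
    }
    if auth_tag == 0x80:                      # simple: the password is readable as-is
        info["mechanism"] = "simple"
        info["password"] = auth.decode("utf-8", "replace")
        info["anonymous"] = info["bind_dn"] == "" and info["password"] == ""
    elif auth_tag == 0xA3:                    # sasl: only the mechanism name is visible
        _, mech, _ = read_tlv(auth, 0)
        info["mechanism"] = "sasl/" + mech.decode("utf-8", "replace")
    else:
        info["mechanism"] = "unknown"
    return info


if __name__ == "__main__":
    # Constructed sample credentials for a search account such as the CAM would use.
    wire = encode_simple_bind(1, "CN=svc-cam,OU=Service Accounts,DC=example,DC=com", "Hunter2!")
    print(parse_bind_request(wire))                           # password field present verbatim
    print(parse_bind_request(encode_sasl_bind(2, "GSSAPI")))  # mechanism name only
```

The decoder is the kind of check a defender can run over a capture of port 389 traffic: any BindRequest whose authentication choice is simple (tag 0x80) and whose transport is not TLS has just exposed a directory credential, which is the case the GSSAPI option (or LDAPS) is meant to remove.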
Note Cisco NAC Appliance performs standard search and bind authentication. For LDAP, if Search(Admin) Username/Search(Admin) Password is not specified, Cisco NAC Appliance attempts anonymous bind.
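The search-and-bind sequence the note refers to, as an added example that is not Cisco's code: the Python below runs the three steps (bind with the Search(Admin) credentials or anonymously, search below the base DN for the one entry whose login attribute matches, then bind as that entry with the user's password) against a constructed in-memory directory so it executes offline. All DNs, account names and passwords are invented, and the `FakeDirectory` class is a stand-in for a real LDAP server. It also shows the failure cases a practitioner should expect: a wrong password (resultCode 49), an anonymous session that the directory does not allow to search (resultCode 50), and a login name that matches zero or more than one entry under the base DN.

```python
"""Added example, not from the Cisco guide: search-then-bind against a constructed directory."""
from dataclasses import dataclass

INVALID_CREDENTIALS = 49          # LDAP resultCode values from RFC 4511
INSUFFICIENT_ACCESS_RIGHTS = 50


class LdapError(Exception):
    def __init__(self, code: int, text: str):
        super().__init__(f"resultCode {code}: {text}")
        self.code = code


@dataclass
class FakeDirectory:
    """Stand-in for the LDAP server. entries maps DN -> attributes (constructed data)."""
    entries: dict
    anonymous_can_search: bool = False   # many directories refuse searches from anonymous sessions

    def bind(self, dn: str, password: str) -> str:
        """Returns a session identity: the bound DN, or 'anonymous' for an empty DN and password."""
        if dn == "" and password == "":
            return "anonymous"
        entry = self.entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise LdapError(INVALID_CREDENTIALS, "invalidCredentials")
        return dn

    def search(self, session: str, base_dn: str, attribute: str, value: str) -> list:
        """Subtree search for attribute=value (case-insensitive, as AD treats sAMAccountName)."""
        if session == "anonymous" and not self.anonymous_can_search:
            raise LdapError(INSUFFICIENT_ACCESS_RIGHTS, "insufficientAccessRights")
        return [
            dn for dn, attrs in self.entries.items()
            if dn.lower().endswith(base_dn.lower())
            and str(attrs.get(attribute, "")).lower() == value.lower()
        ]


def search_and_bind(directory, base_dn, login_attr, username, password,
                    search_dn="", search_password=""):
    """Authenticate username/password; returns the user's DN or raises LdapError/LookupError."""
    session = directory.bind(search_dn, search_password)                # step 1 (anonymous if unset)
    matches = directory.search(session, base_dn, login_attr, username)  # step 2
    if len(matches) != 1:                                               # refuse missing or ambiguous
        raise LookupError(f"{len(matches)} entries match {login_attr}={username!r}")
    return directory.bind(matches[0], password)                         # step 3


# Constructed directory contents; every DN, name and password here is invented.
SEARCH_ACCOUNT = ("CN=svc-cam,OU=Service Accounts,DC=example,DC=com", "search-account-secret")
DIRECTORY = FakeDirectory({
    SEARCH_ACCOUNT[0]: {"sAMAccountName": "svc-cam", "userPassword": SEARCH_ACCOUNT[1]},
    "CN=Jane Doe,OU=Staff,DC=example,DC=com":
        {"sAMAccountName": "jdoe", "userPassword": "jane-password"},
    "CN=Old Jane Doe,OU=Disabled,DC=example,DC=com":   # same login outside the base DN
        {"sAMAccountName": "jdoe", "userPassword": "stale"},
})
BASE_DN = "OU=Staff,DC=example,DC=com"


def authenticate(username: str, password: str, use_search_account: bool = True) -> str:
    """Wrapper with the example's own settings; returns the bound DN or a short failure reason."""
    creds = SEARCH_ACCOUNT if use_search_account else ("", "")
    try:
        return search_and_bind(DIRECTORY, BASE_DN, "sAMAccountName", username, password, *creds)
    except LdapError as e:
        return f"ldap error {e.code}"
    except LookupError as e:
        return f"lookup failed: {e}"


if __name__ == "__main__":
    print(authenticate("jdoe", "jane-password"))         # bound as Jane's DN
    print(authenticate("jdoe", "wrong"))                 # ldap error 49
    print(authenticate("jdoe", "jane-password", False))  # anonymous session cannot search: error 50
```

Whether an anonymous session may search is a property of the directory's configuration, not of the CAM: if the LDAP server refuses anonymous searches, leaving the Search(Admin) fields empty makes step 2 fail for every user before any password is ever checked. Scoping the search to a base DN, as the disabled duplicate entry shows, also decides which account a login name resolves to.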