Specifications

7-18
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
Step 6 Server version—The LDAP version. Supported types include Version 2 and Version 3. Leave as Auto
(default) to have the server version automatically detected.
Step 7 Search Base Context—The root of the LDAP tree in which to perform the search for users (e.g.
dc=cisco, dc=com).
Step 8 Search Filter—The attribute to be authenticated (e.g., uid=$user$, or sAMAccountName=$user$).
Step 9 Referral—How referral entries returned by the LDAP server are treated. With Manage(Ignore),
the default, the server is asked to return referral entries as ordinary entries and they are not chased;
with Handle(Follow), the CAM follows each referral to the server it points at.
Step 10 DerefLink—If ON, object aliases returned as search results are de-referenced, that is, the actual object
that the alias refers to is returned as the search result, not the alias itself. The default is OFF.
Step 11 DerefAlias—Options are Always (default), Never, Finding, Searching.
Step 12 Security Type—Whether the connection to the LDAP server uses SSL. The default is None. Because the
authentication mechanism set in Step 14 is a simple bind, leaving Security Type at None sends both the
Search(Admin) password and every authenticating user's password across the network in cleartext; select
SSL for any LDAP server that is not reached over a trusted, isolated network.
Note If the LDAP server uses SSL, be sure to import the certificate using the Import Certificate
option on the Administration > CCA Manager > SSL > X509 Certificate page.
Step 13 Default Role—Choose the user role assigned to users authenticated by this provider. This default role
is used if not overridden by a role assignment based on MAC address or IP address, or if LDAP mapping
rules do not result in a successful match.
Step 14 Specify the Authentication Mechanism to be SIMPLE.
Step 15 Search(Admin) Full DN—The Search(Admin) user can be an LDAP administrator or a basic user. Because
this account only needs to search for user entries, a dedicated account with read-only privileges is
preferable to an administrator. If using LDAP to connect to an AD server, the Search(Admin) Full DN
(distinguished name) must be the DN of an AD user account, and the first CN (common name) entry should
be an AD user with read privileges. (See Figure 7-11.)
cn=jane doe,cn=users,dc=cisco,dc=com
Step 16 Search(Admin) Password—The password for the LDAP user.
Step 17 Click Add Server.
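The fields above (Search Base Context, Search Filter with its $user$ placeholder, Search(Admin) DN and password, Default Role) describe a search-then-bind flow: bind as the search account, look up the user's entry under the base, then bind as that entry with the user's password. The following added example, which is not Cisco's code and does not run against a real CAM, models that flow against a constructed in-memory directory with a toy filter evaluator (single equality filters, `*` wildcard only). It also shows the RFC 4515 escaping a client must apply to the username before splicing it into the filter: an unescaped `*` turns `sAMAccountName=$user$` into a filter that matches every account, so the lookup is ambiguous instead of identifying one entry. All DNs, passwords and role names are constructed.

```python
"""Added example (not Cisco's code): search-then-bind against a constructed
directory, with RFC 4515 escaping of the $user$ substitution."""
import hmac
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 0x7F:                      # non-ASCII: escape each UTF-8 byte
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def build_search_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute $user$ in a filter template such as 'uid=$user$' or
    'sAMAccountName=$user$'; escape=False shows the unsafe substitution."""
    value = escape_filter_value(username) if escape else username
    flt = template.replace('$user$', value)
    return flt if flt.startswith('(') else '(' + flt + ')'


def _unescape(s: str) -> str:
    """Reverse RFC 4515 '\\XX' escapes (toy evaluator helper)."""
    buf, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\' and re.fullmatch('[0-9a-fA-F]{2}', s[i + 1:i + 3] or ''):
            buf.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(s[i].encode('utf-8'))
            i += 1
    return buf.decode('utf-8', 'replace')


_SIMPLE = re.compile(r'^\((\w+)=(.*)\)$')


def _matches(entry: dict, ldap_filter: str) -> bool:
    """Toy evaluator: '(attr=pattern)' where an unescaped '*' is a wildcard
    and an escaped '\\2a' is a literal asterisk.  Attribute keys are lowercase."""
    m = _SIMPLE.fullmatch(ldap_filter)
    if not m:
        raise ValueError('toy evaluator supports only (attr=pattern): %r' % ldap_filter)
    attr, pattern = m.group(1).lower(), m.group(2)
    regex = '.*'.join(re.escape(_unescape(part)) for part in pattern.split('*'))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


# Constructed directory: DN -> attributes.  The third entry sits outside the
# search base and must never be returned.
DIRECTORY = {
    'cn=jane doe,cn=users,dc=cisco,dc=com':     {'uid': ['jdoe'], 'samaccountname': ['jdoe']},
    'cn=search svc,cn=users,dc=cisco,dc=com':   {'uid': ['searchsvc'], 'samaccountname': ['searchsvc']},
    'cn=jdoe,ou=contractors,dc=example,dc=org': {'uid': ['jdoe'], 'samaccountname': ['jdoe']},
}
PASSWORDS = {                                     # constructed credentials for the simulated binds
    'cn=jane doe,cn=users,dc=cisco,dc=com': 'jane-pw',
    'cn=search svc,cn=users,dc=cisco,dc=com': 'constructed-svc-pw',
    'cn=jdoe,ou=contractors,dc=example,dc=org': 'other-pw',
}

CONFIG = {                                        # mirrors the Add Server form fields
    'search_base': 'dc=cisco, dc=com',
    'search_filter': 'sAMAccountName=$user$',
    'search_admin_dn': 'cn=search svc,cn=users,dc=cisco,dc=com',
    'search_admin_password': 'constructed-svc-pw',
    'default_role': 'employee',
}


def simple_bind(dn: str, password: str) -> bool:
    """Simulated SIMPLE bind; constant-time compare against the stored password."""
    expected = PASSWORDS.get(dn)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def authenticate(cfg: dict, username: str, password: str, escape: bool = True) -> dict:
    """1) bind as Search(Admin); 2) search the base for exactly one user entry;
    3) bind as that entry with the user's password; assign the default role."""
    if not simple_bind(cfg['search_admin_dn'], cfg['search_admin_password']):
        return {'ok': False, 'reason': 'search admin bind failed'}
    flt = build_search_filter(cfg['search_filter'], username, escape)
    base = cfg['search_base'].replace(' ', '').lower()
    hits = [dn for dn, e in DIRECTORY.items() if dn.lower().endswith(base) and _matches(e, flt)]
    if len(hits) != 1:                            # zero or several matches: refuse, never guess
        return {'ok': False, 'reason': '%d entries matched %s' % (len(hits), flt)}
    if not simple_bind(hits[0], password):
        return {'ok': False, 'reason': 'user bind failed', 'dn': hits[0]}
    return {'ok': True, 'dn': hits[0], 'role': cfg['default_role']}


if __name__ == '__main__':
    print(authenticate(CONFIG, 'jdoe', 'jane-pw'))
    print(authenticate(CONFIG, '*', 'anything'))                  # escaped: 0 matches
    print(authenticate(CONFIG, '*', 'anything', escape=False))    # unescaped: 2 matches
```

The "exactly one match" check is the part worth keeping in mind when choosing the Search Filter: if the attribute in the filter is not unique within the Search Base Context, the lookup fails even for valid users, and if the username is spliced in unescaped, a wildcard or filter metacharacter in the login name changes which entries the filter selects.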
Configure LDAP Server with GSSAPI Authentication
Note In Cisco NAC Appliance, you can configure one LDAP auth provider using the GSSAPI authentication
method and one Kerberos auth provider, but only one of the two can be active at any time. See Kerberos,
page 7-5 for more information.
Note For LDAP over GSSAPI to function with FIPS 140-2 compliant CAMs, the Active Directory hosts must be
running Windows Server 2008 so that secure authentication sessions between those external resources and
the FIPS-compliant appliance are supported.