Specifications

7-20
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
If the first LDAP server listed does not respond within 15 seconds, the CAM then attempts to
authenticate using the alternate LDAP server(s) in the list. Every LDAP authentication request is passed
to the first server specified in the list by default. You can only input 128 characters in this field, thus
limiting the number of redundant servers you can specify.
Step 6 Server version—The LDAP version. Supported types include Version 2 and Version 3. Leave as Auto
(default) to have the server version automatically detected.
Step 7 Search Base Context—The root of the LDAP tree in which to perform the search for users (e.g.
dc=cisco, dc=com).
Step 8 Search Filter—The attribute to be authenticated (e.g., uid=$user$, or sAMAccountName=$user$).
Step 9 Referral—Whether referrals are managed (Manage(Ignore): the LDAP server returns referral entries as
ordinary entries) or followed as handles (Handle(Follow)). The default is Manage(Ignore).
Step 10 DerefLink—If ON, object aliases returned as search results are de-referenced, that is, the actual object
that the alias refers to is returned as the search result, not the alias itself. The default is OFF.
Step 11 DerefAlias—Options are Always (default), Never, Finding, Searching.
Step 12 Security Type—Whether the connection to the LDAP server uses SSL. The default is None.
Note If the LDAP server uses SSL, be sure to import the certificate using the Import Certificate
option on the Administration > CCA Manager > SSL > X509 Certificate page.
If you choose SSL, ensure that you provide the details in the Multiple Domain SSL tab as well.
See Multiple Domain SSL, page 7-21.
Step 13 Default Role—Choose the user role assigned to users authenticated by this provider. This default role
is used if not overridden by a role assignment based on MAC address or IP address, or if LDAP mapping
rules do not result in a successful match.
Step 14 Authentication Mechanism—Choose GSSAPI.
Note For LDAP over GSSAPI functions with FIPS 140-2 compliant CAMs, you must ensure that hosts are
running Windows 2008 Server to support secure authentication sessions between external resources and
FIPS-compliant appliances.
Step 15 Search(Admin) Username—If access to the directory is controlled, this field is automatically populated
with the LDAP user ID used to connect to the server (“admin” in the example illustrated in Figure 7-12).
Step 16 Search(Admin) Password—The password for the LDAP user.
Step 17 Default Realm—The realm with which the LDAP server is most commonly associated.
Step 18 KDC Timeout (in seconds)—The period of time the CAM keeps trying to connect before declaring the
specified KDC server unreachable.
Step 19 KDC/Realm Mapping—You can specify one or more mappings between LDAP server IP address/port
specifications and LDAP realms.
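The following Python model, an added example that is not Cisco's code, ties together the provider fields from the steps above: the redundant server list with its 128-character limit and ordered 15-second failover (Step 5), and the search filter with the $user$ placeholder (Step 8). Two things it assumes that the guide does not state: that the server field holds space-separated host:port entries, and that the CAM escapes the value substituted for $user$ per RFC 4515 (the example does so, because a login name substituted raw into a filter can change the filter's structure). The simulated server answers are constructed for the demonstration.

```python
"""Model of the LDAP provider fields (server list, search filter with $user$)
and the ordered failover the guide describes.  Added example, not Cisco's code.
Assumptions: the server field is 'host:port host:port ...', and the value
substituted for $user$ is RFC 4515-escaped before the filter is sent."""

from typing import Callable, Optional

SERVER_LIST_MAX_CHARS = 128      # field limit stated in the guide
SERVER_TIMEOUT_SECONDS = 15      # per-server wait stated in the guide

# RFC 4515 escapes for characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Substitute $user$ (Step 8) with the escaped login name."""
    if "$user$" not in template:
        raise ValueError("search filter must contain $user$")
    return template.replace("$user$", escape_filter_value(username))


def parse_server_list(field_value: str) -> list[tuple[str, int]]:
    """Parse the server field (assumed format 'host:port host:port ...') and
    enforce the 128-character limit the guide states for that field."""
    if len(field_value) > SERVER_LIST_MAX_CHARS:
        raise ValueError(f"server list exceeds {SERVER_LIST_MAX_CHARS} characters")
    servers = []
    for entry in field_value.split():
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad server entry: {entry!r}")
        servers.append((host, int(port)))
    if not servers:
        raise ValueError("at least one LDAP server is required")
    return servers


# A bind attempt against one server: True = authenticated, False = rejected,
# None = no answer within SERVER_TIMEOUT_SECONDS.
TryServer = Callable[[str, int], Optional[bool]]


def simulated_servers(outcomes: dict[tuple[str, int], Optional[bool]]) -> TryServer:
    """Constructed stand-in for real binds: unknown servers never answer."""
    return lambda host, port: outcomes.get((host, port))


def authenticate_with_failover(servers, try_server: TryServer):
    """Walk the list in order (every request starts at the first server); a
    server that gives no answer is skipped and the next one is tried.
    Returns (result, server_used); server_used is None if no server answered."""
    for host, port in servers:
        result = try_server(host, port)
        if result is None:      # timed out after SERVER_TIMEOUT_SECONDS
            continue
        return result, (host, port)
    return False, None


if __name__ == "__main__":
    servers = parse_server_list("ldap1.example.com:389 ldap2.example.com:389")
    # Constructed outage: the primary does not answer, the alternate accepts.
    answers = simulated_servers({("ldap2.example.com", 389): True})
    print(authenticate_with_failover(servers, answers))
    print(render_search_filter("sAMAccountName=$user$", "alice"))
    print(render_search_filter("uid=$user$", "*)(uid=*"))
```

Note that a rejected bind (False) stops the walk: only a server that does not answer triggers failover, which matches the guide's description of the 15-second timeout.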