Rsa/sdi primary and replica servers, Nt server support, Kerberos server support – Cisco ASA 5505 User Manual


35-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Information About AAA

locks the username, preventing another (replica) server from accepting it. This action means that the
same user cannot authenticate to two ASAs using the same authentication servers simultaneously. After
a successful username lock, the ASA sends the passcode.

RSA/SDI Primary and Replica Servers

The ASA obtains the server list when the first user authenticates to the configured server, which can be
either a primary or a replica. The ASA then assigns priorities to each of the servers on the list, and
subsequent server selection is derived at random from those assigned priorities. The highest priority
servers have a higher likelihood of being selected.

NT Server Support

The ASA supports Microsoft Windows server operating systems that support NTLM Version 1,
collectively referred to as NT servers.

Note

NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated,
which is a limitation of NTLM Version 1.

Kerberos Server Support

The ASA supports 3DES, DES, and RC4 encryption types.

Note

The ASA does not support changing user passwords during tunnel negotiation. To avoid this situation
happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users
connecting to the ASA.

For a simple Kerberos server configuration example, see Example 35-2 on page 35-16.

LDAP Server Support

The ASA supports LDAP. This section includes the following topics:

Authentication with LDAP, page 35-6

LDAP Server Types, page 35-7

Authentication with LDAP

During authentication, the ASA acts as a client proxy to the LDAP server for the user, and authenticates
to the LDAP server in either plain text or by using the SASL protocol. By default, the ASA passes
authentication parameters, usually a username and password, to the LDAP server in plain text.

The ASA supports the following SASL mechanisms, listed in order of increasing strength:

Digest-MD5—The ASA responds to the LDAP server with an MD5 value computed from the
username and password.
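To show what "an MD5 value computed from the username and password" looks like on the wire, the following added example (not from the Cisco guide) computes the SASL DIGEST-MD5 response and the server's rspauth as specified in RFC 2831; the user, realm, nonces and digest-uri are constructed sample values. The password itself never leaves the client, only a digest bound to both parties' nonces, but the value is still only as strong as MD5 and the password behind it.

```python
import hashlib
import secrets

# Constructed sample values (not from the manual): a directory user and the
# parameters exchanged during a SASL DIGEST-MD5 bind to an LDAP server.
SAMPLE = {
    "username": "chris",
    "realm": "ldap.example.test",
    "password": "secret",
    "nonce": "OA6MG9tEQGm2hh",    # chosen by the server, fresh per bind
    "cnonce": "OA6MHXh6VqTrRk",   # chosen by the client, fresh per bind
    "nc": "00000001",             # nonce-count, hex
    "qop": "auth",                # authentication only, no integrity/privacy layer
    "digest_uri": "ldap/ldap.example.test",
}


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _ha1(p: dict) -> str:
    # RFC 2831 A1: the RAW 16-byte H(user:realm:password), then ":nonce:cnonce".
    # (Unlike HTTP Digest, the inner hash is not hex-encoded before concatenation.)
    inner = _md5(f"{p['username']}:{p['realm']}:{p['password']}".encode("utf-8"))
    return _md5(inner + f":{p['nonce']}:{p['cnonce']}".encode("utf-8")).hex()


def _kd(ha1: str, ha2: str, p: dict) -> str:
    # KD(k, s) = H(k ":" s) with s = nonce:nc:cnonce:qop:HEX(H(A2))
    s = f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}"
    return _md5(s.encode("utf-8")).hex()


def client_response(p: dict) -> str:
    """Value the client (here the ASA) sends in the 'response' directive."""
    ha2 = _md5(f"AUTHENTICATE:{p['digest_uri']}".encode("utf-8")).hex()
    return _kd(_ha1(p), ha2, p)


def server_rspauth(p: dict) -> str:
    """Value the server returns so the client can check the server knows the password too."""
    ha2 = _md5(f":{p['digest_uri']}".encode("utf-8")).hex()
    return _kd(_ha1(p), ha2, p)


def server_verify(p: dict, received: str) -> bool:
    """Server side: recompute from the stored credentials and compare in constant time."""
    return secrets.compare_digest(client_response(p), received)
```

Because the digest depends on both nonces, a captured response cannot be replayed against a later bind, which is the property that makes this stronger than the default plain-text bind.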
