Configuring authorization with ldap for vpn – Cisco ASA 5505 User Manual

Page 696

Advertising
background image

35-16

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Configuring AAA

hostname(config)# aaa-server AuthOutbound protocol radius

hostname(config-aaa-server-group)# exit

hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3

hostname(config-aaa-server-host)# key RadUauthKey

hostname(config-aaa-server-host)# exit

hostname(config)# aaa-server NTAuth protocol nt

hostname(config-aaa-server-group)# exit

hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4

hostname(config-aaa-server-host)# nt-auth-domain-controller primary1

hostname(config-aaa-server-host)# exit

Example 35-2

shows how to configure a Kerberos AAA server group named watchdogs, add a AAA

server to the group, and define the Kerberos realm for the server. Because

Example 35-2

does not define

a retry interval or the port that the Kerberos server listens to, the ASA uses the default values for these
two server-specific parameters.

Table 35-2

lists the default values for all AAA server host mode

commands.

Note

Kerberos realm names use numbers and upper-case letters only. Although the ASA accepts lower-case
letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure to use
upper-case letters only.

Example 35-2 Kerberos Server Group and Server

hostname(config)# aaa-server watchdogs protocol kerberos

hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4

hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM

hostname(config-aaa-server-host)# exit

hostname(config)#

Configuring Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the ASA queries the LDAP server which
returns LDAP attributes. These attributes generally include authorization data that applies to the VPN
session. Thus, using LDAP accomplishes authentication and authorization in a single step.

There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals