E-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Appendix E Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Binding the Security Appliance to the LDAP Server
Some LDAP servers (including Microsoft Active Directory) require the security appliance to establish a handshake through an authenticated bind before they accept any other LDAP operation. The security appliance identifies itself for the authenticated bind by attaching a Login DN field to the user authentication request. The Login DN field defines the authentication characteristics of the security appliance; these characteristics should correspond to those of a user with administration privileges. An example Login DN is cn=Administrator,cn=users,ou=people,dc=example,dc=com. Treat this account as a service account: its password is stored in the appliance configuration and presented to the directory on every bind, so limit it to the directory permissions the appliance actually needs.
Defining the Security Appliance LDAP Schema
Once you have decided how to structure your user information in the LDAP hierarchy, define this
organization in a schema. To define the schema, begin by defining the object class name. The class name
for the security appliance directory is cVPN3000-User-Authorization. The class has the object identifier
(OID) 1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.
Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to
reuse the class OID once you have defined it. Use the next incremental OID. For example, if you
incorrectly defined the class name as cVPN3000-Usr-Authorization with OID
1.2.840.113556.1.8000.795.1.1, you can enter the correct class name cVPN3000-User-Authorization
with the next OID, for example, 1.2.840.113556.1.8000.795.1.2.
For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP Data Interchange Format (LDIF). This file has the extension .ldif, for example schema.ldif. Other LDAP servers use graphical user interfaces or script files to define the object class and its attributes. For more information on LDIF, see RFC 2849.
Note
• All LDAP attributes for all three appliances (the security appliance, the PIX Firewall and the VPN 3000) begin with the letters cVPN3000; for example: cVPN3000-Access-Hours.
• The appliances enforce LDAP attributes by attribute name, not by numeric ID. RADIUS attributes, on the other hand, are enforced by numeric ID, not by name.
• Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as an authentication or authorization server enforces permissions or attributes if they are configured.
For a complete list of attributes for the security appliance, the PIX Firewall and the VPN 3000, see
Table E-2.
All strings are case-sensitive and you must use an attribute name as capitalized in the table even if it
conflicts with how a term is typically written. For example, use cVPN3000-IETF-Radius-Class, not
cVPN3000-IETF-RADIUS-Class.
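The following is an added example, not Cisco's code and not part of the guide: a pre-flight checker for the schema.ldif described above, covering the three rules this page states (attribute names are matched case-sensitively exactly as capitalized in Table E-2, every name begins with cVPN3000, and an OID cannot be reused once the directory has seen it, so a corrected definition must take the next OID). The LDIF sample inside it is constructed; the class name and OID 1.2.840.113556.1.8000.795.1.1 come from this page, while the attribute OIDs under ...795.2, the schema container DN CN=Schema,CN=Configuration,DC=example,DC=com, and the use of the Active Directory classSchema/attributeSchema entry form are assumptions made for the example. The expected-name set lists only the names quoted on this page.

```python
# Pre-flight check of a security-appliance schema.ldif before loading it into
# Active Directory. Added example, not Cisco's code. It enforces what this
# page says the appliance and the directory are strict about: attribute names
# are matched case-sensitively as capitalized in Table E-2, every name starts
# with cVPN3000, and an OID cannot be reused once the directory has seen it.
from collections import defaultdict

PREFIX = "cVPN3000"
# Only the names quoted on this page are listed; the full set is Table E-2.
EXPECTED_NAMES = {"cVPN3000-User-Authorization", "cVPN3000-Access-Hours",
                  "cVPN3000-IETF-Radius-Class"}

# Constructed sample in AD classSchema/attributeSchema form. The class name and
# OID ...795.1.1 are from the guide; the attribute OIDs under ...795.2 and the
# schema DN are assumptions. It deliberately contains the two mistakes the
# guide warns about: wrong capitalization and a reused OID.
SAMPLE_LDIF = """\
dn: CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.795.2.1
lDAPDisplayName: cVPN3000-Access-Hours

dn: CN=cVPN3000-IETF-RADIUS-Class,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.795.2.2
lDAPDisplayName: cVPN3000-IETF-RADIUS-Class

# Misspelled class from an earlier load attempt; AD will not free its OID.
dn: CN=cVPN3000-Usr-Authorization,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.795.1.1
lDAPDisplayName: cVPN3000-Usr-Authorization
subClassOf: top
objectClassCategory: 3

dn: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.795.1.1
lDAPDisplayName: cVPN3000-User-Authorization
subClassOf: top
objectClassCategory: 3
mayContain: cVPN3000-Access-Hours
mayContain: cVPN3000-IETF-Radius-Class
"""

def parse_ldif(text):
    """Minimal RFC 2849 reader (folded lines, '#' comments; no base64 values).
    Keys are lowercased because LDAP attribute descriptions are
    case-insensitive; values are kept exactly as written."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:        # folded continuation line
            current[-1] += raw[1:]
        elif raw == "":                             # blank line ends a record
            if current:
                records.append(_record(current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return records

def _record(lines):
    rec = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        rec[name.strip().lower()].append(value.strip())
    return rec

def check_schema(text):
    """Return (dn, problem) findings; an empty list means the file is clean."""
    findings, seen = [], {}
    by_lower = {n.lower(): n for n in EXPECTED_NAMES}
    for rec in parse_ldif(text):
        dn = (rec["dn"] or ["<no dn>"])[0]
        for name in rec.get("ldapdisplayname", []):
            if not name.startswith(PREFIX):
                findings.append((dn, f"{name} does not start with {PREFIX}"))
            elif name not in EXPECTED_NAMES:          # exact, case-sensitive
                want = by_lower.get(name.lower())
                findings.append((dn, f"use {want}, not {name}" if want
                                 else f"{name} is not in Table E-2"))
        for key in ("attributeid", "governsid"):      # both kinds of schema OID
            for oid in rec.get(key, []):
                if oid in seen:
                    findings.append((dn, f"OID {oid} already used by {seen[oid]}"))
                seen.setdefault(oid, dn)
    return findings

def next_oid(text, arc):
    """Next free OID under arc, e.g. ...795.1 for classes: a mistaken
    definition keeps its OID, so the corrected one must take the next."""
    used = {o for r in parse_ldif(text)
            for k in ("attributeid", "governsid") for o in r.get(k, [])}
    taken = [int(o[len(arc) + 1:]) for o in used
             if o.startswith(arc + ".") and o[len(arc) + 1:].isdigit()]
    return f"{arc}.{max(taken, default=0) + 1}"

if __name__ == "__main__":
    for dn, problem in check_schema(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
    print("next class OID:", next_oid(SAMPLE_LDIF, "1.2.840.113556.1.8000.795.1"))
```

Run it against the real schema.ldif before importing the file into the directory. On the constructed sample it reports three findings (the RADIUS capitalization, the leftover misspelled class, and the class OID reused by the corrected class) and computes 1.2.840.113556.1.8000.795.1.2 as the next class OID, which is the recovery the text describes. The checker matches lDAPDisplayName values byte for byte on purpose: the directory would accept cVPN3000-IETF-RADIUS-Class, but the appliance, which enforces by name, would never match it.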