E-24
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Appendix E Configuring an External Server for Authorization and Authentication
Configuring an External RADIUS Server
Step 4 Specify a secure LDAP connection as follows:
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#
Step 5 Create an aaa-server record to configure the LDAP authorization server and use the ldap-base-dn to
specify the search location for the Cisco cVPN3000-User-Authorization records as shown in the
following example commands:
hostname(config-aaa-server-host)# aaa-server ldap-authorize protocol ldap
hostname(config-aaa-server-host)# aaa-server ldap-authorize host 10.1.1.4
hostname(config-aaa-server-host)# ldap-base-dn ou=Franklin-Altiga,dc=frdevtestad, dc=local
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-naming-attribute cn
hostname(config-aaa-server-host)# ldap-login-password anypassword
hostname(config-aaa-server-host)# ldap-login-dn cn=Administrator,cn=Users,
dc=frdevtestad,dc=local
hostname(config-aaa-server-host)#
Step 6 Create an external group policy that associates the group-name with the LDAP authorization server. In
this example, the user is assigned to the group Engineering as shown in the following command:
hostname(config-aaa-server-host)# group-policy engineering external server-group
ldap-authorize
hostname(config-aaa-server-host)#
Step 7 Create a tunnel group that specifies LDAP authentication as shown in the following example commands:
hostname(config)# tunnel-group ipsec-tunnelgroup type ipsec-ra
hostname(config)# tunnel-group ipsec-tunnelgroup general-attributes
hostname(config-tunnel-general)# authentication-server-group ldap-authenticate
hostname(config-tunnel-general)#
Configuring an External RADIUS Server
This section presents an overview of the RADIUS configuration procedure and defines the Cisco
RADIUS attributes. It includes the following topics:
• Reviewing the RADIUS Configuration Procedure
• Security Appliance RADIUS Authorization Attributes
Reviewing the RADIUS Configuration Procedure
This section describes the RADIUS configuration steps required to support authentication and
authorization of the security appliance users. Follow the steps below to set up the RADIUS server to inter
operate with the security appliance.
Step 1 Load the security appliance attributes into the RADIUS server. The method you use to load the attributes
depends on which type of RADIUS server you are using:
• If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
• If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the
security appliance attributes. Obtain this dictionary file,
cisco3k.dct, from Software Center on
CCO or from the security appliance CD-ROM. Load the dictionary file on your server.
To Next Page
Loading...
Need help?
General