11-17
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 11 Working with User Databases
Generic LDAP
This section contains the following topics:
• Cisco Secure ACS Authentication Process with a Generic LDAP User Database, page 11-17
• Multiple LDAP Instances, page 11-17
• LDAP Organizational Units and Groups, page 11-18
• Domain Filtering, page 11-18
• LDAP Failover, page 11-20
• LDAP Configuration Options, page 11-22
• Configuring a Generic LDAP External User Database, page 11-28
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS forwards the username and password to an LDAP database using a TCP connection on a port that you specify. The LDAP database either passes or fails the authentication request from Cisco Secure ACS. Upon receiving the response from the LDAP database, Cisco Secure ACS instructs the requesting AAA client to grant or deny the user access, according to that response.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. Although the group to which a user is assigned can be determined by information from the LDAP server, it is Cisco Secure ACS, not the LDAP server, that grants authorization privileges.
Multiple LDAP Instances
You can create more than one LDAP configuration in Cisco Secure ACS. By creating more than one LDAP configuration with different IP address or port settings, you can configure Cisco Secure ACS to authenticate using different LDAP servers or using different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one Cisco Secure ACS LDAP configuration instance.
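The following model illustrates the two preceding topics: the LDAP server only passes or fails the credentials, while the ACS group mapping alone decides what is authorized, and an LDAP instance is a primary plus a secondary host/port pair. It is an added example, not Cisco code; the in-memory directory, the OU-to-group mapping table, the privilege values and the hostnames are constructed, and the behaviour for a user LDAP accepts but ACS cannot map to a group is an assumption of the model.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LdapInstance:
    """One ACS LDAP configuration: primary and secondary (host, port) pairs plus
    the directory content they serve (an in-memory dict stands in for the server)."""
    name: str
    primary: tuple
    secondary: tuple
    entries: dict  # DN -> attributes (constructed sample data)


# Constructed sample directory; userPassword is held in clear only for this model.
SAMPLE_ENTRIES = {
    "uid=alice,ou=netops,dc=example,dc=com": {"userPassword": "s3cret", "ou": "netops"},
    "uid=bob,ou=guests,dc=example,dc=com": {"userPassword": "guest1", "ou": "guests"},
    "uid=carol,ou=temp,dc=example,dc=com": {"userPassword": "temp99", "ou": "temp"},
}
CORP_LDAP = LdapInstance("corp", ("10.0.0.10", 389), ("10.0.0.11", 389), SAMPLE_ENTRIES)

# Hypothetical ACS group mapping: LDAP organizational unit -> ACS group -> privileges.
ACS_GROUP_MAP = {"netops": "NetworkAdmins", "guests": "ReadOnly"}
ACS_GROUP_PRIVS = {"NetworkAdmins": {"privilege-level": 15}, "ReadOnly": {"privilege-level": 1}}


def ldap_bind(instance, username, password):
    """The LDAP server's part: locate the entry and pass or fail the credentials.
    Returns the entry attributes on success, None on failure."""
    for dn, attrs in instance.entries.items():
        if dn.startswith(f"uid={username},"):
            # Constant-time comparison so the check does not leak timing about the password.
            return attrs if hmac.compare_digest(attrs["userPassword"], password) else None
    return None  # an unknown user is reported exactly like a wrong password


def acs_authenticate(instance, username, password):
    """ACS's part: ask LDAP for pass/fail, then decide authorization itself from the
    ACS group the user maps to. Returns (decision, acs_group, privileges)."""
    attrs = ldap_bind(instance, username, password)
    if attrs is None:
        return ("deny", None, None)
    acs_group = ACS_GROUP_MAP.get(attrs.get("ou"))
    if acs_group is None:
        # Assumption of this model: authenticated but unmapped users get no access.
        return ("deny", None, None)
    return ("grant", acs_group, ACS_GROUP_PRIVS[acs_group])
```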