12-18
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
Identifying AAA Server Groups and Servers
– Naming Attribute(s)—Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
– Login DN—Specifies the login DN. Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the security appliance’s authentication characteristics; these characteristics should correspond to those of a user with administration privileges. Enter the name of the directory object for security appliance authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=Example Corporation, dc=com. For anonymous access, leave this field blank.
– Login Password—Specifies the login password. The characters you type are replaced with asterisks.
– LDAP Attribute Map—Lists the LDAP attribute maps that you can apply to the LDAP server. The LDAP attribute map translates Cisco attribute names into user-defined attribute names and values.
– SASL MD5 authentication—Specifies that the MD5 mechanism of the Simple Authentication and Security Layer secures authentication communications between the security appliance and the LDAP server.
– SASL Kerberos authentication—Specifies that the Kerberos mechanism of the Simple Authentication and Security Layer secures authentication communications between the security appliance and the LDAP server.
– Kerberos Server Group—Specifies the Kerberos server or server group used for authentication. The Kerberos Server Group option is disabled by default and is enabled only when SASL Kerberos authentication is chosen.
• NT Domain Parameters—Specifies the parameters needed for using an NT server and includes the following fields:
– Server Port—Specifies the TCP port number by which you access the server. The default port number is 139.
– NT Domain Controller—Specifies the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 15 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP Address in Authentication Server Address; if the name is incorrect, authentication fails.
• HTTP Form Parameters—Specifies the parameters for the HTTP Form protocol for single sign-on authentication, available only to users of Clientless SSL VPN. This area appears only when the selected server group uses HTTP Form, and only the Server Group name and the protocol are visible. Other fields are not available when using HTTP Form.
Note: To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.
If you do not know what the following parameters are, use an HTTP header analyzer to extract the data from the HTTP GET and POST exchanges when logging into the authenticating web server directly, not through the security appliance. See the Clientless SSL VPN chapter in the Cisco Security Appliance Command Line Configuration Guide for more detail on extracting these parameters from the HTTP exchanges.
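The LDAP parameters above (Naming Attribute, Login DN, Login Password) describe what an LDAP AAA client has to assemble before it can look a user up. The following is an added, stand-alone Python example (not code from the ASDM guide or the security appliance) that builds the user lookup filter from the naming attribute(s) with RFC 4515 escaping, splits a Login DN of the form shown above into its RDNs, and treats a blank Login DN as anonymous access; the function names are this example's own, and the DN parser is a simplified one that handles only backslash-escaped commas.

```python
def escape_filter_value(value: str) -> str:
    """RFC 4515: NUL, '(', ')', '*' and '\\' in an assertion value must be
    hex-escaped so a user-supplied name cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def user_search_filter(naming_attrs, username: str) -> str:
    """Filter selecting the entry whose naming attribute (cn, uid, ...) equals
    `username`; several naming attributes are combined with an OR."""
    safe = escape_filter_value(username)
    clauses = ['(%s=%s)' % (attr, safe) for attr in naming_attrs]
    return clauses[0] if len(clauses) == 1 else '(|%s)' % ''.join(clauses)


def parse_login_dn(dn: str):
    """Split 'cn=Administrator, cn=users, ou=people, dc=Example Corporation, dc=com'
    into (attribute, value) pairs. A blank DN (anonymous access) gives [].
    Simplified parser: only '\\,' escapes are handled (assumption of this example)."""
    if not dn.strip():
        return []
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):        # escaped character: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':                              # RDN separator
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def bind_parameters(login_dn: str, login_password: str):
    """Blank Login DN -> anonymous bind; otherwise a simple bind, which needs a
    password. A simple bind sends that password in the clear unless the session
    is protected (e.g. SASL as selected above), so the appliance credentials
    deserve the same care as any other administrative secret."""
    if not parse_login_dn(login_dn):
        return ('anonymous', None)
    if not login_password:
        raise ValueError('Login DN set but Login Password is empty')
    return ('simple', login_dn.strip())
```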