by | 26 March 2009

http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a0080846d7a.shtml

AD/LDAP Configuration Example

This illustrates a sample configuration using LDAP to communicate with the backend Active Directory:

  1. Create a Domain Admin user within Active Directory Users and Computers. Place this user into the Users folder.
  2. Within Active Directory Users and Computers, select Find from the Actions menu. Make sure that your results show the Group Membership column for the created user. Your search results should show the user and the associated Group Membership within Active Directory. This is the information you will need to transfer into the Clean Access Manager.

    [Image: cca-ldap-config1.gif]

  3. From the Clean Access Manager web console, go to the User Management > Auth Servers > New Server form.
  4. Choose LDAP as the Server Type.
  5. For the Search(Admin) Full DN and Search Base Context fields, input the results from the Find within Active Directory Users and Computers.

    [Image: cca-ldap-config2.gif]

  6. These fields are all that is necessary to properly set up this auth server within the CAM:
    • Server URL: ldap://192.168.137.10:389 – This is the domain controller IP address and LDAP listening port.
    • Search(Admin) Full DN: CN=sheldon muir, CN=Users, DC=domainname, DC=com
    • Search Base Context: DC=domainname, DC=com
    • Default Role: Select the default role a user will be put into once authenticated.
    • Description: Used just for reference.
    • Provider Name: This is the name of the LDAP server used for User Page setup on the CAM.
    • Search Password: sheldon muir’s domain password
    • Search Filter: SAMAccountName=$user$
  7. Click Add Server. At this point, your Auth Test should work.
  8. In order to test authentication:
    1. From User Management > Auth Servers > Auth Test tab, select the provider against which you want to test credentials in the Provider list. If the provider does not appear, make sure it is correctly configured in the List of Servers tab.
    2. Enter the username and password for the user and if needed a VLAN ID value.
    3. Click Authenticate. The test results appear at the bottom of the window.

      [Image: cca-ldap-config3.gif]

      Authentication Successful:

      For any provider type, Result: Authentication successful and Role of the user are displayed when the auth test succeeds.

      For LDAP/RADIUS servers, when authentication is successful and mapping rules are configured, the attributes/values specified in the mapping rule are also displayed if the auth server (LDAP/RADIUS) returns those values. For example:

      Result: Authentication successful
      Role: <role name>
      Attributes for Mapping:
      <Attribute Name>=<Attribute value>

      Authentication Failed:

      When authentication fails, a message displays along with the Authentication failed result as shown.

      Message: Invalid User Credential
      Description: Correct user name, incorrect password

      Message: Unable to find the full DN for user <User Name>
      Description: Correct password, incorrect user name (LDAP provider)

      Message: Client Receive Exception: Packet Receive Failed (Receive timed out)
      Description: Correct password, incorrect user name (RADIUS provider)

      Message: Invalid Admin(Search) Credential
      Description: Correct user name, correct password, incorrect value configured in the Search(Admin) Full DN field of the Auth provider (e.g. incorrect CN configured for LDAP Server)

      Message: Naming Error (x.x.x.x: x)
      Description: Correct user name, correct password, incorrect value configured in the Server URL field of the Auth provider (e.g. incorrect port or URL configured for LDAP)
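As an added example (not Cisco's code and not taken from the tech note), the following Python models the Auth Test flow that the step 6 fields describe: bind as the Search(Admin) Full DN, search the Search Base Context with the Search Filter to resolve the user's full DN, then bind as that DN, returning the result messages listed above. The domain controller, its URL, the accounts and passwords are constructed in-memory stand-ins, and the RFC 4515 escaping of the $user$ substitution is an assumption about what a sound implementation does, not something the note states.

```python
import re
CAM_CONFIG = {  # constructed values mirroring the fields in step 6, not a real deployment
    "server_url": "ldap://192.168.137.10:389",
    "search_dn": "CN=sheldon muir,CN=Users,DC=domainname,DC=com",
    "search_password": "S3arch-pass",
    "search_base": "DC=domainname,DC=com",
    "search_filter": "SAMAccountName=$user$",
    "default_role": "employee",
}
LISTENING = {"ldap://192.168.137.10:389"}  # constructed: the URL the stand-in DC answers on
DIRECTORY = {  # constructed in-memory stand-in for the domain controller
    "CN=sheldon muir,CN=Users,DC=domainname,DC=com": {"SAMAccountName": "smuir", "password": "S3arch-pass"},
    "CN=jane doe,CN=Users,DC=domainname,DC=com": {"SAMAccountName": "jdoe", "password": "Jane-pass"},
}

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here): the typed name stays a literal inside the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(c, c) for c in value)

def build_filter(template, username):
    """Substitute $user$ in the configured Search Filter, e.g. 'SAMAccountName=$user$'."""
    return template.replace("$user$", escape_filter_value(username))

def _value_regex(raw):
    """LDAP filter value to regex: '*' is a wildcard, '\\xx' is an escaped literal byte."""
    parts = [".*" if tok == "*" else re.escape(chr(int(tok[1:], 16)) if tok[0] == "\\" else tok)
             for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", raw)]
    return re.compile("^" + "".join(parts) + "$")

def ldap_search(base, filt):  # DNs under base whose attribute matches a simple 'attr=value' filter
    attr, _, raw = filt.strip("()").partition("=")
    rx = _value_regex(raw)
    return [dn for dn, e in DIRECTORY.items() if dn.endswith(base) and rx.match(e.get(attr, ""))]

def ldap_bind(dn, password):  # simple bind succeeds only with that entry's password
    return DIRECTORY.get(dn, {}).get("password") == password

def auth_test(username, password, cfg=CAM_CONFIG):
    """Auth Test flow: reach the server, bind as the search DN, resolve the user's full DN, bind as it."""
    if cfg["server_url"] not in LISTENING:
        return f"Authentication failed: Naming Error ({cfg['server_url']})"
    if not ldap_bind(cfg["search_dn"], cfg["search_password"]):
        return "Authentication failed: Invalid Admin(Search) Credential"
    dns = ldap_search(cfg["search_base"], build_filter(cfg["search_filter"], username))
    if len(dns) != 1:  # no match or an ambiguous match: the full DN cannot be resolved
        return f"Authentication failed: Unable to find the full DN for user {username}"
    if not ldap_bind(dns[0], password):
        return "Authentication failed: Invalid User Credential"
    return f"Authentication successful, Role: {cfg['default_role']}"
```

A username such as "j*" is escaped to "j\2a" and therefore resolves no DN, whereas the same value used unescaped in ldap_search would wildcard-match jdoe's entry.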