Cisco Systems OL-12180-01 LDAP Server Support, SSO Support for Clientless SSL VPN with HTTP Forms


Chapter 12 Configuring AAA Servers and User Accounts

AAA Server and Local Database Support

LDAP Server Support

This section describes using an LDAP directory with the security appliance for user authentication and VPN authorization.

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL.

Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL.

When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user. For VPN authentication, these attributes generally include authorization data which is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.

For example configuration procedures used to set up LDAP authentication or authorization, see Appendix B, “Configuring an External Server for Authorization and Authentication”.
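As an added illustration (not from this guide, and in ASA CLI form rather than ASDM), the server-group settings behind this section: one LDAP group left at the plain-text default beside one that wraps the session in SSL, as the note above recommends, plus the SASL alternative. The host address, base DN, bind account, group names and the tunnel group are assumptions.

```cisco
! Added example, not part of the ASDM User Guide. Addresses, DNs and names
! are placeholders; the keywords are the ASA CLI equivalents of the ASDM fields.
!
! --- Weak (the default): simple bind on TCP/389. The bind DN password, the
! --- user's password and the returned authorization attributes all cross the
! --- network in plain text.
aaa-server LDAP-PLAIN protocol ldap
aaa-server LDAP-PLAIN (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
!
! --- Hardened: same directory, but the whole LDAP exchange (bind, search and
! --- the attributes returned after authentication) is protected by SSL on
! --- TCP/636, which is what the note in this section recommends.
aaa-server LDAP-SSL protocol ldap
aaa-server LDAP-SSL (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
!
! --- SASL alternative: protects the credentials during the bind, but the
! --- attributes the directory returns are still not encrypted unless SSL is
! --- also enabled, so combine it with ldap-over-ssl where possible.
aaa-server LDAP-SASL protocol ldap
aaa-server LDAP-SASL (inside) host 192.0.2.10
 sasl-mechanism digest-md5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
!
! --- Bind the hardened group to a VPN tunnel group; because LDAP returns the
! --- user's attributes on success, this single step covers authorization too.
tunnel-group REMOTE-USERS general-attributes
 authentication-server-group LDAP-SSL
```

Point `test aaa-server authentication LDAP-SSL` at a known account after applying the change to confirm the SSL path works before removing the plain-text group.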

SSO Support for Clientless SSL VPN with HTTP Forms

The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of Clientless SSL VPN only. Single sign-on support lets users enter a username and password only once to access multiple protected services and Web servers. The Clientless SSL VPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the Clientless SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server using HTTPS. If the server approves the authentication request, it returns an SSO authentication cookie to the Clientless SSL VPN server. The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server.

In addition to the HTTP Form protocol, administrators can choose to configure SSO with the HTTP Basic and NTLM authentication protocols (the auto-signon command), or with the Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder). For an in-depth discussion of configuring SSO with HTTP Forms, auto-signon, or SiteMinder, see the Clientless SSL VPN chapter.

Local Database Support

The security appliance maintains a local database that you can populate with user profiles.

This section contains the following topics:

User Profiles, page 12-6

Fallback Support, page 12-7

 

ASDM User Guide

12-6

OL-12180-01
