
Chapter 13      User Databases
Generic LDAP
13-34
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
For each LDAP instance, you can add or leave it out of the Unknown User Policy. 
For more information, see About Unknown User Authentication, page 15-4.
For each LDAP instance, you can establish unique group mapping. For more 
information, see Group Mapping by Group Set Membership, page 16-4.
Multiple LDAP instances are also important when you use domain filtering. For 
more information, see Domain Filtering, page 13-34.
LDAP Organizational Units and Groups
LDAP groups do not need to have the same name as their corresponding 
Cisco Secure ACS groups. The LDAP group can be mapped to a Cisco Secure 
ACS group with any name you want to assign. For more information about how 
your LDAP database handles group membership, see your LDAP database 
documentation. For more information on LDAP group mappings and 
Cisco Secure ACS, see Chapter 16, “User Group Mapping and Specification”.
Domain Filtering
Using domain filtering, you can control which LDAP instance is used to 
authenticate a user based on domain-qualified usernames. Domain filtering is 
based on parsing the characters either at the beginning or end of a username 
submitted for authentication. Domain filtering provides you with greater control 
over the LDAP instance that Cisco Secure ACS submits any given user 
authentication request to. You also have control of whether usernames are 
submitted to an LDAP server with their domain qualifiers intact.
For example, when EAP-TLS authentication is initiated by a Windows XP client, 
Cisco Secure ACS receives the username in username@domainname format. When 
PEAP authentication is initiated by a Cisco Aironet end-user client, Cisco Secure 
ACS receives the username without a domain qualifier. If both clients are to be 
authenticated with an LDAP database that stores usernames without domain 
qualifiers, Cisco Secure ACS can strip the domain qualifier. If separate user 
accounts are maintained in the LDAP database—both domain-qualified and 
non-domain-qualified user accounts—Cisco Secure ACS can pass usernames to 
the LDAP database without domain filtering.
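As an added illustration of the domain-filtering behaviour described above (this is example code, not code from Cisco Secure ACS or its documentation), the following Python models how a username is routed to an LDAP instance by the characters at its beginning (DOMAIN\user) or end (user@domain), and whether the qualifier is stripped before the name is submitted. The rule structure, instance names and domains are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DomainRule:
    """One hypothetical domain-filtering rule bound to an LDAP instance."""
    instance: str    # LDAP instance that receives the request
    qualifier: str   # domain string to match, e.g. "example.com"
    position: str    # "suffix" for user@domain, "prefix" for DOMAIN\user
    strip: bool      # send the username without its domain qualifier


@dataclass(frozen=True)
class Routed:
    instance: str    # chosen LDAP instance
    username: str    # username as it would be submitted to that instance


def route_username(username: str, rules: List[DomainRule],
                   default_instance: Optional[str]) -> Optional[Routed]:
    """Select the LDAP instance for a username by parsing its prefix or suffix.

    Matching is case-insensitive. A name whose local part would be empty after
    stripping (e.g. "@example.com") is rejected rather than forwarded.
    """
    lowered = username.lower()
    for rule in rules:
        if rule.position == "suffix":
            tag = "@" + rule.qualifier.lower()
            if lowered.endswith(tag):
                bare = username[: -len(tag)]
                if not bare:
                    return None
                return Routed(rule.instance, bare if rule.strip else username)
        elif rule.position == "prefix":
            tag = rule.qualifier.lower() + "\\"
            if lowered.startswith(tag):
                bare = username[len(tag):]
                if not bare:
                    return None
                return Routed(rule.instance, bare if rule.strip else username)
    if default_instance is None:
        return None  # no rule matched and no fallback instance configured
    return Routed(default_instance, username)


# Constructed sample rules: one directory stores bare usernames (strip the
# qualifier), a partner directory stores domain-qualified accounts (keep it).
RULES = [
    DomainRule("corp-ldap", "example.com", "suffix", strip=True),
    DomainRule("corp-ldap", "EXAMPLE", "prefix", strip=True),
    DomainRule("partner-ldap", "partner.example", "suffix", strip=False),
]
```

With these rules an EAP-TLS client's `alice@example.com` and a PEAP client's bare `alice` both reach `corp-ldap` as `alice`, while `dave@partner.example` is passed to `partner-ldap` with its qualifier intact.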