36-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

What to Do Next
Configure AD Agents. See Configuring Active Directory Agents, page 13.
Command | Purpose

Step 6
Command: hostname(config-aaa-server-host)# ldap-login-dn string
Example: hostname(config-aaa-server-host)# ldap-login-dn SAMPLE\user1
Purpose: Specifies the name of the directory object that the system should bind as. The ASA identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field describes the authentication characteristics of the ASA.
Where string is a case-sensitive string of up to 128 characters that specifies the name of the directory object in the LDAP hierarchy. Spaces are not permitted in the string, but other special characters are allowed.
You can specify the traditional or simplified format. The simplified format is shown in the example; the traditional format, CN=username,OU=Employees,OU=Sample Users,DC=sample,DC=com, is accepted also.

Step 7
Command: hostname(config-aaa-server-host)# server-type microsoft
Purpose: Configures the LDAP server model for the Microsoft Active Directory server.

Step 8
Command: hostname(config-aaa-server-host)# ldap-group-base-dn string
Example: hostname(config-aaa-server-host)# ldap-group-base-dn OU=Sample Groups,DC=SAMPLE,DC=com
Purpose: Specifies the location of the Active Directory groups configuration in the Active Directory domain controller. If not specified, the value in ldap-base-dn is used.
Specifying the ldap-group-base-dn command is optional.

Step 9
Command: hostname(config-aaa-server-host)# ldap-over-ssl enable
Purpose: Allows the ASA to access the Active Directory domain controller over SSL. To support LDAP over SSL, the Active Directory server needs to be configured to have this support.
By default, Active Directory does not have SSL configured. If SSL is not configured on Active Directory, you do not need to configure it on the ASA for the Identity Firewall.

Step 10
Command: hostname(config-aaa-server-host)# server-port port-number
Examples:
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# server-port 636
Purpose: By default, if ldap-over-ssl is not enabled, the default server-port is 389; if ldap-over-ssl is enabled, the default server-port is 636.

Step 11
Command: hostname(config-aaa-server-host)# group-search-timeout seconds
Example: hostname(config-aaa-server-host)# group-search-timeout 300
Purpose: Sets the amount of time, in seconds, before LDAP queries time out.
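Steps 6 through 11 assembled into one AAA server host configuration, as an added example rather than text from the Cisco guide. The aaa-server group, host, ldap-base-dn, ldap-scope and ldap-login-password lines belong to the earlier steps not shown on this page and are assumed here; the server name, IP address, DNs and password are constructed placeholders.

```text
! Added example (not from the guide): LDAP server host for the Identity Firewall.
! ADSERVER, 192.0.2.10 and the DNs below are constructed placeholders.
aaa-server ADSERVER protocol ldap
aaa-server ADSERVER (inside) host 192.0.2.10
 ! Assumed from earlier steps: base DN, search scope and bind password
 ldap-base-dn DC=sample,DC=com
 ldap-scope subtree
 ldap-login-password <bind-password>
 ! Step 6: bind identity in the simplified format (no spaces in the string)
 ldap-login-dn SAMPLE\user1
 ! Step 7: tell the ASA this is Microsoft Active Directory
 server-type microsoft
 ! Step 8: where the groups live; optional, falls back to ldap-base-dn
 ldap-group-base-dn OU=Sample Groups,DC=SAMPLE,DC=com
 ! Step 9 and 10: bind over SSL so the bind credentials and queries are not
 ! sent in the clear; the domain controller must have LDAPS enabled first
 ldap-over-ssl enable
 server-port 636
 ! Step 11: give up on a group query after 300 seconds
 group-search-timeout 300
```

With ldap-over-ssl enabled the server-port already defaults to 636, so the explicit server-port line only documents the choice; if the domain controller has no SSL support, remove both ldap-over-ssl and server-port and the ASA uses 389.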