12-6
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
AAA Server and Local Database Support
LDAP Server Support
This section describes using an LDAP directory with the security appliance for user authentication and
VPN authorization.
During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and
authenticates to the LDAP server either in plain text or using the Simple Authentication and Security
Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a
username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can
secure the communications between the security appliance and the LDAP server with SSL.
Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with
SSL.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data that
is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a
single step.
For example procedures for configuring LDAP authentication or authorization, see
Appendix B, “Configuring an External Server for Authorization and Authentication”.
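The transport choices described above, shown as an ASA CLI LDAP server-group configuration (an added example, not from this guide; ASDM sets the same options in its AAA server group pages). The group names, interface, server address, DNs and password are assumed placeholders; the first group is the plain-text default the Note warns about, the second is the hardened form.

```cisco
! Weak (default): LDAP on TCP/389 with no SASL and no SSL. The bind DN
! password and every user's credentials cross the network in plain text.
! All names, addresses and DNs below are assumed placeholder values.
aaa-server LDAP-PLAIN protocol ldap
aaa-server LDAP-PLAIN (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password REPLACE-ME
 server-type openldap

! Hardened: LDAP over SSL (TCP/636) encrypts the whole exchange, and the
! DIGEST-MD5 SASL mechanism is a challenge-response bind, so the user's
! password is not transmitted even inside the encrypted session.
aaa-server LDAP-SECURE protocol ldap
aaa-server LDAP-SECURE (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 sasl-mechanism digest-md5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password REPLACE-ME
 server-type openldap

! Point a VPN tunnel group at the hardened group so VPN logins use it
tunnel-group EXAMPLE-VPN general-attributes
 authentication-server-group LDAP-SECURE
```

After applying the hardened group, confirm in the LDAP server's logs that binds from the appliance arrive on port 636 and that no plain-text simple binds remain from its address.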
SSO Support for Clientless SSL VPN with HTTP Forms
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of
Clientless SSL VPN only. Single sign-on support lets users enter a username and password only once to
access multiple protected services and Web servers. The Clientless SSL VPN server running on the
security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the
Clientless SSL VPN server sends an SSO authentication request, including username and password, to
the authenticating server using HTTPS. If the server approves the authentication request, it returns an
SSO authentication cookie to the Clientless SSL VPN server. The security appliance keeps this cookie
on behalf of the user and uses it to authenticate the user to secure websites within the domain protected
by the SSO server.
In addition to the HTTP Form protocol, administrators can choose to configure SSO with the HTTP
Basic and NTLM authentication protocols (the auto-signon command), or with the Computer Associates
eTrust SiteMinder SSO server (formerly Netegrity SiteMinder). For an in-depth discussion of
configuring SSO with HTTP Forms, auto-signon or SiteMinder, see the Clientless SSL VPN
chapter.
Local Database Support
The security appliance maintains a local database that you can populate with user profiles.
This section contains the following topics:
User Profiles, page 12-6
Fallback Support, page 12-7