Cisco NAC Guest Server Installation and Configuration Guide
OL-15986-01
Configuring Active Directory (AD) Authentication
Active Directory authentication authenticates sponsor users to the Guest Server using their existing AD
user accounts. This spares sponsors from having to remember another set of usernames and passwords
just to authenticate to the Guest Server, and it enables the administrator to roll out Guest Access quickly
because there is no need to create and manage additional sponsor accounts. Active Directory
authentication allows you to do the following:
Add Active Directory Domain Controller
Edit Existing Domain Controller
Delete Existing Domain Controller Entry
AD authentication supports authentication against multiple domain controllers. The domain controllers
can be part of the same Active Directory to provide resilience, or they can be in different Active
Directories so that the Guest Server can authenticate sponsor users from separate domains, even where
no trust relationship is configured.
All Active Directory authentication is performed against individual domain controller entries. A domain
controller entry consists of six items:
Server Name—A text description that identifies the domain controller entry. It is not used to contact
the domain controller. As a best practice, Cisco recommends identifying both the domain controller
and the account suffix in this field (although it can be set to anything that you choose).
User Account Suffix—Every user in Active Directory has a full user logon name of the form
“username@domain.” Typing the @domain suffix (including the @ symbol) in this field lets sponsor
users log in with just their username instead of their full user logon name.
Domain Controller IP Address—The IP address of the domain controller that the sponsor user
authenticates against.
Base DN—The root of the Active Directory (for example, the distinguished name of the domain).
The Guest Server performs an LDAP search below this point to find the user group of the sponsor.
AD Username—The user account that has permission to search the AD. The Guest Server binds as
this account to perform the LDAP search for the user group of the sponsor. Read access to the
directory is all this search requires, so use a dedicated low-privilege account rather than an
administrator account.
AD Password—The password for the user account that has permission to search the AD.
To authenticate different User Account Suffixes against the same domain controller, create multiple
domain controller entries with the same IP address and different User Account Suffixes. All that needs
to be different in each entry is the Server Name, User Account Suffix, and Base DN.
To provide resilience in the event of a domain controller failure, enter multiple entries for the same
User Account Suffix with different Domain Controller IP Addresses. All that needs to be different in
each entry is the Server Name.
The Guest Server attempts to authenticate sponsors against each Domain Controller entry according to
the Authentication Order specified in Configuring Sponsor Authentication Settings, page 4-18.
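The following Python model illustrates the mechanics described in this section: how a sponsor's typed name is combined with the User Account Suffix to form the full logon name, how the account is looked up under the Base DN with an LDAP filter, and how multiple entries for the same suffix give resilience when one domain controller is unreachable. It is an added example written for this page, not Cisco's code and not the Guest Server's implementation. The six field names follow the guide; the connector, the sample directory, the IP addresses and the account names are constructed for the example; and the failover rule (skip an unreachable controller, stop at a controller that rejects the credentials) is an assumption rather than documented Guest Server behaviour. The filter escaping shown is RFC 4515 escaping, which keeps a sponsor-typed name from altering the group search.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DomainControllerEntry:
    """The six items of one domain controller entry (names follow the guide)."""
    server_name: str
    user_account_suffix: str  # "@domain", including the @ symbol
    ip_address: str
    base_dn: str
    ad_username: str
    ad_password: str


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an LDAP assertion value, so that a sponsor-typed
    name such as 'jsmith)(cn=*' cannot widen the group search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def full_logon_name(typed: str, entry: DomainControllerEntry) -> Optional[str]:
    """Return the username@domain this entry would bind as, or None when the
    sponsor typed a full logon name whose suffix belongs to another entry."""
    if "@" not in typed:
        return typed + entry.user_account_suffix
    if typed.lower().endswith(entry.user_account_suffix.lower()):
        return typed
    return None


def group_search_filter(upn: str) -> str:
    """Filter for the search under Base DN that locates the sponsor's account."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(upn)


# Connector signature: (entry, upn, password, ldap_filter) -> list of group names.
# Raises ConnectionError when the controller is unreachable and PermissionError
# when a reachable controller rejects the credentials.
Connector = Callable[[DomainControllerEntry, str, str, str], List[str]]


def authenticate_sponsor(typed: str, password: str,
                         entries: List[DomainControllerEntry],
                         connect: Connector) -> Optional[Tuple[str, List[str]]]:
    """Try the entries in Authentication Order. An unreachable controller is
    skipped so a second entry for the same suffix can take over; a reachable
    controller that rejects the credentials ends the attempt (assumed rule,
    not documented Guest Server behaviour)."""
    for entry in entries:
        upn = full_logon_name(typed, entry)
        if upn is None:
            continue
        try:
            groups = connect(entry, upn, password, group_search_filter(upn))
        except ConnectionError:
            continue
        except PermissionError:
            return None
        return entry.server_name, groups
    return None


# Constructed sample directory standing in for real domain controllers:
# ip -> reachability plus upn -> (password, groups).
FAKE_DIRECTORY: Dict[str, dict] = {
    "10.0.0.11": {"reachable": False, "users": {}},
    "10.0.0.12": {"reachable": True,
                  "users": {"jsmith@example.com": ("Summer2009", ["Sponsors"])}},
    "10.0.1.11": {"reachable": True,
                  "users": {"asmith@partner.test": ("Guest!1", ["PartnerSponsors"])}},
}


def fake_connector(entry: DomainControllerEntry, upn: str, password: str,
                   ldap_filter: str) -> List[str]:
    """Stand-in for the LDAP bind and search against entry.ip_address."""
    dc = FAKE_DIRECTORY[entry.ip_address]
    if not dc["reachable"]:
        raise ConnectionError(entry.ip_address)
    record = dc["users"].get(upn)
    if record is None or record[0] != password:
        raise PermissionError(upn)
    # A real search would evaluate ldap_filter under entry.base_dn; here we
    # only check that the escaped UPN is the value being searched for.
    if "userPrincipalName=%s)" % escape_filter_value(upn) not in ldap_filter:
        raise ValueError("unexpected filter: " + ldap_filter)
    return list(record[1])


# Two resilience entries for @example.com and one entry for a separate,
# untrusted directory, listed in Authentication Order (constructed values).
ENTRIES = [
    DomainControllerEntry("dc1 example.com", "@example.com", "10.0.0.11",
                          "dc=example,dc=com", "svc-guest", "s3cret"),
    DomainControllerEntry("dc2 example.com", "@example.com", "10.0.0.12",
                          "dc=example,dc=com", "svc-guest", "s3cret"),
    DomainControllerEntry("dc1 partner.test", "@partner.test", "10.0.1.11",
                          "dc=partner,dc=test", "svc-guest", "0ther"),
]

if __name__ == "__main__":
    print(authenticate_sponsor("jsmith", "Summer2009", ENTRIES, fake_connector))
    print(authenticate_sponsor("asmith@partner.test", "Guest!1", ENTRIES, fake_connector))
    print(authenticate_sponsor("jsmith)(cn=*", "Summer2009", ENTRIES, fake_connector))
```

In the first call the sponsor types only "jsmith"; the first @example.com entry is unreachable, so the second entry for the same suffix answers, which is the resilience arrangement described above. The second call shows a sponsor from a separate directory logging in with a full logon name, which is matched to the entry whose suffix it carries. The third call shows why the filter value is escaped: the injected characters reach the directory as literal text and the lookup simply fails.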