Filter
Top Products
6-38
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
LDAP Hierarchy Location The base distinguished name (DN), which is the location in the LDAP
hierarchy where the authentication server should being searching when
it receives an authorization request. For example, OU=Cisco. The
maximum length is 128 characters.
The string is case-sensitive. Spaces are not permitted, but other special
characters are allowed.
PIX/ASA/FWSM Tab
LDAP Scope The extent of the search the server should make in the LDAP hierarchy
when it receives an authorization request. The available options are:
• onelevel—Searches only one level beneath the base DN. This type
of search scope is faster than a subtree search, because it is less
comprehensive. This is the default.
• subtree—Searches all levels beneath the base DN (that is, searches
the entire subtree hierarchy). This option takes more time.
LDAP Distinguished Name The Relative Distinguished Name attribute (or attributes) that uniquely
identifies an entry on the LDAP server. Common naming attributes are
Common Name (CN), sAMAccountName, userPrincipalName, and
User ID (uid). The case-sensitive, alphanumeric string can be up to 128
characters. Spaces are not permitted in the string, but other special
characters are allowed.
SASL MD5 Authentication
SASL Kerberos
Authentication
Kerberos Server Group
These options establish a Simple Authentication and Security Layer
(SASL) mechanism to authenticate an LDAP client (the
ASA/PIX/FWSM device) with an LDAP server. If you do not select one
of these options, the simple mechanism is used, and usernames and
passwords are transmitted in clear text.
You can define one or both SASL authentication mechanisms. When
negotiating SASL authentication, the ASA/PIX/FWSM device
retrieves the list of SASL mechanisms configured on the LDAP server
and selects the strongest mechanism configured on both devices.
• SASL MD5 Authentication—Whether to have the device send the
LDAP server an MD5 value computed from the username and
password. You must configure the LDAP server to store the user
passwords in reversible manner, or the LDAP server will not be
able to validate the passwords.
• SASL Kerberos Authentication—Whether to have the device send
the LDAP server the username and realm using the GSSAPI
(Generic Security Services Application Programming Interface)
Kerberos mechanism. This mechanism is stronger than the MD5
mechanism.
If you select Kerberos, you must also enter the name of the
Kerberos AAA server group used for SASL authentication. The
maximum length is 16 characters.
Table 6-11 AAA Server Dialog Box—LDAP Settings (Continued)
Element Description