Cisco NAC Guest Server Installation and Configuration Guide
OL-15986-01
Chapter 4 Configuring Sponsor Authentication
Configuring Active Directory (AD) Authentication
Active Directory Authentication authenticates sponsor users to the Guest Server using their existing AD
user accounts. This keeps sponsors from having to remember another set of user names and passwords
just to authenticate to the Guest Server. It also enables the administrator to quickly roll out Guest Access
because there is no need to create and manage additional sponsor accounts. Active Directory
authentication allows you to do the following:
• Add Active Directory Domain Controller
• Edit Existing Domain Controller
• Delete Existing Domain Controller Entry
AD authentication supports authentication against multiple domain controllers. The domain controllers
can be part of the same Active Directory to provide resilience, or they can be in different Active
Directories so that the Guest Server can authenticate sponsor users from separate domains, even where
no trust relationship is configured.
All Active Directory Authentication is performed against individual domain controller entries. A domain
controller entry consists of 6 items:
• Server Name—A text description to identify the domain controller. As a best practice, Cisco
recommends identifying the domain controller and the account suffix in this field (although it can
be set to anything that you choose).
• User Account Suffix—Every user in Active Directory has a full user logon name of the form
“username@domain.” Typing the @domain suffix (including the @ symbol) in this field lets sponsor
users log in with just their username instead of their full user logon name.
• Domain Controller IP Address—The IP address of the domain controller that the sponsor user
authenticates against.
• Base DN—The root of the Active Directory. This allows an LDAP search to be performed to find
the user group of the sponsor.
• AD Username—The user account that has permissions to search the AD. This allows an LDAP
search for the user group of the sponsor.
• AD Password—The password for the user account that has permissions to search the AD.
To allow you to authenticate different user account suffixes against the same domain controller, you can
create multiple domain controller entries with the same IP address and different User Account Suffixes.
All that needs to be different in each entry is the Server Name, User Account Suffix and Base DN.
To provide resilience in the event of a domain controller failure, you can enter multiple entries for the
same User Account Suffix with different Domain Controller IP Addresses. All that needs to be different
in each entry is the Server Name.
The Guest Server attempts to authenticate sponsors against each Domain Controller entry according to the Authentication Order specified in Configuring Sponsor Authentication Settings, page 4-18.
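The following Python model is an added example, not Cisco code and not taken from this guide. It shows how the six fields of a domain controller entry are used together: the User Account Suffix is appended to a short login, the sponsor's password is checked by binding to the Domain Controller IP Address, the AD Username and AD Password are used for an LDAP search for the sponsor's group below the Base DN, and the entries are tried in authentication order so that an unreachable replica is skipped. The IP addresses, domain names, accounts, passwords and group DNs are constructed, and the domain controllers are replaced by an in-memory stand-in so the example runs offline.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DomainControllerEntry:
    """The six items of a domain controller entry, as listed in the guide."""
    server_name: str          # free-text label, e.g. "corp-dc1 @corp.example.com"
    user_account_suffix: str  # "@domain", including the @ symbol
    dc_ip: str                # domain controller the sponsor authenticates against
    base_dn: str              # root of the directory for the group search
    ad_username: str          # account permitted to search the directory
    ad_password: str


class DomainControllerUnreachable(Exception):
    """Raised when a (simulated) domain controller does not answer."""


# Constructed stand-in for real domain controllers, keyed by IP address.  Each one
# knows the credentials it accepts on bind and the group DN of every user it holds.
FAKE_DIRECTORIES = {
    "10.0.0.11": {  # corp domain, replica that is currently down
        "reachable": False, "users": {},
        "search_account": ("svc-guest@corp.example.com", "svc-pw"),
    },
    "10.0.0.12": {  # corp domain, healthy replica of the same directory
        "reachable": True,
        "search_account": ("svc-guest@corp.example.com", "svc-pw"),
        "users": {"alice@corp.example.com":
                  ("S3cret!", "CN=Sponsors,OU=Groups,DC=corp,DC=example,DC=com")},
    },
    "10.0.0.21": {  # separate forest with no trust relationship to corp
        "reachable": True,
        "search_account": ("ldap-ro@partner.example.net", "ro-pw"),
        "users": {"bob@partner.example.net":
                  ("hunter2", "CN=GuestSponsors,DC=partner,DC=example,DC=net")},
    },
}

CORP_BASE = "DC=corp,DC=example,DC=com"
# Authentication order: two entries for one suffix (resilience), one for another forest.
AUTH_ORDER = [
    DomainControllerEntry("corp-dc1 @corp.example.com", "@corp.example.com",
                          "10.0.0.11", CORP_BASE, "svc-guest@corp.example.com", "svc-pw"),
    DomainControllerEntry("corp-dc2 @corp.example.com", "@corp.example.com",
                          "10.0.0.12", CORP_BASE, "svc-guest@corp.example.com", "svc-pw"),
    DomainControllerEntry("partner-dc @partner.example.net", "@partner.example.net",
                          "10.0.0.21", "DC=partner,DC=example,DC=net",
                          "ldap-ro@partner.example.net", "ro-pw"),
]


def full_logon_name(login: str, suffix: str) -> str:
    """Append the entry's @domain suffix unless the sponsor typed the full logon name."""
    return login if "@" in login else login + suffix


def ldap_bind(dc_ip: str, upn: str, password: str) -> bool:
    """Simulated simple bind: True only if this DC knows the UPN and the password matches."""
    dc = FAKE_DIRECTORIES.get(dc_ip)
    if dc is None or not dc["reachable"]:
        raise DomainControllerUnreachable(dc_ip)
    if (upn, password) == dc["search_account"]:
        return True
    record = dc["users"].get(upn)
    return record is not None and record[0] == password


def sponsor_group(entry: DomainControllerEntry, upn: str) -> Optional[str]:
    """Bind with the AD search account and look up the sponsor's group below Base DN."""
    if not ldap_bind(entry.dc_ip, entry.ad_username, entry.ad_password):
        return None
    record = FAKE_DIRECTORIES[entry.dc_ip]["users"].get(upn)
    if record is None:
        return None
    group_dn = record[1]
    # An LDAP search is scoped to the base DN; a group outside it is simply not found.
    return group_dn if group_dn.lower().endswith(entry.base_dn.lower()) else None


def authenticate_sponsor(login: str, password: str, entries):
    """Try each entry in authentication order; skip unreachable DCs, stop on first success."""
    for entry in entries:
        upn = full_logon_name(login, entry.user_account_suffix)
        try:
            if not ldap_bind(entry.dc_ip, upn, password):
                continue  # unknown user or wrong password on this DC: try the next entry
        except DomainControllerUnreachable:
            continue  # resilience: a failed replica falls through to the next entry
        group = sponsor_group(entry, upn)
        if group is not None:
            return entry.server_name, group
    return None  # no entry accepted the sponsor


if __name__ == "__main__":
    print(authenticate_sponsor("alice", "S3cret!", AUTH_ORDER))
    print(authenticate_sponsor("bob@partner.example.net", "hunter2", AUTH_ORDER))
    print(authenticate_sponsor("alice", "wrong", AUTH_ORDER))
```

Running it shows "alice" being served by the second corp entry after the first replica is skipped, "bob" authenticating against the separate forest with his full logon name, and a wrong password being refused by every entry. The lookup of the group through the dedicated AD search account, rather than through the sponsor's own bind, is why that account needs only read permission on the directory.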