Cisco Systems OL-15986-01 Security Camera User Manual


 
Cisco NAC Guest Server Installation and Configuration Guide
OL-15986-01
Chapter 4 Configuring Sponsor Authentication
Configuring LDAP Authentication
User Search Filter—The User Search Filter defines how user entries are named in the LDAP server.
For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%).
Place %USERNAME% where the username is to be inserted in the search.
Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method the user object
has one or more attributes that list the groups that the user is a member of. If your LDAP server
uses this method of storing group membership, you need to enter the name of the attribute which
holds the groups the user is a member of. This attribute may be called something like
groupMembership, memberOf, or group.
2. Storing the user membership in an attribute of the group object. With this method there is a
group object that contains a list of the users who are members of the group. If your LDAP server
uses this method, you need to specify the group to check under the LDAP mapping section of a
User Group you want to match the user to.
To determine which method to use, Cisco recommends checking the LDAP documentation for your
server or using an LDAP browser like the one available at http://www.ldapbrowser.com/ to check
the attributes of the server.
Username—The user account that has permissions to search the LDAP server. This is needed so that
the Cisco NAC Guest Server can search for the user account and group mapping information.
Password—The password for the user account that has permissions to search the LDAP server.
Confirm Password—Repeat the password to make sure it matches.
Note: If you do not want to change the password, leaving both password entries empty preserves the
existing password.
Status—Select the status of the LDAP Server. If it is set to Active, the Guest Server will use it for
authenticating sponsors. If it is set to Disabled, it will not be used.
Step 5 Optionally, click the Test Connection button to verify that the settings are correct for the LDAP
server. Test Connection binds to the LDAP server with the specified username and password to verify
that the bind succeeds.
Step 6 Click the Save Settings button.
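The User Search Filter and Group Mapping settings above can be illustrated with a short Python sketch. This is an added example, not code from Cisco or the NAC Guest Server. It assumes the filter template is a complete filter string such as (uid=%USERNAME%), escapes the username per RFC 4515 before substitution, and uses constructed directory entries with hypothetical DNs. Every function name is invented for illustration.

```python
# Added illustration (not Cisco code): expand a User Search Filter template and
# check group membership by both methods the guide describes.

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server treats it as literal text in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute %USERNAME% in a template such as '(uid=%USERNAME%)'."""
    if "%USERNAME%" not in template:
        raise ValueError("template must contain %USERNAME%")
    return template.replace("%USERNAME%", escape_filter_value(username))


def groups_from_user_attribute(user_entry: dict, attribute: str) -> set:
    """Method 1: the user object lists its groups in an attribute (e.g. memberOf)."""
    return {g.lower() for g in user_entry.get(attribute, [])}


def user_in_group_object(group_entry: dict, user_dn: str,
                         attribute: str = "member") -> bool:
    """Method 2: the group object lists its members; look for the user's DN.

    DNs are compared case-insensitively as plain strings (a simplification).
    """
    return user_dn.lower() in {m.lower() for m in group_entry.get(attribute, [])}


# Constructed sample entries; the DNs are hypothetical, not from the guide.
USER = {
    "dn": "uid=jsmith,ou=people,dc=example,dc=com",
    "memberOf": ["cn=sponsors,ou=groups,dc=example,dc=com"],
}
GROUP = {
    "dn": "cn=sponsors,ou=groups,dc=example,dc=com",
    "member": ["uid=jsmith,ou=people,dc=example,dc=com"],
}

if __name__ == "__main__":
    print(build_user_filter("(uid=%USERNAME%)", "jsmith"))
    print(build_user_filter("(cn=%USERNAME%)", "j.smith (ops)*"))
    print(groups_from_user_attribute(USER, "memberOf"))
    print(user_in_group_object(GROUP, USER["dn"]))
```

With method 1, one read of the user entry returns every group. With method 2, each candidate group object has to be read and searched for the user's DN, which is why the guide asks you to name the group under the User Group's LDAP mapping.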
Delete an Existing LDAP Server Entry
Step 1 From the administration interface, select Authentication > Sponsor > LDAP Servers from the menu.
Step 2 Select the LDAP Server from the list (Figure 4-15).