
Cisco Acs 57 User Guide

Here you can view all the pages of manual Cisco Acs 57 User Guide. The Cisco manuals for Control System are available online for free. You can easily download all the documents as PDF.

Page 161

3   
Managing Users and Identity Stores
Managing External Identity Stores
If you set failover settings and if the first LDAP server that ACS attempts to contact cannot be reached, ACS always attempts 
to contact the other LDAP server. 
The first server ACS attempts to contact might not always be the primary LDAP server. Instead, the first LDAP server that ACS 
attempts to contact depends on the previous LDAP authentication attempts and on the value that you enter in the Failback Retry 
Delay box. 
LDAP...

Page 162

A connection error occurred.
The timeout expired.
The server is down.
The server is out of memory.
The following error is logged as an Unknown User error: 
A user does not exist in the database.
The following error is logged as an Invalid Password error, where the user exists, but the password sent is invalid:
An invalid password was entered.
Group Membership Information Retrieval
For user authentication, user lookup, and MAC...

Page 163

For unsigned integers and IP address attributes, ACS converts the strings that it has retrieved to the corresponding data types. 
If conversion fails, or if no values are retrieved for the attributes, ACS logs a debug message but does not fail the authentication 
or the lookup process.
You can optionally configure default values for the attributes that ACS can use when the conversion fails or when ACS does not 
retrieve any values...

Page 164

You can edit the predefined condition name, and you can create a custom condition from the IdentityDn attribute in the Custom 
condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 5.
To create, duplicate, or edit an external LDAP identity store:
1. Choose Users and Identity Stores > External Identity Stores > LDAP.
The LDAP Identity Stores page appears.
2. Click Create. You can also:
Check the check...

Page 165

Table 43 LDAP: Server Connection Page
Option Description
Server Connection
Enable Secondary Server: Check to enable the secondary LDAP server, which is used as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.
Always Access Primary Server First: Click to ensure that the primary LDAP server is accessed first, before the...

Page 166

Root CA: Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.
Server Timeout  Seconds: Enter the number of seconds that ACS waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed, where  is the number of seconds. Valid values are 1 to 300. (Default = 10.)
Max Admin Connections: Enter...

Page 167

2. Click Next.
3. Continue with Configuring External LDAP Directory Organization, page 37.
Configuring External LDAP Directory Organization
Use this page to configure an external LDAP identity store.
1. Choose Users and Identity Stores > External Identity Stores > LDAP, then click any of the following:
Create and follow the wizard until you reach the Directory Organization page.
Duplicate, then click Next until the Directory...

Page 168

Table 44 LDAP: Directory Organization Page
Option Description
Schema
Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject, some of which are shared with other object types.
This box should contain a value that is not shared. Valid values...

Page 169

Subjects In Groups Are Stored In Member Attribute As: Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either:
Username
Distinguished name
Directory Structure
Subject Search Base: Enter the distinguished name (DN) for the subtree that contains all subjects. For example:
o=corporation.com
If the tree containing subjects is the base DN, enter:
o=corporation.com
or...

Page 170

2. Click Next.
Continue with Configuring LDAP Hostnames in Deployment Configuration, page 40.
Related Topics
Configuring LDAP Groups, page 42
Deleting External LDAP Identity Stores, page 41
Configuring LDAP Hostnames in Deployment Configuration
ACS 5.7 supports configuring different LDAP hostnames for different ACS instances in your deployment. Configuring all ACS 
instances in your deployment to communicate to a single LDAP...