Cisco Acs 5x User Guide
Here you can view all the pages of manual Cisco Acs 5x User Guide. The Cisco manuals for Control System are available online for free. You can easily download all the documents as PDF.
Page 181
8-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores
Step 2 Click Next.
Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29.
Configuring External LDAP Directory Organization
Use this page to configure an external LDAP identity store.
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click any of the following: Create and follow the wizard until...
Page 182
Table 8-8 LDAP: Directory Organization Page
Option / Description
Schema
Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject, some of which are shared with other object types. This box should contain...
Page 183
Subject Search Base: Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com
If the tree containing subjects is the base DN, enter: o=corporation.com or dc=corporation,dc=com as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.
Group Search...
Page 184
Step 2 Click Finish. The external identity store you created is saved.
Username Prefix\Suffix Stripping
Strip start of subject name up to the last occurrence of the separator: Enter the appropriate text to remove domain prefixes from usernames. If, in the username, ACS finds the delimiter character that is specified in the start_string box, it...
Page 185
Related Topics
Configuring LDAP Groups, page 8-33
Deleting External LDAP Identity Stores, page 8-33
Deleting External LDAP Identity Stores
You can delete one or more external LDAP identity stores simultaneously. To delete an external LDAP identity store:
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. The LDAP Identity...
Page 186
Viewing LDAP Attributes
Use this page to view the external LDAP attributes.
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Check the check box next to the LDAP identity store whose attributes you want to view, click Edit, and then click the Directory Attributes tab.
Step 3 In the Name of example Subject to Select...
Page 187
This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other than port-based authentication (typically endpoint MAC address-based) in order for them to connect to the network. Cisco NAC Profiler provides a solution for...
Page 188
Figure 8-1 LDAP Interface Configuration in NAC Profiler
Step 5 Click Update Server.
Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page appears.
Step 7 Click Update Modules to enable LDAP to be used by ACS.
You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler....
Page 189
Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears.
Step 3 Click on the name of a profile to edit it.
Step 4 In the Save Profile page, ensure that the LDAP option is enabled by clicking the Yes radio button next to it, if it is not already done as shown in Figure 8-2.
Figure 8-2 Configuring...
Page 190
To edit the NAC Profiler template in ACS:
Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Click on the name of the NAC Profiler template or check the check box next to the NAC Profiler template and click Edit. The Edit NAC Profiler definition page appears as shown in Figure 8-3.
Figure 8-3 Edit NAC Profiler Definition...