Ldap organizational units and groups, Domain filtering – Cisco 3.3 User Manual
Page 518
Chapter 13 User Databases
Generic LDAP
13-34
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
For each LDAP instance, you can add or leave it out of the Unknown User Policy.
For more information, see
About Unknown User Authentication, page 15-4
For each LDAP instance, you can establish unique group mapping. For more
information, see
Group Mapping by Group Set Membership, page 16-4
Multiple LDAP instances is also important when you use domain filtering. For
more information, see
.
LDAP Organizational Units and Groups
LDAP groups do not need to have the same name as their corresponding
Cisco Secure ACS groups. The LDAP group can be mapped to a Cisco Secure
ACS group with any name you want to assign. For more information about how
your LDAP database handles group membership, see your LDAP database
documentation. For more information on LDAP group mappings and
Cisco Secure ACS, see
Chapter 16, “User Group Mapping and Specification”
.
Domain Filtering
Using domain filtering, you can control which LDAP instance is used to
authenticate a user based on domain-qualified usernames. Domain filtering is
based on parsing the characters either at the beginning or end of a username
submitted for authentication. Domain filtering provides you with greater control
over the LDAP instance that Cisco Secure ACS submits any given user
authentication request to. You also have control of whether usernames are
submitted to an LDAP server with their domain qualifiers intact.
For example, when EAP-TLS authentication is initiated by a Windows XP client,
Cisco Secure ACS receives the username in
username@domainname
format. When
PEAP authentication is initiated by a Cisco Aironet end-user client, Cisco Secure
ACS receives the username without a domain qualifier. If both clients are to be
authenticated with an LDAP database that stores usernames without domain
qualifiers, Cisco Secure ACS can strip the domain qualifier. If separate user
accounts are maintained in the LDAP database—both domain-qualified and
non-domain-qualified user accounts—Cisco Secure ACS can pass usernames to
the LDAP database without domain filtering.