Ldap organizational units and groups, Domain filtering – Cisco 3.3 User Manual

Chapter 13 User Databases

Generic LDAP

13-34

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

For each LDAP instance, you can add it to or leave it out of the Unknown User Policy. For more information, see About Unknown User Authentication, page 15-4.

For each LDAP instance, you can establish a unique group mapping. For more information, see Group Mapping by Group Set Membership, page 16-4.

Maintaining multiple LDAP instances is also important when you use domain filtering. For more information, see Domain Filtering, page 13-34.

LDAP Organizational Units and Groups

LDAP groups do not need to have the same name as their corresponding Cisco Secure ACS groups. An LDAP group can be mapped to a Cisco Secure ACS group with any name you want to assign. For more information about how your LDAP database handles group membership, see your LDAP database documentation. For more information on LDAP group mappings and Cisco Secure ACS, see Chapter 16, “User Group Mapping and Specification”.

Domain Filtering

Using domain filtering, you can control which LDAP instance is used to
authenticate a user based on domain-qualified usernames. Domain filtering is
based on parsing the characters either at the beginning or end of a username
submitted for authentication. Domain filtering provides you with greater control
over the LDAP instance that Cisco Secure ACS submits any given user
authentication request to. You also have control of whether usernames are
submitted to an LDAP server with their domain qualifiers intact.

For example, when EAP-TLS authentication is initiated by a Windows XP client, Cisco Secure ACS receives the username in username@domainname format. When PEAP authentication is initiated by a Cisco Aironet end-user client, Cisco Secure ACS receives the username without a domain qualifier. If both clients are to be authenticated with an LDAP database that stores usernames without domain qualifiers, Cisco Secure ACS can strip the domain qualifier. If separate user accounts are maintained in the LDAP database—both domain-qualified and non-domain-qualified user accounts—Cisco Secure ACS can pass usernames to the LDAP database without domain filtering.
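The following Python model shows the two decisions domain filtering makes for each authentication request: which LDAP instance receives it, and whether the username is submitted with or without its domain qualifier. It is an added example written for this page, not Cisco Secure ACS code and not its configuration format. The `DomainFilter` rule shape, the instance names, the `domain\user` prefix form with a backslash delimiter (the page itself only names the `username@domainname` suffix form), and the fall-through to a default instance for unqualified or unmatched usernames are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DomainFilter:
    """One domain-filtering rule (a constructed model, not the ACS configuration format)."""
    instance: str          # LDAP instance that receives requests matching this rule
    domain: str            # domain qualifier to match, compared case-insensitively
    position: str          # "suffix" for user@domain, "prefix" for domain\user
    delimiter: str         # character separating the qualifier from the username
    strip_qualifier: bool  # True: submit the bare username; False: submit it intact


def split_qualified(username: str, delimiter: str, position: str) -> Optional[Tuple[str, str]]:
    """Return (bare_username, domain) if the username carries a qualifier in the
    given position, else None. Suffixes split at the last delimiter and prefixes
    at the first, so a username that itself contains the delimiter character is
    still split at the qualifier boundary."""
    if position == "suffix":
        bare, sep, domain = username.rpartition(delimiter)
    elif position == "prefix":
        domain, sep, bare = username.partition(delimiter)
    else:
        raise ValueError(f"unknown position {position!r}")
    if not sep or not bare or not domain:
        return None
    return bare, domain


def route_authentication(username: str, filters: List[DomainFilter],
                         default_instance: str) -> Tuple[str, str]:
    """Select the LDAP instance for a username and the form in which the username
    is submitted to it. Rules are tried in order; the first whose domain matches
    wins. Usernames with no qualifier, or with a qualifier no rule matches, fall
    through to default_instance unchanged (an assumption for this example; ACS
    would instead consult its Unknown User Policy)."""
    for rule in filters:
        parts = split_qualified(username, rule.delimiter, rule.position)
        if parts is None:
            continue
        bare, domain = parts
        if domain.lower() != rule.domain.lower():
            continue
        return rule.instance, (bare if rule.strip_qualifier else username)
    return default_instance, username


# Constructed rule set: one suffix-qualified domain whose LDAP directory stores
# bare usernames (so the qualifier is stripped), and one prefix-qualified domain
# whose directory stores the qualified form (so the username is passed intact).
FILTERS = [
    DomainFilter("ldap-corp", "corp.example", "suffix", "@", strip_qualifier=True),
    DomainFilter("ldap-legacy", "LEGACY", "prefix", "\\", strip_qualifier=False),
]

if __name__ == "__main__":
    for name in ["alice@corp.example", "LEGACY\\bob", "carol", "dave@other.example"]:
        print(name, "->", route_authentication(name, FILTERS, "ldap-default"))
```

Running the block shows `alice@corp.example` going to `ldap-corp` as `alice`, `LEGACY\bob` going to `ldap-legacy` unchanged, and the unqualified `carol` and the unmatched `dave@other.example` falling through to the default instance. Matching the qualifier case-insensitively matters because clients commonly differ in how they capitalize domain names, and a rule that matched only one spelling would silently send the other form to the wrong instance.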