Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
614
Views
10
Helpful
3
Replies

ACS - LDAP or AD

Go to solution
Chen Reshef
Level 1
Level 1

‎01-06-2014 03:45 AM - edited ‎03-10-2019 09:14 PM

Hi PPL,

Currently i have 4 ACS's synced with AD.

Due to security concern we thinking of going to LDAP.

I can't find exactly what i'll lose/gain on each method.

Can someone provide more information ?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-06-2014 08:04 AM

Chen,

You lose the ability to failover to more than two servers in your deployment. If your ACS are spread across all datacenters you do not have the ability to configure seperate ldap servers for each DC as well. ACS and AD operations rely on sites and services so that the closest DC based on this configuration is preferred.

If password management for remote access vpn (anyconnect) is desired you need MS-CHAP to accomplish this, LDAP does not support this protocol.

Also if you are using 802.1x, there are only a few eap authentication methods referenced here that support LDAP.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-06-2014 08:04 AM

Chen,

You lose the ability to failover to more than two servers in your deployment. If your ACS are spread across all datacenters you do not have the ability to configure seperate ldap servers for each DC as well. ACS and AD operations rely on sites and services so that the closest DC based on this configuration is preferred.

If password management for remote access vpn (anyconnect) is desired you need MS-CHAP to accomplish this, LDAP does not support this protocol.

Also if you are using 802.1x, there are only a few eap authentication methods referenced here that support LDAP.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
Chen Reshef
Level 1
Level 1
In response to Tarik Admani

‎01-07-2014 01:43 AM

So it look like not much of cons to working with LDAP, right ?

Can I still use groups ?

0 Helpful

Go to solution
edwjames
Level 3
Level 3
In response to Chen Reshef

‎01-07-2014 05:29 AM

Yes, you can use groups, not many cons, As Tarik mentioned MSCHAP is the only major let down.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1140082

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
Customers Also Viewed These Support Documents