ACS - LDAP or AD

Chen Reshef
Level 1

Hi PPL,

Currently I have 4 ACSs synced with AD.

Due to security concerns we are thinking of going to LDAP.

I can't find exactly what I'll lose/gain with each method.

Can someone provide more information?

Thanks!

Accepted Solution

Tarik Admani
VIP Alumni

Chen,

You lose the ability to failover to more than two servers in your deployment. If your ACS are spread across all datacenters you do not have the ability to configure separate LDAP servers for each DC as well. ACS and AD operations rely on sites and services so that the closest DC based on this configuration is preferred.

If password management for remote access VPN (AnyConnect) is desired you need MS-CHAP to accomplish this; LDAP does not support this protocol.

Also, if you are using 802.1X, there are only a few EAP authentication methods referenced here that support LDAP.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Tarik Admani
*Please rate helpful posts*


3 Replies

So it looks like there are not many cons to working with LDAP, right?

Can I still use groups?

Yes, you can use groups; there are not many cons. As Tarik mentioned, MS-CHAP is the only major letdown.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1140082

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed