11-28-2011 07:15 AM - edited 02-21-2020 05:44 PM
Hi,
I would like to know if LDAP will be supported with AnyConnect in the coming IOS release? When?
Best regards,
Laurent
11-28-2011 01:32 PM
Laurent,
As far as I know it's still not supported; interestingly, I was able to find cases where people were asking about this, but no related enhancement request to track progress.
Typically we use ACS (via RADIUS) with LDAP/AD backend.
Marcin
11-30-2011 12:26 AM
Hi Marcin,
Perfect. Thanks for your quick reply. I would like to ask you one last question. What is the advantage of having LDAP as a feature if you can connect to AD via a RADIUS server anyway?
Best regards,
Laurent
11-30-2011 01:06 AM
Laurent,
Not sure if this will answer your question.
Having [pure] LDAP is nice if you want to perform authentication and your user base is already populated in AD.
There are no middle steps, just query and reply.
The "problem" with LDAP, especially based on AD, is that all the information about the user that is not primary (username and password I would consider primary) is stored in a way that does not easily apply/map to networking.
On ASA to overcome this we have LDAP attribute mapping where we map attributes from LDAP to common RADIUS ones.
When using AD from ACS I believe (note that I'm not an expert on ACS) you can perform similar mapping, and the response you get is a pure RADIUS one - i.e. easily understood by most networking equipment.
RADIUS gives you more flexibility in terms of Authentication, Authorization and Accounting for networking equipment.
For example (AFAIR) LDAP/AD will not do accounting, nor can it be used to perform NAC functions.
But, for example, both LDAP (over SSL) and RADIUS (via MSCHAPv2) can perform password expiry functions.
Marcin