LDAP question

ruliffilur
Level 1

Hello

I wonder if there is a limit on how many LDAP sources the ASA supports? We are thinking of using AnyConnect VPN and authenticating users via LDAP to Active Directory; the case is that we have several AD domains.

//Johan

4 Replies

Herbert Baerten
Cisco Employee

Hi Johan,

I don't know off the top of my head how many LDAP servers it supports (if I had to guess I'd say 64); however, if you have multiple domains, you will need either:

- one tunnel-group per domain, each TG pointing to a different aaa-server-group containing the AD server(s) for that domain (having a single aaa-server-group with AD servers of multiple domains will not work as the ASA will not know which server to contact for which domain).

OR

- a single tunnel-group, using a single aaa-server-group containing one or more GCS (global catalog servers). In this case you will certainly not hit any limit regarding the number of servers. The downside is that a GCS does not allow a user to change the password through LDAP(S).

hth

Herbert

After doing some further reading on the subject I can add to that:

- ASA supports up to 16 aaa-server-groups (not sure how many servers per group) so this means with solution 1 above, you can have up to 16 domains.

- solution 2 above works if all domains are in the same AD "forest". If not, you need one tunnel-group and one aaa-server-group per forest (and one or more GCS per forest/server-group).

- by default, a GCS does not return all the attributes that a regular AD-LDAP lookup returns, but you can configure it to return additional attributes:

http://technet.microsoft.com/en-us/library/cc737521(WS.10).aspx

hth

Herbert
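To make the two options from the replies above concrete, here is an added ASA configuration sketch; it is not from the thread or from Cisco documentation. Group names, interface name, IP addresses (192.0.2.0/24 documentation range), DNs and the service-account DN are placeholders, and it assumes a single-tree forest whose root is corp.example.com so that a subtree search from the root covers the child domains. Option 1 gives each domain its own aaa-server group and tunnel-group; option 2 points one group at Global Catalog servers over the GC ports (3268 plain, 3269 over TLS).

```text
! ---- Option 1: one aaa-server group + one tunnel-group per domain ----
aaa-server CORP-LDAP protocol ldap
aaa-server CORP-LDAP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <placeholder>
!
aaa-server LAB-LDAP protocol ldap
aaa-server LAB-LDAP (inside) host 192.0.2.20
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=lab,DC=example,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=lab,DC=example,DC=net
 ldap-login-password <placeholder>
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group CORP-LDAP
 ! password change at logon works here because this is a domain DC over LDAPS
 password-management
tunnel-group CORP-VPN webvpn-attributes
 group-alias CORP enable
!
tunnel-group LAB-VPN type remote-access
tunnel-group LAB-VPN general-attributes
 authentication-server-group LAB-LDAP
 password-management
tunnel-group LAB-VPN webvpn-attributes
 group-alias LAB enable
!
webvpn
 ! lets the AnyConnect user pick the alias (i.e. the domain) at login
 tunnel-group-list enable

! ---- Option 2: one aaa-server group of Global Catalog servers ----
aaa-server FOREST-GC protocol ldap
aaa-server FOREST-GC (inside) host 192.0.2.10
 ! 3269 = Global Catalog over LDAPS (3268 is plain GC LDAP)
 server-port 3269
 ldap-over-ssl enable
 server-type microsoft
 ! forest root DN; subtree scope reaches the child domains held in the GC
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ! UPN is unique forest-wide; sAMAccountName may collide between domains
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <placeholder>
!
tunnel-group FOREST-VPN type remote-access
tunnel-group FOREST-VPN general-attributes
 authentication-server-group FOREST-GC
 ! no password-management: a GC does not accept password changes over LDAP(S)
```

Each additional `host` line in a group carries its own sub-settings (the ASA does not inherit them from the first host), so a second GC for redundancy repeats the same block under a new `aaa-server FOREST-GC (inside) host ...` line. With option 2, any attribute you map through an `ldap attribute-map` (group membership, for example) must be part of the Global Catalog's partial attribute set, which is the point of the TechNet link above.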

Hello Herbert

Many thanks! That was very helpful indeed!

/Johan

Johan,

furthermore there is an enhancement request to get support for multi-domain/multi-forest lookups:

CSCsr16298    ASA: Support for multi-forest/multi-domain native AD integration

which I advise you to discuss with your Cisco account manager should you need this functionality.

cheers

Herbert

PS unless you have any further questions can you please mark this thread as 'resolved' ? It makes it easier for us to spot which threads still need help. Thanks!