Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1903
Views
9
Helpful
3
Replies

Kerberos vs ldap authentication for anyconnect clients

zafar_118
Level 1
Level 1

‎09-13-2013 08:04 AM - edited ‎02-21-2020 07:09 PM

Hi,

I have cisco ASA that remote clients will be connecting to for VPN (using cisco client). I want users authentication to be done through active directory but really not sure which method should i use? What is advantage of one over other?.

Thanks         

Labels:
0 Helpful
3 Replies 3

Jeet Kumar
Cisco Employee
Cisco Employee

‎09-13-2013 09:27 AM

Hi Zafar

I would say go for LDAP it give you more option than KERBROS apart from just authenticating users.

Using LDAP you can make sure only one specific group could connect using VPN.

YOu can assign group-policies on tha basis of users.

It gives you more option than kerbros.

I hope that answers your question.

Thanks

Jeet Kumar

zafar_118
Level 1
Level 1
In response to Jeet Kumar

‎09-14-2013 09:00 AM

Hi Jeet,

Thanks for your quick response. Can you please tell in little more detail how, when using ldap, i can make one specfic group to connect using vpn. Also you mentioned, "YOu can assign group-policies on tha basis of users.", will those group policies be applied at ASA or ldap server.

Thanks

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to zafar_118

‎09-22-2013 02:10 AM

Hi Zafar,

Frequently, administrators want to provide VPN users with different access permissions or WebVPN content. On the ASA this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map.

In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute.

In order to get better understanding and review the configuration example, I'd encourage you to visit the below listed link. In case you may have any query/ concern, post all your doubts here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Why we prefer ldap over kerberos. The only reason is with kerberos though you can encrypt the whole packet however it would not allow you to restrict user authorization. With LDAP, you will get this flexibility. In case you would like to configure or troubleshoot kerberos in your setup ever, don't forget to review this document:

https://supportforums.cisco.com/docs/DOC-2974

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents