cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1981
Views
9
Helpful
3
Replies

Kerberos vs ldap authentication for anyconnect clients

zafar_118
Level 1
Level 1

Hi,

I have cisco ASA that remote clients will be connecting to for VPN (using cisco client). I want users authentication to be done through active directory but really not sure which method should i use? What is advantage of one over other?.

Thanks         

3 Replies 3

Jeet Kumar
Cisco Employee
Cisco Employee

Hi Zafar

I would say go for LDAP it give you more option than KERBROS apart from just authenticating users.

Using LDAP you can make sure only one specific group could connect using VPN.

YOu can assign group-policies on tha basis of users.

It gives you more option than kerbros.

I hope that answers your question.

Thanks

Jeet Kumar

Hi Jeet,

Thanks for your quick response. Can you please tell in little more detail how, when using ldap, i can make one specfic group to connect using vpn. Also you mentioned, "YOu can assign group-policies on tha basis of users.", will those group policies be applied at ASA or ldap server.

Thanks

Hi Zafar,

Frequently, administrators want to provide VPN users with different access permissions or WebVPN content. On the ASA this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map.

In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute.

In order to get better understanding and review the configuration example, I'd encourage you to visit the below listed link. In case you may have any query/ concern, post all your doubts here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Why we prefer ldap over kerberos. The only reason is with kerberos though you can encrypt the whole packet however it would not allow you to restrict user authorization. With LDAP, you will get this flexibility. In case you would like to configure or troubleshoot kerberos in your setup ever, don't forget to review this document:

https://supportforums.cisco.com/docs/DOC-2974

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin