How to Configure LDAP for End Users and Hosts via Active Directory


This Help topic provides instructions for creating LDAP configurations in Access Control that provide authentication and authorization for network end users and host machines via Active Directory.

In Access Control, you can create an Advanced AAA configuration that contains one mapping rule for your host machines and two mapping rules for your users. These mappings are the same except for their LDAP configuration. You need to create two LDAP configurations: one for the hosts mapping and one for the users mapping. The LDAP configurations are identical except for the User Search Attribute. When you have completed these instructions, Access Control uses the new AAA configuration to authenticate both end users and host machines via your Active Directory server.

  1. Select Control > Access Control > Configuration tab.
  2. In the left-panel tree, select the AAA tab to open the AAA Configuration window to the right.
  3. Select the Add button in the AAA Configuration panel to create a new AAA Configuration.
  4. Select LDAP Configuration in the left-panel tree to open the LDAP Configuration window.
  5. Create an LDAP configuration for use with end users that authenticate to the network using the sample below as a guide. Select Save.



  6. Open the Add LDAP Configuration window to add another LDAP configuration that will be used for host machines that authenticate to the network using the sample below as a guide. Note that the only difference between the two LDAP configurations is the User Search Attribute. Select Save.

    Add LDAP Configuration Window

  7. In the left-panel tree, select an AAA Configuration to open the Advanced AAA Configuration window.
  8. In the Authentication Rules panel of the Advanced AAA Configuration window, select the Add button to open the Add User to Authentication Mapping window.
  9. Create your first mapping rule to capture machine authentications using the sample below as a guide. In the example below, host/*.nac2003.com captures the machine authentications for the NAC2003 Active Directory domain. Be sure to select the host LDAP Configuration you created. Select OK.

    Add User to Authentication Mapping Window

  10. Create your second mapping rule to capture end user authentications using the sample below as a guide. In the example below, *@nac2003.com captures all users logging in to the NAC2003 Active Directory domain when they authenticate with their username in the format <username>@<domain>. Be sure to select the end user LDAP Configuration you created. Select OK.

    Add User to Authentication Mapping Window

  11. Create your third mapping rule to capture other end user authentications using the sample below as a guide. In the example below, NAC2003\* captures all users logging in to the NAC2003 Active Directory domain when they authenticate with their username in the format <domain>\<username>. Be sure to select the end user LDAP Configuration you created. Select OK.

    Add User to Authentication Mapping Window

  12. In the left-panel tree, select an AAA Configuration to open the Advanced AAA Configuration window. Use the Up and Down buttons to move your new mappings above the "Any" mappings in the list of mappings. Select Save.
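As an added illustration (not part of this help topic or of the product's own code), the following Python model shows how the three ordered mapping rules above select an LDAP configuration and build the directory search filter, and why the "Any" mapping must stay below them. The configuration names, the search attributes standing in for each User Search Attribute, and case-insensitive matching are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed rule table: the three mappings from the steps above plus the
# "Any" mapping they must sit above. Evaluation is first match wins, so
# list order is the priority order set with the Up/Down buttons.
# The search attributes are assumptions standing in for the User Search
# Attribute of each LDAP configuration, not values from the help topic.
LDAP_CONFIGS = {
    "ad-hosts": "dNSHostName",     # assumption: host LDAP configuration
    "ad-users": "sAMAccountName",  # assumption: end-user LDAP configuration
}
MAPPING_RULES = [
    ("host/*.nac2003.com", "ad-hosts"),  # machine authentications
    ("*@nac2003.com", "ad-users"),       # <username>@<domain>
    ("NAC2003\\*", "ad-users"),          # <domain>\<username>
    ("*", None),                         # "Any": no AD lookup in this model
]


def escape_filter_value(value):
    """RFC 4515 escaping so the identity cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def identity_for_search(username):
    """Strip the realm decoration matched by the rule, keeping the bare name."""
    if username.lower().startswith("host/"):
        return username[len("host/"):]
    if "\\" in username:
        return username.split("\\", 1)[1]
    if "@" in username:
        return username.rsplit("@", 1)[0]
    return username


def resolve(username, rules=MAPPING_RULES):
    """Return (ldap config name, search filter) for the first matching rule.

    Matching is case-insensitive here (an assumption about the product).
    A None config means the request fell through to the "Any" mapping.
    """
    for pattern, config in rules:
        if fnmatchcase(username.lower(), pattern.lower()):
            if config is None:
                return None, None
            attr = LDAP_CONFIGS[config]
            value = escape_filter_value(identity_for_search(username))
            return config, "(%s=%s)" % (attr, value)
    raise ValueError("no mapping rule matched %r" % username)


if __name__ == "__main__":
    for who in ("host/pc1.nac2003.com", "jdoe@nac2003.com", "NAC2003\\jdoe", "guest"):
        print(who, "->", resolve(who))
```

Passing the rules in reverse order shows the failure the Up/Down step prevents: every identity hits "Any" first and never reaches an LDAP configuration.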

You can configure your LDAP policy mappings and/or LDAP user groups based on the attributes from either your host or user LDAP configurations.

