Cisco ASA Series CLI Configuration Guide, page 1-7
Chapter 1 Configuring AAA Servers and the Local Database
Information About AAA
• Kerberos—The ASA responds to the LDAP server by sending the username and realm using the GSSAPI Kerberos mechanism.
You can configure the ASA and LDAP server to support any combination of these SASL mechanisms. If you configure multiple mechanisms, the ASA retrieves the list of SASL mechanisms that are configured on the server and sets the authentication mechanism to the strongest mechanism configured on both the ASA and the server. For example, if both the LDAP server and the ASA support both mechanisms, the ASA selects Kerberos, the stronger of the mechanisms.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user. For VPN authentication, these attributes generally include authorization data that is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
LDAP Server Types
The ASA supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server), Microsoft Active Directory, Novell, OpenLDAP, and other LDAPv3 directory servers.
By default, the ASA auto-detects whether it is connected to Microsoft Active Directory, Sun LDAP, Novell, OpenLDAP, or a generic LDAPv3 directory server. However, if auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft, Sun, or generic LDAP server, you can manually configure the server type.
When configuring the server type, note the following guidelines:
• The DN configured on the ASA to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACL on the default password policy.
• You must configure LDAP over SSL to enable password management with Microsoft Active Directory and Sun servers.
• The ASA does not support password management with Novell, OpenLDAP, and other LDAPv3 directory servers.
• The ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust relationship (bind) with an LDAP server. For more information, see the “Binding the ASA to the LDAP Server” section on page 1-4.
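The following is an added example, not code from the Cisco guide, that models two rules this section states: the SASL mechanism selection (strongest mechanism configured on both the ASA and the server) and the server-type guidelines for password management and the bind DN. The mechanism name digest-md5 as the second SASL mechanism, the server-type strings, and the `LdapServerConfig` fields are assumptions for illustration.

```python
from dataclasses import dataclass

# Strength order, strongest first. The guide names Kerberos (GSSAPI) the
# stronger mechanism; Digest-MD5 as the other one is assumed from the
# preceding page of the guide, not stated in this section.
SASL_STRENGTH = ["kerberos", "digest-md5"]


def select_sasl_mechanism(asa_configured, server_supported):
    """Return the strongest SASL mechanism present on both sides.

    Mirrors the guide's rule: the ASA reads the server's mechanism list and
    picks the strongest one that is also configured locally. Returns None
    when nothing is common, i.e. the ASA would fall back to a simple bind.
    """
    asa = {m.lower() for m in asa_configured}
    server = {m.lower() for m in server_supported}
    for mech in SASL_STRENGTH:
        if mech in asa and mech in server:
            return mech
    return None


@dataclass
class LdapServerConfig:
    """Assumed, simplified view of an ASA LDAP server entry (hypothetical)."""
    server_type: str            # "microsoft", "sun", "novell", "openldap", "generic"
    ldap_over_ssl: bool = False
    password_management: bool = False
    login_dn: str = ""          # DN the ASA binds with


def check_ldap_server(cfg):
    """Return findings for the server-type guidelines in this section."""
    findings = []
    if cfg.password_management:
        if cfg.server_type in ("microsoft", "sun") and not cfg.ldap_over_ssl:
            findings.append("password management requires LDAP over SSL "
                            "for Microsoft and Sun servers")
        elif cfg.server_type in ("novell", "openldap", "generic"):
            findings.append("password management is not supported with "
                            f"{cfg.server_type} servers")
    if not cfg.login_dn:
        findings.append("no Login DN configured: the ASA cannot bind")
    return findings


if __name__ == "__main__":
    # Constructed sample: server advertises both mechanisms, ASA has both.
    print(select_sasl_mechanism(["digest-md5", "kerberos"], ["KERBEROS", "DIGEST-MD5"]))
    print(check_ldap_server(LdapServerConfig("microsoft", False, True, "cn=svc,dc=example,dc=com")))
```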