Ldap Operation For User Login - Cisco Nexus 9000 Series Configuration Manual
Nx-os security configuration guide, release 9.x
Hide thumbs
Also See for Nexus 9000 Series:
- Configuration manual (276 pages) ,
- Troubleshooting manual (126 pages) ,
- Quick start configuration manual (6 pages)
Table of Contents
Advertisement
LDAP Operation for User Login
You can configure the bind operation to first bind and then search, where authentication is performed first
and authorization next, or to first search and then bind. The default method is to first search and then bind.
The advantage of searching first and binding later is that the distinguished name (DN) received in the search
result can be used as the user DN during binding rather than forming a DN by prepending the username (cn
attribute) with the baseDN. This method is especially helpful when the user DN is different from the username
plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where
append-with-baseDN has a default value of cn=$userid.
Note
As an alternative to the bind method, you can establish LDAP authentication using the compare method,
which compares the attribute values of a user entry at the server. For example, the user password attribute can
be compared for authentication. The default password attribute type is userPassword.
LDAP Operation for User Login
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using LDAP,
the following actions occur:
1. When the Cisco NX-OS device establishes a connection, it contacts the LDAP daemon to obtain the
username and password.
2. The Cisco NX-OS device eventually receives one of the following responses from the LDAP daemon:
After authentication, the user also undergoes an additional authorization phase if authorization has been
enabled on the Cisco NX-OS device. Users must first successfully complete LDAP authentication before
proceeding to LDAP authorization.
3. If LDAP authorization is required, the Cisco NX-OS device again contacts the LDAP daemon, and it
returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that
are used to direct the EXEC or NETWORK session for that user and determines the services that the user
can access. Services include the following:
Note
LDAP allows an arbitrary conversation between the daemon and the user until the daemon receives enough
information to authenticate the user. This action is usually done by prompting for a username and password
combination but may include prompts for other items.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
106
• ACCEPT—User authentication succeeds and service begins. If the Cisco NX-OS device requires
user authorization, authorization begins.
• REJECT—User authentication fails. The LDAP daemon either denies further access to the user or
prompts the user to retry the login sequence.
• ERROR—An error occurs at some time during authentication either at the daemon or in the network
connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives
an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating
the user.
• Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
• Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user
timeouts
Configuring LDAP
- Quick Links:
- Radius and Tacacs+ Security Protocols
Hide quick links:
Advertisement
Table of Contents
