Configuring Security Features on an External AAA Server
To configure the LDAP server groups, follow these steps:
Procedure
Step 1
switch# configure terminal
switch(config)#
Enters global configuration mode.
Step 2
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)#
Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
Step 3
switch(config-ldap)# server 10.10.2.2
Configures the LDAP server as a member of the LDAP server group.
If the specified LDAP server is not found, configure it using the ldap-server host command and retry this command.
Step 4
switch(config-ldap)# authentication compare password-attribute TyuL8r
(Optional) Performs LDAP authentication using the bind or compare method. The default LDAP authentication method is the bind method (search first, then bind).
Step 5
switch(config-ldap)# enable user-server-group
(Optional) Enables group validation. The group name must be configured in the LDAP server. Users can log in through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.
Step 6
switch(config-ldap)# enable Cert-DN-match
(Optional) Enables users to log in only if the user profile lists the subject-DN of the user certificate as authorized for login.
Step 7
switch(config)# exit
switch#
Exits configuration mode.
Step 8
switch# show ldap-server groups
(Optional) Displays the LDAP server group configuration.
Step 9
switch# show run ldap
(Optional) Displays the LDAP configuration.
Step 10
switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
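As an added audit example (not from the guide, and not a Cisco tool), the script below reads the text of show run ldap and checks the two points this procedure raises: that every group member also has an ldap-server host definition (the prerequisite noted in Step 3), and whether the optional enable user-server-group and enable Cert-DN-match settings are present. The sample output, group names and addresses are constructed.

```python
import re

# Constructed sample of `show run ldap` output (not captured from a real switch).
SAMPLE_RUN_LDAP = """\
ldap-server host 10.10.2.2
ldap-server host 10.10.2.3 port 636 enable-ssl
aaa group server ldap LDAPServer1
  server 10.10.2.2
  server 10.10.2.4
  authentication compare password-attribute TyuL8r
  enable user-server-group
aaa group server ldap LDAPServer2
  server 10.10.2.3
  enable Cert-DN-match
"""


def parse_run_ldap(text):
    """Return (set of ldap-server hosts, {group: {'servers': [...], 'options': set()}})."""
    hosts, groups, current = set(), {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if m := re.match(r"ldap-server host (\S+)", stripped):
            hosts.add(m.group(1))          # global server definition
            current = None
        elif m := re.match(r"aaa group server ldap (\S+)", stripped):
            current = groups.setdefault(m.group(1), {"servers": [], "options": set()})
        elif current is None or not stripped:
            continue                       # not inside a group block
        elif m := re.match(r"server (\S+)", stripped):
            current["servers"].append(m.group(1))
        elif stripped.startswith("authentication compare"):
            current["options"].add("compare")
        elif stripped.startswith("enable "):
            current["options"].add(stripped.split(None, 1)[1])
    return hosts, groups


def audit_groups(text):
    """List members lacking an ldap-server host entry and groups missing the optional hardening."""
    hosts, groups = parse_run_ldap(text)
    findings = []
    for name, group in groups.items():
        for server in group["servers"]:
            if server not in hosts:
                findings.append(f"{name}: member {server} has no 'ldap-server host' definition")
        for opt in ("user-server-group", "Cert-DN-match"):
            if opt not in group["options"]:
                findings.append(f"{name}: 'enable {opt}' not set")
    return findings


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_RUN_LDAP):
        print(finding)
```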
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Configuring LDAP Server Groups