Ldap Failover - Cisco 2509 - Router - EN User Manual

Generic LDAP

LDAP Failover

User Guide for Cisco Secure ACS for Windows Server
11-20
each for prefixed and suffixed domain qualifiers. To support more than one
type of domain-qualifier delimiting character, you can create more than one
LDAP configuration in Cisco Secure ACS.
Allowing usernames of any domain but stripping domain qualifiers is useful
when the LDAP server stores usernames in a non-domain qualified format but
the AAA client or end-user client submits the username to Cisco Secure ACS
in a domain-qualified format.
Note With this option, Cisco Secure ACS submits usernames that are
non-domain qualified, too. Usernames are not required to be domain
qualified to be submitted to an LDAP server.
Cisco Secure ACS supports failover between a primary server and secondary
LDAP server. In the context of LDAP authentication with Cisco Secure ACS,
failover applies when an authentication request fails because Cisco Secure ACS
could not connect to an LDAP server, such as when the server is down or is
otherwise unreachable by Cisco Secure ACS. To use this feature, you must define
the primary and secondary LDAP servers on the LDAP Database Configuration
page. Also, you must select the On Timeout Use Secondary check box. For more
information about configuring an LDAP external user database, see
a Generic LDAP External User Database, page
If the On Timeout Use Secondary check box is selected, and if the first LDAP
server that Cisco Secure ACS attempts to contact cannot be reached,
Cisco Secure ACS always attempts to contact the other LDAP server. The first
server Cisco Secure ACS attempts to contact may not always be the primary
LDAP server. Instead, the first LDAP server that Cisco Secure ACS attempts to
contact depends on the previous LDAP authentication attempt and on the value
specified in the Failback Retry Delay box.
Chapter 11 Working with User Databases
11-28.
78-14696-01, Version 3.1
Configuring