Configuring Security Features on an External AAA Server
Note
As an alternative to the bind method, you can establish LDAP authentication using the compare method,
which compares the attribute values of a user entry at the server. For example, the user password attribute can
be compared for authentication. The default password attribute type is userPassword.
Guidelines and Limitations for LDAP
LDAP has the following guidelines and limitations:
• You can configure a maximum of 64 LDAP servers on the Cisco NX-OS device.
• Cisco NX-OS supports only LDAP version 3.
• Cisco NX-OS supports only these LDAP servers:
  • OpenLDAP
  • Microsoft Active Directory
• LDAP over Secure Sockets Layer (SSL) supports only SSL version 3 and Transport Layer Security (TLS) version 1.
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
• A Cisco MDS switch will assign a local role to remote users when LDAP uses the remote authentication protocol, if all the following conditions are met:
  • The remote username on the LDAP server has the same name as the local user on the Cisco MDS switch. (For example, "test" is the username on the AD server and "test" is the username created on the local Cisco MDS switch.)
  • The LDAP server is configured as AAA authentication on the Cisco MDS switch.
  • The role assigned for the local user and the remote user is different.
  Consider the following example where the LDAP server has the username "test" which is a member of the AD group "testgroup". The Cisco MDS switch has a role configured with the name "testgroup" which has certain permit rules assigned to it. This role is created in the Cisco MDS switch for remote users who log into the switch using LDAP. The Cisco MDS switch also has a local username "test" and it has "network-admin" as the assigned role. The Cisco MDS switch is configured for AAA authentication and uses LDAP as an authentication protocol. In this scenario, if a user logs into the Cisco MDS switch using the username "test", the switch authenticates the user using LDAP authentication (it uses the password of the user "test" created on the AD server). But it assigns the role "network-admin", which is assigned to the local user "test", and not the "testgroup" role that is assigned to the remote authenticated user.
Prerequisites for LDAP
LDAP has the following prerequisites:
• Obtain the IPv4 or IPv6 addresses or hostnames for the LDAP servers.
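The role-precedence rule above is easy to get wrong in practice, because a stale local account silently overrides whatever the directory says. The following Python script is an added example (not Cisco code and not taken from the guide) that models the rule with the guide's own "test" / "testgroup" / "network-admin" scenario and then audits a switch configuration for name collisions that meet all three conditions. The switch configuration and LDAP directory contents are constructed inline; the assumption that an LDAP group maps to the switch role of the same name is taken from the guide's example and is not a general NX-OS mapping rule.

```python
"""Model of the Cisco MDS/NX-OS LDAP role-precedence rule.

Constructed example data, not a real switch or directory. The script
reproduces the guide's scenario (local user "test" with role network-admin
shadowing the LDAP user "test" in group "testgroup") and then audits for
every username where that shadowing occurs.
"""
from dataclasses import dataclass, field


@dataclass
class SwitchConfig:
    """Relevant pieces of an MDS switch configuration (constructed)."""
    local_users: dict = field(default_factory=dict)  # username -> local role
    roles: set = field(default_factory=set)          # roles defined on the switch
    ldap_is_aaa_authentication: bool = True          # 'aaa authentication login default group <ldap>'


@dataclass
class LdapDirectory:
    """Minimal view of the LDAP server: username -> set of group names."""
    users: dict = field(default_factory=dict)


def remote_role(username, switch, directory):
    """Role the switch would derive from the directory alone.

    Assumption (from the guide's example): a switch role named after one of
    the user's LDAP groups is applied to remote users in that group.
    """
    for group in sorted(directory.users.get(username, ())):
        if group in switch.roles:
            return group
    return None


def effective_role(username, switch, directory):
    """Return (role, reason) for a user who authenticates through LDAP.

    Follows the guideline: a local account with the same name wins over the
    role configured on the AAA server.
    """
    if not switch.ldap_is_aaa_authentication:
        return None, "LDAP is not configured as AAA authentication"
    if username not in directory.users:
        return None, "user not found on LDAP server"
    if username in switch.local_users:
        return switch.local_users[username], "local user account shadows the remote account"
    role = remote_role(username, switch, directory)
    if role is None:
        return None, "no switch role matches the user's LDAP groups"
    return role, "role derived from LDAP group membership"


def find_shadowed_accounts(switch, directory):
    """Audit: usernames present both locally and on the LDAP server whose
    local role differs from the remote role (the three guideline conditions).

    Returns a sorted list of (username, local_role, remote_role).
    """
    findings = []
    if not switch.ldap_is_aaa_authentication:
        return findings
    for username, local_role in switch.local_users.items():
        if username not in directory.users:
            continue
        rrole = remote_role(username, switch, directory)
        if rrole != local_role:
            findings.append((username, local_role, rrole))
    return sorted(findings)


# Constructed scenario matching the guide's worked example.
SWITCH = SwitchConfig(
    local_users={"test": "network-admin", "admin": "network-admin", "ops": "testgroup"},
    roles={"network-admin", "network-operator", "testgroup"},
)
DIRECTORY = LdapDirectory(
    users={"test": {"testgroup"}, "ops": {"testgroup"}, "alice": {"testgroup"}},
)

if __name__ == "__main__":
    print(effective_role("test", SWITCH, DIRECTORY))
    print(effective_role("alice", SWITCH, DIRECTORY))
    for user, local, remote in find_shadowed_accounts(SWITCH, DIRECTORY):
        print(f"{user}: local role {local!r} overrides LDAP-derived role {remote!r}")
```

Running the script shows that "test" receives network-admin from the local account even though the directory places the user in "testgroup", while "alice" (no local account) receives the "testgroup" role; the audit lists only "test", since "ops" has the same role locally and remotely and so does not meet the third condition. The audit function is the useful part for a defender: run it against an exported list of local accounts and directory users before enabling LDAP as the AAA method, and remove or re-role any local account that would shadow a remote user.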
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x