Cisco ScanSafe Wi-Fi Hotspot Security White Paper
Cisco CWS – ASA 5500 Deployment Guide
These four sections consist of two aaa-server groups to configure (one for the domain controllers and another for the Context Directory Agent, or CDA), a group of user-identity configurations, and additional user-identity monitor configurations for group discovery.
The first aaa-server group is used for group lookups. It defines the domain controller, where LDAP queries begin, whether or not to “walk the tree”, the type of directory, the port on which LDAP queries are performed, the distinguished name of the service account, and the service account password.
Figure 2.14
The second aaa-server group is for the CDA, allowing the ASA to receive username-to-IP mapping updates from it. The CDA host and shared secret are defined here; if more than one CDA is used in the environment, the one defined here is the primary CDA.
Figure 2.15
Next is a group of user-identity configurations that define how username-to-IP mappings and groups are handled on the ASA. When no domain is explicitly specified for users or groups, the default domain is used. The inactive user timeout defines when a username-to-IP address mapping is no longer cached and requires an update from the CDA.
Figure 2.16
NetBIOS response fail defines the action to take when a client does not respond to a NetBIOS probe.
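The three configuration pieces described above, written out as ASA CLI. This is an added illustration, not a figure from the guide: the group names (AD-LDAP, CDA), addresses, domain EXAMPLE, service account, monitored group and timer values are placeholders to replace with your own, and the command syntax is the ASA identity-firewall CLI.

```cisco
! --- First aaa-server group: LDAP group lookups against the domain controller ---
! Placeholder values: AD-LDAP, 10.0.0.10, dc=example,dc=com, svc-asa
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 389
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <service-account-password>
 server-type microsoft
! ldap-scope subtree = "walk the tree"; use onelevel to search only the base DN
!
! --- Second aaa-server group: the CDA that pushes username-to-IP mappings ---
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 10.0.0.20
 key <shared-secret>
 user-identity
! If several CDAs exist, the host defined here is the primary one
!
! --- User-identity configuration ---
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA
user-identity inactive-user-timer minutes 60
user-identity action netbios-response-fail remove-user-ip
! Group discovery: monitor the group(s) referenced by CWS policy (placeholder name)
user-identity monitor EXAMPLE\CWS-Users
user-identity enable
```

Keep the LDAP service account read-only and scoped to the smallest base DN that covers the users and groups you need, since its password sits in the ASA configuration.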