The Blue Cedar Connect Gateway can authenticate users using an LDAP or LDAPS server. For a full description of available configuration attributes, see your LDAP documentation.
To configure an LDAP server for the gateway to authenticate its users:
- Set the auth-provider type as ldap.
- Set the name and URL of the ldap or server.
- Set the search base (base-dn).
- Set the account and password to authenticate (bind) to the LDAP directory.
% set aaa auth-provider ldap name_of_server server-url url
You can specify other LDAP attributes, too.
|ldap name_of_server||Required. Text string identifying the LDAP server|
Required. URL for the LDAP server. The protocol can be either ldap or ldaps (SSL-secured LDAP).
If the url starts with ldaps, the Gateway tries to validate the LDAP server identity certificate. This identity certificate must be signed by a trusted certificate, and the trusted certificate must be configured on the gateway. See Configuring AAA Public Key Infrastructure for information about configuring the trusted certificate.
For LDAPS, the URL must match the CN or SAN in the server identity certificate for proper verification.
LDAP server type. Values:
Use with server-url to specify URLs for backup LDAP servers when the primary server-url is unreachable. For example:
Required. The distinguished name (dn) used as the base for the search. This is a comma-delimited list of subject attributes. (dc == domain component).
Required. The distinguished name used to bind to the LDAP directory. This is typically the username/credential corresponding to the service.
|bind-password string||Required. Password for the bind-dn account.|
If using LDAPS (LDAP over SSL):
LDAP attribute to retrieve email address for LDAP authentication.
Default: mail, which should be suitable for most deployments.
Required to use enroll-pin with LDAP authentication, otherwise optional.
|upn-attr||Optional. LDAP attribute to retrieve User Principal Name (UPN). Can be used to include custom LDAP attributes in certificate enrollment request templates and post-authentication policy rules.|
Add a custom named attribute to established tunnel sessions. Possible values:
After naming the attribute, specify whether it's basic or substitution, and then specify the value.
When enabled, save debug logs to a file.
To show the log, use the file show command in operational mode:
Setting a custom local group for LDAP
This example shows how to:
- Extract the "customGroup" LDAP attribute as the local group to use for authorization.
- Allow users with a customGroup of "admins" administrative access to the gateway.
- Allow users with a customGroup of "engineers" to connect with jailbroken devices.
- Disallow anyone not in either group from having administrative access or connecting with a jailbroken device.
% set aaa auth-provider ldap myldap custom-attr AUTH_PROVIDER_GROUP basic value customGroup % set aaa auth-provider local group admins administrator true jailbreak-permitted false % set aaa auth-provider local group engineers administrator false jailbreak-permitted true % set aaa auth-provider local group default administrator false jailbreak-permitted false