18-38
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 18      Administering the Cisco Application Networking Manager
Using an AAA Server for Remote User Authentication and Authorization

Using an AAA Server for Remote User Authentication and Authorization

ANM allows you to centrally control user authentication and authorization. User authentication, which manages access to ANM, can be performed locally using a database that resides in ANM or remotely using a database that resides on an AAA server, such as an Active Directory (AD) server using LDAPS, RADIUS, or TACACS+. In ANM, you can configure authentication for your users by specifying which AAA servers are used for specific users. You configure authentication through organizations. An organization allows you to configure your AAA server lookup for your users and then associate specific users, roles, and domains with those organizations.

User authorization, which manages access to different ANM functionality, can also be performed locally using a database that resides in ANM or remotely using a database that resides on a TACACS+ server. ANM supports the use of a TACACS+ server only for remote authorization.

The information provided in this section is intended as a guide to help you ensure proper communication with the AAA server and ANM operating as the AAA client. For details about configuring the Cisco Secure ACS, Active Directory, or another AAA server, see the documentation that is provided with the software.

This section includes the following topics:

• Information About Using AD/LDAPS for Remote User Authentication, page 18-38
• Configuring Remote User Authentication Using a TACACS+ Server, page 18-39
• Configuring Remote User Authorization Using a TACACS+ Server, page 18-45

Information About Using AD/LDAPS for Remote User Authentication

This section describes how ANM uses AD/LDAPS for remote user authentication. ANM performs the following steps to authenticate and authorize a user when configured to use AD/LDAPS for user authentication:

1. ANM verifies that the user organization exists locally in the ANM database. ANM makes this determination based on the part of the user login name that follows the @ character.
2. ANM uses the configured AD server to authenticate the user.
3. ANM authorizes the user locally. ANM verifies that the user's name is associated with one of the defined roles in the Roles table (Admin > Role-Based Access Control > Organization > Roles).

After ANM completes these three steps, the user is permitted access according to their account settings in the Roles table and Domains table (Admin > Role-Based Access Control > Organization > Domains).

If any of the authentication and authorization checks fail, ANM logs the error in the audit log (Admin > ANM Management > ANM Change Audit Log). One of the following error messages displays, depending on when the failure occurs:

• If Step 1 fails, the message is as follows:
  User authentication failed: Organization <org_name> does not exist.
• If Step 2 fails, the message is as follows:
  User authentication failed: ..., reason=User password check failed - error code XXX - <error_description>.
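The three-step flow above, modelled as an added example that is not Cisco's code: the organization suffix is checked against a local table before any directory call, the AD/LDAPS bind is stood in for by a constructed in-memory directory with placeholder error codes, and the role lookup is local and per organization. The table contents, the ad_authenticate stand-in, and the Step 3 message wording are assumptions.

```python
"""Added example (not Cisco's code): the ANM AD/LDAPS login flow over constructed tables."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-ins for the ANM organization, Roles and Domains tables.
ORGANIZATIONS = {"corp"}
ROLES = {"corp": {"alice": "Network-Admin"}}     # Roles table, keyed by organization
DOMAINS = {"corp": {"alice": ["dc1-aces"]}}      # Domains table, keyed by organization
# Constructed stand-in for the AD/LDAPS server (user -> password).
AD_DIRECTORY = {"alice": "S3cret!", "carol": "Pa55"}


@dataclass
class LoginResult:
    ok: bool
    role: Optional[str] = None
    domains: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)   # what ANM would write to the audit log


def ad_authenticate(user: str, password: str) -> Tuple[bool, int, str]:
    """Stand-in for the AD bind. Codes 32/49 are constructed placeholders, not real AD codes."""
    if user not in AD_DIRECTORY:
        return False, 32, "no such user"
    if AD_DIRECTORY[user] != password:
        return False, 49, "invalid credentials"
    return True, 0, ""


def login(login_name: str, password: str) -> LoginResult:
    result = LoginResult(ok=False)
    # Step 1: the organization is the part of the login name after '@'; checked locally first.
    user, sep, org = login_name.partition("@")
    if not sep or org not in ORGANIZATIONS:
        result.audit.append(f"User authentication failed: Organization {org or '<none>'} does not exist.")
        return result
    # Step 2: only now is the configured AD server asked to authenticate the user.
    ok, code, desc = ad_authenticate(user, password)
    if not ok:
        result.audit.append(
            f"User authentication failed: reason=User password check failed - error code {code} - {desc}")
        return result
    # Step 3: authorization is local, against the Roles table of that organization.
    role = ROLES.get(org, {}).get(user)
    if role is None:
        # Hypothetical wording: the page does not show the Step 3 message.
        result.audit.append(f"User authorization failed: {login_name} has no role in organization {org}.")
        return result
    return LoginResult(ok=True, role=role, domains=DOMAINS.get(org, {}).get(user, []))
```

Note that a valid AD credential alone is not enough: carol@corp authenticates at Step 2 but is refused at Step 3 because no role is defined for her.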