Cisco Secure ACS 5.x and Apple OSX Directory (LDAP)

For testing and development purposes I run a Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.

To get things going I needed to connect the ACS to my LDAP directory. The Apple Directory Service is a bit different from the regular LDAP implementations: Apple adds an 'apple' reference to a lot of attribute values and object classes. Thankfully the ACS has a very versatile configuration interface.

Apple references in attribute values

Normally, the group object class would be 'group' instead of 'apple-group'. The configuration of the ACS has to reflect these deviations from the standard.

The following screenshots show the LDAP connector for an Apple Directory Service.

The first screenshot shows the initial configuration of the LDAP connection. This is pretty straightforward. I use a secure connection, and I recommend you do the same, so that the information exchanged between the ACS and the LDAP server is always encrypted. For testing purposes this is usually left out.

Initial Connection Settings

Next comes the 'different' part. The default values of the 'Group Objectclass' and 'Group Map Attribute' differ from what is displayed in the screenshot. The information needed for a correct Apple Directory connection is:

Group Objectclass: apple-group
Group Map Attribute: memberUid

The other difference is that the 'Subjects In Groups Are Stored In Member Attribute As:' should be changed to 'username' instead of 'distinguished name'.
The Subject (and Group) Search Base are, again, straightforward (basic LDAP functionality).
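Why the two group settings above matter becomes clear when you simulate the lookup the RADIUS server performs. The following is an added example (not part of the original post and not ACS code): it parses a constructed LDIF excerpt of an Apple Open Directory tree (the DNs under dc=example,dc=lan and the user names are placeholders) and resolves a user's groups the way the ACS does, using the 'Group Objectclass', 'Group Map Attribute' and 'Subjects In Groups Are Stored In Member Attribute As' settings as parameters. Searching the memberUid values for a distinguished name, or for objectClass 'group', returns no groups at all, which is exactly the silent failure you see when a policy that depends on a directory group never matches.

```python
"""Simulate how a RADIUS/TACACS server resolves a user's directory groups
against Apple Open Directory (LDAP).  Added example, not from the original
post; the LDIF below is constructed and all DNs are placeholders."""

from typing import Dict, List, Optional

# Constructed LDIF excerpt: two apple-group entries and one user, in the
# shape ldapsearch would print them.  Note that members are stored as short
# user names in memberUid, not as distinguished names.
SAMPLE_LDIF = """\
dn: cn=netadmins,cn=groups,dc=example,dc=lan
objectClass: apple-group
objectClass: posixGroup
cn: netadmins
gidNumber: 1025
memberUid: alice
memberUid: bob

dn: cn=wifi-users,cn=groups,dc=example,dc=lan
objectClass: apple-group
objectClass: posixGroup
cn: wifi-users
gidNumber: 1026
memberUid: alice
memberUid: carol

dn: uid=alice,cn=users,dc=example,dc=lan
objectClass: apple-user
objectClass: posixAccount
uid: alice
uidNumber: 1001
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse a minimal LDIF (no base64 values, no continuation lines) into a
    list of entries; each entry maps an attribute name to its list of values.
    Entries are separated by blank lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:                            # last entry without trailing blank
        entries.append(current)
    return entries


def groups_for_subject(entries: List[Dict[str, List[str]]], subject: str, *,
                       group_objectclass: str = "apple-group",
                       group_map_attribute: str = "memberUid") -> List[str]:
    """Return the cn of every group whose group_map_attribute contains
    `subject`.  `subject` is either the user name or the user DN, depending on
    how the server is told members are stored (the ACS 'Subjects In Groups Are
    Stored In Member Attribute As' setting)."""
    matches: List[str] = []
    for entry in entries:
        if group_objectclass not in entry.get("objectClass", []):
            continue                       # not a group under this configuration
        if subject in entry.get(group_map_attribute, []):
            matches.extend(entry.get("cn", []))
    return sorted(matches)


def user_dn(entries: List[Dict[str, List[str]]], username: str) -> Optional[str]:
    """Return the DN of the entry whose uid equals `username`, or None."""
    for entry in entries:
        if username in entry.get("uid", []):
            return entry["dn"][0]
    return None


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    # Correct Apple settings: apple-group / memberUid / username.
    print("username lookup:", groups_for_subject(tree, "alice"))
    # Member attribute set to 'distinguished name': nothing matches.
    print("DN lookup:      ", groups_for_subject(tree, user_dn(tree, "alice")))
    # Default objectclass 'group': Apple groups are not found at all.
    print("objectclass=group:", groups_for_subject(tree, "alice",
                                                   group_objectclass="group"))
```

The same check can be run against the real directory before touching the ACS: an ldapsearch over the Group Search Base with the filter `(objectClass=apple-group)` should list the groups with their memberUid values as short user names, which is what the 'Test configuration' pop-up later confirms from the ACS side.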

Setting of the User and Group attributes and the search DNs

Hitting the 'Test configuration' button should display a pop-up showing at least some users and groups that were found in the LDAP directory.

Finally, you can select Directory groups that can be used in the RADIUS (or TACACS) policies on the ACS.

Selection of Directory Groups in your ACS policies

Now, everything is ready to start experimenting with RADIUS (and/or TACACS).

Posted on March 1, 2011 and filed under Apple, Security, Software, Tips'n Tricks.