Guest

Cisco Application and Content Networking System (ACNS) Software

Configuring HTTP Request Authentication with CE Running ACNS 5.0.1 and Microsoft Active Directory

Cisco - Configuring HTTP Request Authentication with CE Running ACNS 5.0.1 and Microsoft Active Directory

Document ID: 42000

Updated: Sep 22, 2004

   Print

Introduction

This sample configuration shows you how to set up a Cisco Content Engine to perform an Active Directory Lightweight Directory Access Protocol (LDAP) database search to allow/restrict users to access web resources.

An Active Directory database is a user database of a Windows 2000 server. This database can be queried for authentication purposes by LDAP protocols. Typically, a Content Engine LDAP client queries an LDAP server's user database and obtains the user's credentials, such as user's account expiration, privileges, and groups to which the user belongs. In Cisco Application and Content Networking System (ACNS) 5.0 software, the Content Engine LDAP client is also allowed to authenticate and authorize a user configured in a remote Active Directory in a Windows 2000 server database.

To use Miscrosoft Active Directory as the LDAP server for authentication with Content Engine, there are some specific steps you must take. By default, Microsoft Active Directory does not allow anonymous LDAP queries. To make LDAP queries or browse the directory, an LDAP client must bind to the LDAP server using the Distinguished Name (DN) of an account that belongs to the Administrator group of the Windows system.

To set up Microsoft Active Directory as your LDAP server, you need to determine the full DN and password of an account in the Administrators group. For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows NT/2000 control panel and the DNS domain is sns.cisco.com, the resulting DN has the following structure: cn=<adminUsername>, cn=users, dc=sns, dc=cisco, dc=com

LDAP was invented to preserve the best qualities offered by X.500 while reducing the administrative costs. LDAP provides an open directory access protocol running over TCP/IP. It retains the X.500 data model and it is scalable to a global size and millions of entries for a modest investment in hardware and network infrastructure. The result is a global directory solution that is affordable enough to be used by small organizations, but which also can be scaled to support the largest of enterprises.

An LDAP-enabled Cache Engine / Content Engine authenticates users with an LDAP server. With an HTTP query, the Content Engine obtains a set of credentials from the user (user ID and password), and compares them against those in an LDAP server. When the Content Engine authenticates a user through the LDAP server, a record of that authentication is stored locally in the Content Engine RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups. The default is 480 minutes, the minimum is 30 minutes, and the maximum is 1440 minutes (24 hours). This is the time interval between the user's last Internet access and the removal of that user's entry from the authorization cache, forcing re-authentication with the LDAP server.

The Cache Engine supports LDAP authentication for both proxy mode and transparent (WCCP) mode access. In proxy mode, the Cache Engine uses the client's userid as a key for the authentication database, while in transparent mode, the Cache Engine uses the client's IP address as a key for the authentication database. The Cache Engine uses simple (nonencrypted) authentication to communicate with the LDAP server.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Content Engine 7325 running ACNS 5.0.1

  • Microsoft Windows 2000 Advance Server with Active Directory

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations

Cisco Content Engine 7325 (Cisco ACNS software release 5.0.1)
hostname V5CE7325
!
!
http authentication cache timeout 5
http proxy incoming 80 8080 
!
ip domain-name cisco.com
!
interface GigabitEthernet 1/0
 ip address 10.48.67.23 255.255.254.0
 exit
interface GigabitEthernet 2/0
 shutdown
 exit
!
!
ip default-gateway 10.48.66.1
!
primary-interface GigabitEthernet 1/0
!
!
no auto-register enable
!
!
multicast accept-license-agreement
!
!
ip name-server 10.48.66.123
 
username admin password 1 CfxnDoKDWrBds
username admin privilege 15
!
 
ldap server base "dc=sns,dc=cisco,dc=com"


!--- This is the base DN of the starting point for 
!--- the search in the LDAP database.

ldap server userid-attribute cn


!—-- Searching for the CN of the user.

ldap server host 10.48.66.217 primary


!--- The LDAP server's IP address number.

ldap server administrative-dn "cn=Administrator,cn=users,dc=sns,dc=cisco,dc=com"


!--- This is the DN of the admin user.

ldap server administrative-passwd ****


!--- This is the password for the admin-user.

ldap server version 3


!—-- Use LDAP version 3 for active directory.

ldap server active-directory-group enable


!—-- Allows users based on their group memberships.

ldap server enable
!
authentication login local enable primary
authentication configuration local enable primary
!
access-lists 300 permit groupname internet
access-lists 300 deny groupname any


!—-- Defines what user groups are allowed.

!
access-lists enable
!
!
cdm ip 10.48.67.25
cms enable
!
!
end

Verify

This section provides information you can use to confirm your configuration is working properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • show ldap—This command shows the details of the configuration. Sample command output is shown below.

            Allow mode:     disabled
            Base DN:        dc=sns,dc=cisco,dc=com
            Filter:         <none>
            Retransmits:    2
            Timeout:        5 seconds
            UID Attribute:  cn
            Group Attribute:         memberOf
            Administrative DN:       cn=Administrator,cn=users,dc=sns,dc=cisco,dc=com
            Administrative Password: ****
            LDAP version:   3
            LDAP port:      389
            Server            Status   
            ---------------   ---------
            10.48.66.217      primary
            <none>            secondary
  • show access-lists—This command shows the Access Control Lists (ACLs) that are enabled.

  • show http-authcache—This command displays authentication cache. Sample command output is shown below.

    V5CE7325#sh http-authcache 
    Apr 10 10:08:03 V5CE7325 -admin-shell: 
       %CE-PARSER-6-350232:CLI_LOG:sh http-authcache  
    AuthCache
    =====================
    hash   835 : uid: gdufour nBkt: (nil) nLRU: (nil) pLRU: (nil)
    lacc: 70 ipAddr: 144.254.9.45 keyType: UidPwd Based filterTp: 0 authUsed: 1
  • debug https header trace—This command allows you to view and troubleshoot the request received by the Content Engine.

  • debug authentication http-request—This command allows you to view and troubleshoot the authentication process. Sample command outputs are shown below.

    Successful authentication

    V5CE7325#Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_authenticate:2498 
       ***pam_ldap: Begin 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_authenticate:2502 
       *** pam_ldap: Got username gdufour 
    Apr 10 10:17:33 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:17:33 V5CE7325 http_authmod: _read_config:570 
       ***pam_ldap: Reading configuration 
    Apr 10 10:17:33 V5CE7325 http_authmod: ldap_server_validate:1928 
       ***pam_ldap: === Host[0] 10.48.66.217 ===
    Apr 10 10:17:33 V5CE7325 http_authmod: ldap_server_isalive:1851 
       ***pam_ldap: Connecting... 
    Apr 10 10:17:33 V5CE7325 http_authmod: ldap_server_isalive:1867 
       ***pam_ldap: Socket timeout 5 
    Apr 10 10:17:33 V5CE7325 http_authmod: ldap_server_isalive:1891 
       ***pam_ldap: Connected to 10.48.66.217
    Apr 10 10:17:33 V5CE7325 http_authmod: ldap_server_validate:1948 
       ***pam_ldap: ServerAlive [1] (up=1, down=0) 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_authenticate:2508 
       *** pam_ldap: Got session 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_authenticate:2519 
       *** pam_ldap: Do authentication 
    Apr 10 10:17:33 V5CE7325 http_authmod: _get_user_info:1672 
       *** pam_ldap: Begin user gdufour 
    Apr 10 10:17:33 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:17:33 V5CE7325 http_authmod: _connect_anonymously:1063 
       *** pam_ldap: Open session 
    Apr 10 10:17:33 V5CE7325 http_authmod: _open_session:927 
       *** pam_ldap: Begin
    Apr 10 10:17:33 V5CE7325 http_authmod: _connect_anonymously:1074 
       *** pam_ldap: Binding... 
    Apr 10 10:17:33 V5CE7325 http_authmod: _get_user_info:1676 
       *** pam_ldap: Connected anonymously 
    Apr 10 10:17:33 V5CE7325 http_authmod: _get_user_info:1699 
       *** pam_ldap: Filter (cn=gdufour) 
    Apr 10 10:17:33 V5CE7325 http_authmod: _get_user_info:1754 
       *** pam_ldap: 
       after ldap_get_dn userdn CN=gdufour,CN=Users,DC=sns,DC=cisco,DC=com 
    Apr 10 10:17:33 V5CE7325 http_authmod: _get_user_info:1765 
       *** pam_ldap: internet
    Apr 10 10:17:33 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:17:33 V5CE7325 http_authmod: _connect_anonymously:1074 
       *** pam_ldap: Binding... 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_authenticate:2522 
       *** pam_ldap: Done authentication SUCCESS 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_acct_mgmt:2967 
       *** pam_ldap: === Authorization Begin ===  
    Apr 10 10:17:33 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_acct_mgmt:3134 
       *** pam_ldap: === Groups ===  
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_acct_mgmt:3138 
       *** pam_ldap: sGroup internet
    Apr 10 10:17:33 V5CE7325 http_authmod: pam_sm_acct_mgmt:3182 
       *** pam_ldap: === After Groups === 

    Failed request when the user is not a member of Internet group

    V5CE7325#Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2498 
       ***pam_ldap: Begin 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2502 
       *** pam_ldap: Got username Jeevan 
    Apr 10 10:23:35 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:23:35 V5CE7325 http_authmod: _read_config:570 
       ***pam_ldap: Reading configuration 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_validate:1928 
       ***pam_ldap: === Host[0] 10.48.66.217 ===
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1851 
       ***pam_ldap: Connecting... 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1867 
       ***pam_ldap: Socket timeout 5 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1891 
       ***pam_ldap: Connected to 10.48.66.217
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_validate:1948 
       ***pam_ldap: ServerAlive [1] (up=1, down=0) 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2508 
       *** pam_ldap: Got session 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2519 
       *** pam_ldap: Do authentication 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1672 
       *** pam_ldap: Begin user Jeevan 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1063 
       *** pam_ldap: Open session 
    Apr 10 10:23:35 V5CE7325 http_authmod: _open_session:927 
       *** pam_ldap: Begin
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1074 
       *** pam_ldap: Binding... 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1676 
       *** pam_ldap: Connected anonymously 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1699 
       *** pam_ldap: Filter (cn=Jeevan) 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1754 
       *** pam_ldap: 
       after ldap_get_dn userdn CN=Jeevan,CN=Users,DC=sns,DC=cisco,DC=com 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_group_string:1467 
       *** pam_ldap: There is no attribute memberOf
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1765 
       *** pam_ldap: 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1074 
       *** pam_ldap: Binding... 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2522 
       *** pam_ldap: Done authentication SUCCESS 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_acct_mgmt:2967 
       *** pam_ldap: === Authorization Begin ===  
    Apr 10 10:23:35 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_acct_mgmt:3134 
       *** pam_ldap: === Groups ===  
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_acct_mgmt:3138 
       *** pam_ldap: sGroup 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_acct_mgmt:3182 
       *** pam_ldap: === After Groups ===  
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2498 
       ***pam_ldap: Begin 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2502 
       *** pam_ldap: Got username Jeevan 
    Apr 10 10:23:35 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:23:35 V5CE7325 http_authmod: _read_config:570 
       ***pam_ldap: Reading configuration 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_validate:1928 
       ***pam_ldap: === Host[0] 10.48.66.217 ===
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1851 
       ***pam_ldap: Connecting... 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1867 
       ***pam_ldap: Socket timeout 5 
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_isalive:1891 
       ***pam_ldap: Connected to 10.48.66.217
    Apr 10 10:23:35 V5CE7325 http_authmod: ldap_server_validate:1948 
       ***pam_ldap: ServerAlive [1] (up=1, down=0) 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2508 
       *** pam_ldap: Got session 
    Apr 10 10:23:35 V5CE7325 http_authmod: pam_sm_authenticate:2519 
       *** pam_ldap: Do authentication 
    Apr 10 10:23:35 V5CE7325 http_authmod: _get_user_info:1672 
       *** pam_ldap: Begin user Jeevan 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:23:35 V5CE7325 http_authmod: _connect_anonymously:1063

    Failed request when the user does not exist in the LDAP database

    V5CE7325#Apr 10 10:26:31 V5CE7325 http_authmod: pam_sm_authenticate:2498 
       ***pam_ldap: Begin 
    Apr 10 10:26:31 V5CE7325 http_authmod: pam_sm_authenticate:2502 
       *** pam_ldap: Got username Patrick 
    Apr 10 10:26:31 V5CE7325 http_authmod: _pam_ldap_get_session:1977 
       *** pam_ldap: Begin 
    Apr 10 10:26:31 V5CE7325 http_authmod: _read_config:570 
       ***pam_ldap: Reading configuration 
    Apr 10 10:26:31 V5CE7325 http_authmod: ldap_server_validate:1928 
       ***pam_ldap: === Host[0] 10.48.66.217 ===
    Apr 10 10:26:31 V5CE7325 http_authmod: ldap_server_isalive:1851 
       ***pam_ldap: Connecting... 
    Apr 10 10:26:31 V5CE7325 http_authmod: ldap_server_isalive:1867 
       ***pam_ldap: Socket timeout 5 
    Apr 10 10:26:31 V5CE7325 http_authmod: ldap_server_isalive:1891 
       ***pam_ldap: Connected to 10.48.66.217
    Apr 10 10:26:31 V5CE7325 http_authmod: ldap_server_validate:1948 
       ***pam_ldap: ServerAlive [1] (up=1, down=0) 
    Apr 10 10:26:31 V5CE7325 http_authmod: pam_sm_authenticate:2508 
       *** pam_ldap: Got session 
    Apr 10 10:26:31 V5CE7325 http_authmod: pam_sm_authenticate:2519 
       *** pam_ldap: Do authentication 
    Apr 10 10:26:31 V5CE7325 http_authmod: _get_user_info:1672 
       *** pam_ldap: Begin user Patrick 
    Apr 10 10:26:31 V5CE7325 http_authmod: _connect_anonymously:1059 
       *** pam_ldap: Host 10.48.66.217 
    Apr 10 10:26:31 V5CE7325 http_authmod: _connect_anonymously:1063 
       *** pam_ldap: Open session 
    Apr 10 10:26:31 V5CE7325 http_authmod: _open_session:927 
       *** pam_ldap: Begin
    Apr 10 10:26:31 V5CE7325 http_authmod: _connect_anonymously:1074 
       *** pam_ldap: Binding... 
    Apr 10 10:26:31 V5CE7325 http_authmod: _get_user_info:1676 
       *** pam_ldap: Connected anonymously 
    Apr 10 10:26:31 V5CE7325 http_authmod: _get_user_info:1699 
       *** pam_ldap: Filter (cn=Patrick) 
    Apr 10 10:26:31 V5CE7325 http_authmod: pam_sm_authenticate:2522 
       *** pam_ldap: Done authentication FAILURE

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Sep 22, 2004
Document ID: 42000