Cisco NAC Appliance (Clean Access)

NAC: Configure the LDAP Over SSL on the Clean Access Manager (CAM)

Document ID: 107322

Updated: Jun 02, 2008



This document describes how to configure the Lightweight Directory Access Protocol (LDAP) over SSL on the Clean Access Manager (CAM).



This configuration is applicable to the CAM version 3.5 and later.

Components Used

The information in this document is based on the Clean Access Manager version 4.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.


In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Steps to Configure LDAP over SSL on CAM

Complete these steps:

  1. Obtain the root certificate of the untrusted CA which has issued the certificate to the Domain Controller and place it on your desktop.

    1. Choose Administrator > CAM > SSL certificate, and then browse and upload the Root CA certificate as Trust Non-Standard CA .


    2. Click Verify and install the Root CA certificate.

  2. Configure the LDAP server on the CAM.

    1. Choose User Management > Auth Servers and choose New.

    2. Choose LDAP as the Authentication type.

    3. Choose ldaps://ip.address:636 as the Server URL.

    4. Choose SSL as the Security Type.

    5. Choose Handle (Follow)! as the Referral. This option is set for the Partition Domain Environment, for example, Root and Child Domains.

    6. Admin privilege user and password is required to successfully bind the CAM (ldap client) to the LDAP server.


  3. Obtain the certificate on the Domain Controller (DC).

    When you request a certificate for DC, make sure to put the CN as Active Directory fully qualified domain name. LDAPS certificate is located in the personal certificate store of the local computer. Refer to How to enable LDAP over SSL with a third-party certification authority for more information.

  4. Configure the Domain Controller for SSL.

    1. On your DC, choose Start > All Programs > Administrative Tools > Active Directory Users and Computer.

    2. In the Active Directory Users and Computers window, right-click on your domain name and choose Properties.

    3. In the Domain Properties dialog box, choose the Group Policy tab.

    4. Choose the Default Domain Policy group policy and then click Edit.

    5. Choose Computer Configuration > Windows Settings.

    6. Choose Security Settings and then choose Public Key Policies.

    7. Choose Automatic Certificate Request Settings.

    8. Use the wizard in order to add a policy for Domain Controllers as in this example:


  5. Verify the Domain Controller for LDAP over SSL.

    On your DC, choose Start > Run and type ldp.exe. From the Connection Menu, click Connect and fill in the values for the server and port. This verifies that the LDAP over SSL is configured correctly on DC.


  6. Choose User Management > Auth Servers > AUTH Test tab in order to verify the CAM LDAPS configuration.



There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Jun 02, 2008
Document ID: 107322