Configuring Mutual Authentication for LDAP

Before you begin

Obtain the LDAP client certificate together with its private key (as a PKCS#12 file) and the CA certificate that issued the LDAP server's certificate, and place them on a server the device can reach.

At least one LDAP server must be configured on the device using the ldap-server host command.

About this task

Mutual authentication means the SLX device verifies the LDAP server's certificate against the imported LDAP CA certificate, and the LDAP server in turn verifies the client certificate the device presents. To configure it, do the following:

Procedure

  1. Import the LDAP client certificate and its private key from a PKCS#12 file. Use the following command.
    crypto ca import-pkcs type pkcs12 cert-type ldap-client protocol FTP directory /mydir-name
         file /myfile-name source-ip 10.11.12.13 user user-name password password
     The PKCS#12 file contains the client's private key and FTP transfers it in cleartext, so run the import only over a trusted management network and delete the file from the FTP server once the import has succeeded.
  2. Import the CA certificate that signed the LDAP server's certificate.
    crypto import ldapca directory /mydir-name file /myfile-name host 10.11.12.13 user user-name password password
  3. Configure the LDAP server. From global configuration mode, add the server and set its port. The following configures an LDAP server at 10.11.12.13, reached through mgmt-vrf, on port 636 (the LDAPS port).
    SLX(config)# ldap-server host 10.11.12.13 use-vrf mgmt-vrf
    SLX(config)# port 636
  4. Enable LDAPS (LDAP over TLS) for the connection on port 636.
    SLX(config)# ldaps
  5. Configure AAA login authentication globally to use LDAP. With local-auth-fallback, the local user database is consulted only when the LDAP server cannot be reached, not when it rejects the credentials.
    SLX(config)# aaa authentication login ldap local-auth-fallback

Example

The following example shows the complete configuration of an LDAP server for mutual authentication. The last three commands set accounting and command authorization to none; they belong to this example's AAA profile and are not required for mutual authentication.

SLX # configure terminal
SLX(config)# 
SLX(config)# ldap-server host 10.11.12.13 use-vrf mgmt-vrf
SLX(config)# port 636
SLX(config)# ldaps
SLX(config)# basedn myfedcert.local
SLX(config)# aaa authentication login ldap local-auth-fallback
SLX(config)# aaa accounting exec default start-stop none
SLX(config)# aaa accounting commands default start-stop none
SLX(config)# aaa authorization command none
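Before the certificates from steps 1 and 2 are copied to the device, it is worth checking on a workstation that the client bundle, the CA file and the LDAP server agree with each other, since a mismatch only shows up later as a failed login. The following script is an added example and is not part of the SLX-OS documentation or Extreme Networks code. It builds a throwaway lab PKI with the openssl command-line tool, exports the kind of PKCS#12 bundle that crypto ca import-pkcs consumes, verifies that both leaf certificates chain to the CA that crypto import ldapca would install, and then rehearses the LDAPS mutual-TLS handshake: a TLS server that requires a client certificate, connected to once with the client identity and once without. The CA and host names, the port 36360 and the bundle password are constructed for the lab.

```shell
#!/bin/sh
# Added example, not SLX-OS documentation or Extreme Networks code.
# Builds a throwaway lab PKI, exports the PKCS#12 bundle that step 1 imports
# (cert-type ldap-client), checks that both leaves chain to the CA that step 2
# imports (ldapca), and rehearses the LDAPS mutual-TLS handshake the device will
# perform. Requires the openssl CLI; names, password and port are constructed.
PROBE_PORT=36360

# make_lab_pki DIR: self-signed CA plus CA-issued server and client key pairs.
make_lab_pki() {
    pki=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab LDAP CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.pem" 2>/dev/null
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-ldap-$role" \
            -keyout "$pki/$role.key" -out "$pki/$role.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$pki/$role.csr" -CA "$pki/ca.pem" \
            -CAkey "$pki/ca.key" -CAcreateserial -out "$pki/$role.pem" 2>/dev/null
    done
}

# verify_chain DIR: both leaves must validate against ca.pem, the file the
# device trusts after "crypto import ldapca". Non-zero if either does not.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" "$1/client.pem" >/dev/null
}

# export_client_p12 DIR PASS: bundle client cert + private key + CA as PKCS#12,
# then read it back and print the subject so the bundle is checked before
# transfer. The .p12 holds the private key: move it over SCP/SFTP rather than
# FTP and remove it once imported. OpenSSL 3 writes AES/PBKDF2 bundles;
# importers that only understand the older RC2/3DES encoding need -legacy.
export_client_p12() {
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
        -certfile "$1/ca.pem" -passout "pass:$2" -out "$1/client.p12"
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

# mtls_probe DIR with-cert|no-cert: start a TLS server that REQUIRES a client
# certificate (-Verify), as an LDAP server set up for mutual authentication
# does, and connect with or without the client identity. Returns 0 only if the
# handshake completes. TLS 1.2 is forced so that a missing client certificate
# fails the handshake itself rather than arriving as an alert afterwards.
mtls_probe() {
    pki=$1
    openssl s_server -accept "$PROBE_PORT" -cert "$pki/server.pem" -key "$pki/server.key" \
        -CAfile "$pki/ca.pem" -Verify 2 -naccept 1 -quiet </dev/null >/dev/null 2>&1 &
    srv=$!
    sleep 1
    client_id=""
    if [ "$2" = with-cert ]; then
        client_id="-cert $pki/client.pem -key $pki/client.key"
    fi
    rc=0
    # shellcheck disable=SC2086  # client_id is intentionally word-split
    openssl s_client -connect "127.0.0.1:$PROBE_PORT" -tls1_2 -CAfile "$pki/ca.pem" \
        -verify_return_error $client_id </dev/null >/dev/null 2>&1 || rc=$?
    wait "$srv" 2>/dev/null || true
    return "$rc"
}

main() {
    work=$(mktemp -d)
    make_lab_pki "$work"
    verify_chain "$work" && echo "chain ok: server and client certs issued by the lab CA"
    echo "client.p12 contains: $(export_client_p12 "$work" lab-p12-pass)"
    if mtls_probe "$work" with-cert; then echo "handshake with client cert: accepted"; fi
    if ! mtls_probe "$work" no-cert; then echo "handshake without client cert: rejected"; fi
    rm -rf "$work"
}
main
```

Against a real deployment, point mtls_probe's s_client line at the LDAP server on port 636 with the production client.pem, client.key and CA file instead of the lab PKI; a successful handshake there, and a rejected one without -cert, confirms that the server really enforces client certificates and that the files about to be imported in steps 1 and 2 are the right ones.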