Install or import the certificates for the LDAP client.
At least one LDAP server must be configured on the device using the ldap-server host
command.
To configure Mutual Authentication do the following:
-
Import the LDAP client
certificate. Use the following command.
crypto ca import-pkcs type pkcs12 cert-type ldap-client protocol FTP directory /mydir-name
file /myfile-name source-ip 10.11.12.13 user user-name password password
-
Import the LDAP server CA
certificates.
crypto import ldapca directory /mydir-name file /myfile-name host 10.11.12.13 user user-name password password​
-
Configure the LDAP server and
AAA authentication. Navigate to the global configuration mode. This configures a
LDAP server with IP 10.11.12.13 with port 636.
SLX (config)# ldap-server host 10.11.12.13 use-vrf mgmt-vrf
SLX (config)# port 636
-
Enable LDAP security.
-
Configure AAA globally.
SLX(config)# aaa authentication login ldap local-auth-fallback
Example
The following example shows the complete configuration of LDAP
server for Mutual Authentication.
SLX # configure terminal
SLX(config)#
SLX(config)# ldap-server host 10.11.12.13 use-vrf mgmt-vrf
SLX(config)# port 636
SLX(config)# ldaps
SLX(config)# basedn myfedcert.local
SLX(config)# aaa authentication login ldap local-auth-fallback
SLX(config)# aaa accounting exec default start-stop none
SLX(config)# aaa accounting commands default start-stop none
SLX(config)# aaa authorization command none
