Today we will learn how to enable LDAP authentication on Ironport. Cisco Email Security Appliance (Ironport) ships with a local admin account for login, but enterprises use a central authentication source instead of local accounts. This gives a better security posture (one place to disable a leaver, one password policy) and fewer passwords to remember.

  • Prerequisites :-
    • Existing Microsoft Active Directory infrastructure.
    • One service account for LDAP authentication (a plain domain user, used only for the bind).
    • An LDAP profile on the Ironport for connectivity between the Ironport and Active Directory.
    • Security groups in Active Directory, one per Ironport role.
    • A plan to remove the existing local accounts once external login has been verified (the built-in admin account cannot be deleted; keep its password stored securely for break-glass access).
  • Configuration Steps :-
    • Create a normal service account without any special permissions. Set a long, complex password and configure it not to expire. The password is stored in the Ironport LDAP profile, so rotating it later means updating the profile as well.
    • Create Security Groups in Active Directory.
      • Examples of some group naming convention :-
        • IronportAdmin
        • IronportOperator
        • IronportSecurity
        • IronportReadOnly
      • Add users to respective security groups.
    • Create LDAP Profile if one doesn’t exist already.
      • Navigate to System Administration > LDAP.
      • Click 'Add LDAP Server Profile' and enter the profile name, the AD server hostname or IP, the service account's DN and password, and the Base DN. Enable SSL (port 636) so that the bind password and user credentials are not sent over the network in clear text.
        [Screenshot: LDAP Profile]
      • Click 'Test Servers' to confirm that the appliance can reach the server and bind with the service account.
    • Enable External Authentication under the LDAP profile.
      • Use the same query parameters as in the screenshot; only the Base DN should be changed to match your environment. The user query resolves the login name to an AD account, and the group query returns that account's security group memberships, which the role mapping in the next step relies on.
      • [Screenshot: LDAP Profile external authentication query]
    • Assign admin roles to the security groups.
    • Navigate to System Administration > Users and make these changes.
      • Enable external authentication, select the LDAP profile, and map each security group to the corresponding role. Custom roles you have created appear in the drop-down as well.
        [Screenshot: security group to role mapping]
    • Commit Changes.
    • You can now log in with your AD credentials.
      • Enter only the username part (the sAMAccountName, without the domain) and your AD password. Confirm from a second session that the expected role was assigned before removing any local accounts.
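The Active Directory side of the procedure above (service account, security groups, membership, and a query that mirrors what the Ironport external authentication profile will run) as an added PowerShell example using the ActiveDirectory module. This is not code from the original post or from Cisco; the domain example.local, the OU paths, the account name svc-ironport-ldap, the user names alice and bob, and the DC name dc01 are all assumptions, and the Ironport GUI steps themselves are not scripted here.

```powershell
# Added example (not from the original post). Prepares the AD side of the
# Ironport LDAP setup. Assumed values: domain example.local, OU paths, the
# service account name, the user names and the DC name.
Import-Module ActiveDirectory

$domainDn = "DC=example,DC=local"                       # assumed domain
$svcOu    = "OU=Service Accounts,$domainDn"             # assumed OU
$groupOu  = "OU=Groups,$domainDn"                       # assumed OU
$svcName  = "svc-ironport-ldap"                         # assumed account name

# 1. Service account: a plain domain user, no extra privileges, long
#    password that never expires. Read it interactively so it never lands
#    in the script or in the shell history.
$svcPassword = Read-Host -Prompt "Password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@example.local" `
    -Path $svcOu -AccountPassword $svcPassword `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Enabled $true -Description "Ironport ESA LDAP bind account"

# 2. Security groups, one per Ironport role (names from the post).
$roleGroups = "IronportAdmin", "IronportOperator", "IronportSecurity", "IronportReadOnly"
foreach ($g in $roleGroups) {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
        -GroupCategory Security -Path $groupOu `
        -Description "Maps to the Ironport ESA role $($g -replace '^Ironport','')"
}

# 3. Membership (user names are assumed).
Add-ADGroupMember -Identity "IronportAdmin"    -Members "alice"
Add-ADGroupMember -Identity "IronportReadOnly" -Members "bob"

# 4. Verification: resolve the login name with an LDAP filter of the same
#    shape the appliance uses and check that memberOf carries an Ironport
#    group. If nothing is returned here, the Ironport login will fail too.
$user = Get-ADUser -LDAPFilter "(&(objectClass=user)(sAMAccountName=alice))" `
    -SearchBase $domainDn -Properties memberOf
$user.memberOf | Where-Object { $_ -like "CN=Ironport*" }

# 5. Bind test with the service account's own credentials against the DC
#    the profile will point at, the manual equivalent of 'Test Servers'.
$cred = Get-Credential -UserName "EXAMPLE\$svcName" -Message "Service account bind test"
Get-ADUser -Identity "alice" -Server "dc01.example.local" -Credential $cred |
    Select-Object DistinguishedName
```

Run the script on a domain-joined host with RSAT installed and rights to create objects in the two OUs. Step 4 is worth repeating for a user from each group before mapping roles on the appliance: the group DNs it prints are exactly what the Ironport group query has to see, so a missing or differently named group shows up here rather than as a failed login later.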

Thank you for your valuable time, please post your suggestions & questions.