
Communication Flow

  1. The Cisco AD Connector first attempts to communicate with the AD domain controller over secure LDAP (LDAPS) on port 646. If that fails, it falls back to LDAP on port 389, authenticating first with Kerberos and, if that does not succeed, with NTLM (Windows NT LAN Manager).
  2. The Cisco AD Connector retrieves the AD Users, Groups, and Endpoint Devices details only. Secure Access stores these required attributes from each object:
    • cn—The common name.

    • dn—The distinguished name.

    • dNSHostName—The device name as it is registered in DNS.

    • mail—Email addresses associated with the user.

    • memberOf—The groups that include the user.

    • objectGUID—The group ID of the object. This property is sent to Secure Access as a hash.

    • primaryGroupId—The primary group ID that is available for Users and Groups.

    • primaryGroupToken—The primary group token, available only for Groups. Passwords and password hashes are not retrieved. Secure Access uses the primaryGroupToken data in access policy configuration and reporting; it is also required for per-user and per-computer filtering.

    • sAMAccountName—The username that you use to sign into the Cisco AD Connector.

    • userPrincipalName—The user's principal name.

    If there are updates, the Cisco AD Connector sends the AD data every five minutes using an HTTPS connection on TCP port 443. However, it can take an hour or longer for changes to reflect in Secure Access.

  3. The Cisco AD Connector stores the AD User and Group data locally in .ldif files.

    The local AD User and Groups data is contained within this folder: C:\Program Files (x86)\Cisco\CiscoADConnector\ADSync.

    Review the .ldif files in the ADSync directory to confirm that the Cisco AD Connector synchronized the AD Users and Groups data to Secure Access.

    When you install the Cisco AD Connector, you have the option to turn off the local storage of .ldif files.
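One way to do that review, as an added example rather than Cisco's own tooling: parse an ADSync-style .ldif file and flag any attribute outside the set listed in step 2, which also confirms that nothing password-related was stored. The sample LDIF is constructed, the files are assumed to be standard LDIF (RFC 2849), and telephoneNumber appears in the sample only so the audit has something to flag.

```python
import base64
import re

# Attributes the documentation lists as the only ones the connector stores.
EXPECTED_ATTRS = {
    "cn", "dn", "dNSHostName", "mail", "memberOf", "objectGUID",
    "primaryGroupId", "primaryGroupToken", "sAMAccountName", "userPrincipalName",
}

# Constructed sample standing in for a file from the ADSync folder (assumed to be
# RFC 2849 LDIF); the second record deliberately carries an undocumented attribute.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=test
cn: Alice Example
sAMAccountName: alice
memberOf: CN=Staff,OU=Groups,
 DC=example,DC=test
primaryGroupId: 513
objectGUID:: 3q2+78r+3q2+78r+3q2+7w==

dn: CN=WS01,OU=Computers,DC=example,DC=test
cn: WS01
dNSHostName: ws01.example.test
telephoneNumber: +1 555 0100
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into records; folded lines are joined and 'attr:: v' is base64 (kept as hex)."""
    unfolded = re.sub(r"\n ", "", text)        # a leading space continues the previous line
    records, current = [], {}
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).hex()
            current.setdefault(attr, []).append(value.strip())
    return records


def audit(records: list[dict[str, list[str]]]) -> dict[str, list[str]]:
    """Map each record's DN to any attributes outside the documented set."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        extra = sorted(set(rec) - EXPECTED_ATTRS)
        if extra:
            findings[rec.get("dn", ["<no dn>"])[0]] = extra
    return findings
```

Run audit(parse_ldif(open(path).read())) over each file in the ADSync folder; an empty result means every stored attribute is one the documentation names.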