ACS, PIX, and Internet access by AD Group

Discussion in 'Cisco' started by Daniel de Young, Jun 5, 2004.

  1. I'm about to start an evaluation of ACS 3.2.

    The primary role of ACS will be to provide single sign on to the network
    devices. I figure that will be simple enough, I've just got to upgrade a
    few switch IOSs to get Radius compatible code.

    Secondarily, I'm trying to eliminate the need for a Microsoft ISA box that
    was deployed by my predecessor.

    I'm pretty sure I can move current VPN users over to a newly deployed VPN
    Concentrator and authenticate through ACS to AD.

    However, I'm wondering if I can control internet access based on AD group
    membership. If so, will ACS provide internet access reports in a similar
    fashion to ACS?

    If I can perform all 3 functions I can finally get rid of the ISA box and
    have a single Internet gateway and start fully utilizing the PIX.

    Anybody out there performing these functions successfully?

    Another thing that I'm worried about is if ACS just authenticates YES/NO,
    will users who are able to use VPN also be able to log in to network
    devices?

    Thanks,

    -Daniel
    Daniel de Young, Jun 5, 2004
    #1

  2. Heya Daniel,

    ACS will NOT talk to AD, it must talk to an IAS server which in turn talks
    to AD. You can however import from AD but it will not carry over passwords.
    You can install the web password changer for ACS and allow the users to
    change their passwords to the same as their domain password. I just went
    through this for one of my customers...spent almost 2 weeks with it along with
    3 different TAC cases because I, like you, was under the impression that ACS
    would talk to AD.

    Good luck,
    -Brian
    "Daniel de Young" <> wrote in message
    news:p...
    > I'm about to start an evaluation of ACS 3.2.
    >
    > The primary role of ACS will be to provide single sign on to the network
    > devices. I figure that will be simple enough, I've just got to upgrade a
    > few switch IOSs to get Radius compatible code.
    >
    > Secondarily, I'm trying to eliminate the need for a Microsoft ISA box that
    > was deployed by my predecessor.
    >
    > I'm pretty sure I can move current VPN users over to a newly deployed VPN
    > Concentrator and authenticate through ACS to AD.
    >
    > However, I'm wondering if I can control internet access based on AD group
    > membership. If so, will ACS provide internet access reports in a similar
    > fashion to ACS?
    >
    > If I can perform all 3 functions I can finally get rid of the ISA box and
    > have a single Internet gateway and start fully utilizing the PIX.
    >
    > Anybody out there performing these functions successfully?
    >
    > Another thing that I'm worried about is if ACS just authenticates YES/NO,
    > will users who are able to use VPN also be able to log in to network
    > devices?
    >
    > Thanks,
    >
    > -Daniel
    >
    >
    Brian V, Jun 6, 2004
    #2

  3. Hello, Brian!
    You wrote on Sat, 5 Jun 2004 20:07:56 -0400:

    BV> ACS will NOT talk to AD, it must talk to an IAS server which
    BV> in turn talks to AD. You can however import from AD but it
    BV> will not carry over passwords.
    BV> You can install the web password changer for ACS and allow
    BV> the users to change their passwords to the same as their
    BV> domain password. I just went through this for one of my
    BV> customers...spent almost 2 weeks with it along with 3
    BV> different TAC cases because I, like you, was under the
    BV> impression that ACS would talk to AD.

    Well, I guess I did a miracle then because my ACS servers work just fine with
    Windows AD. Users can change their AD passwords and such. There are no users
    created in Secure Database, just an external database and some group mapping is
    configured. ACS version is 3.2.2, but it was working before with 3.0 and 3.1.
    If you have pure AD (vs. mixed mode) and ACS is installed on a member server you
    need to check release notes for a proper configuration - ACS should run under a
    domain user account with appropriate rights - "log on as a service" and "act as
    a part of OS".

    With best regards,
    Andrey.
    Andrey Tarasov, Jun 6, 2004
    #3
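    Andrey's point about the service account rights is worth verifying on the box, because "act as part of the operating system" (SeTcbPrivilege) is one of the most powerful rights Windows has, and every account holding it should be known and deliberate. The following PowerShell script is an added example, not something posted in this thread or shipped with ACS; it assumes an elevated prompt on the ACS host and uses the built-in secedit.exe to export the user-rights assignments from the local security database, then lists which accounts hold SeTcbPrivilege and SeServiceLogonRight.

```powershell
# Added example: audit which accounts hold the two user rights an ACS service
# account needs when authenticating against AD (see the post above).
# Assumes an elevated PowerShell prompt on the ACS host; secedit.exe is built in.

function Get-UserRightsAssignment {
    # Export the user-rights area of the local security database and parse
    # the [Privilege Rights] section into a hashtable: right name -> entries.
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-RightHolder {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\name.
    # Unresolvable SIDs (deleted or foreign-domain accounts) are reported raw
    # so that orphaned grants stand out in the report.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return "$Entry (unresolved SID)"
        }
    }
    return $Entry
}

# The two rights named in the thread: SeTcbPrivilege is "Act as part of the
# operating system" and SeServiceLogonRight is "Log on as a service".
$rights = Get-UserRightsAssignment
foreach ($priv in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    Write-Output "$priv is granted to:"
    # secedit omits a right entirely when nobody holds it.
    if (-not $rights.ContainsKey($priv) -or $rights[$priv].Count -eq 0) {
        Write-Output '  (no accounts)'
        continue
    }
    foreach ($entry in $rights[$priv]) {
        Write-Output ('  ' + (Resolve-RightHolder -Entry $entry))
    }
}
```

    Run it before and after granting the rights to the ACS account and keep the output with the change record; any account other than the ACS service account showing up under SeTcbPrivilege deserves a second look, and an unresolved SID there means an orphaned grant that should be removed.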
  4. "Andrey Tarasov" <> wrote in message
    news:c9tscr$29rp$...
    > Hello, Brian!
    > You wrote on Sat, 5 Jun 2004 20:07:56 -0400:
    >
    > BV> ACS will NOT talk to AD, it must talk to an IAS server which
    > BV> in turn talks to AD. You can however import from AD but it
    > BV> will not carry over passwords.
    > BV> You can install the web password changer for ACS and allow
    > BV> the users to change their passwords to the same as their
    > BV> domain password. I just went through this for one of my
    > BV> customers...spent almost 2 weeks with it along with 3
    > BV> different TAC cases because I, like you, was under the
    > BV> impression that ACS would talk to AD.
    >
    > Well, I guess I did a miracle then because my ACS servers work just fine with
    > Windows AD. Users can change their AD passwords and such. There are no users
    > created in Secure Database, just an external database and some group mapping is
    > configured. ACS version is 3.2.2, but it was working before with 3.0 and 3.1.
    > If you have pure AD (vs. mixed mode) and ACS is installed on a member server you
    > need to check release notes for a proper configuration - ACS should run under a
    > domain user account with appropriate rights - "log on as a service" and "act as
    > a part of OS".
    >
    > With best regards,
    > Andrey.

    Good morning Andrey,

    I am very interested in discussing this offline with you.

    According to Cisco it can't be done......Maybe I should try to clarify a
    couple things, perhaps I made an incorrect assumption with the OP post and
    jumped the gun a bit.

    1. For telnet/enable authentication to a network device ACS to AD will work
    fine. Actually a very simple config. The username will then populate the ACS
    database via AD.
    2. This is where I may have assumed/read incorrectly, hell I may even be
    completely off my rocker as I can't find the original post now....I believe
    the OP said for network access control, web privileges, etc. I took this to
    mean 802.1x authentication and vlan control. This is what Cisco is telling
    me cannot be done and I sure as heck couldn't get it to work! I tried with
    it installed directly on the DC, on a member server, even on my laptop! Only
    way it would work is using an IAS server.

    If you are using 802.1x what authentication are you using? EAP-MD5, MS PEAP,
    Smart card?

    Ping me offline as well as reply to the group if you wouldn't mind. I'm
    without a doubt interested in what you have to say and I'm sure there are
    several others here who are interested too!

    fl66 <at> comcast<dot>net

    Have a good one!
    -Brian
    Brian V, Jun 6, 2004
    #4
  5. Hello, Brian!
    You wrote on Sun, 6 Jun 2004 07:34:45 -0400:

    BV> If you are using 802.1x what authentication are you using?
    BV> EAP-MD5, MS PEAP,
    BV> Smart card?

    We are using 802.1x with LEAP authentication - that's for our wireless LAN. The
    same ACS servers are also doing authentication for users on the VPN concentrator.
    As for the original e-mail, Daniel asked the following question -

    >> However, I'm wondering if I can control internet access based on AD
    >> group membership. If so, will ACS provide internet access reports in a
    >> similar fashion to ACS?

    Having never dealt with IAS, I have no idea what kind of internet access reports it
    provides and how granular its access control is. Nevertheless ACS can check AD
    group membership so I don't see a problem in general. Specific requirements may,
    though, preclude use of ACS in place of IAS.

    If you have any specific questions regarding ACS - please, let me know and I'll try
    to answer them.

    With best regards,
    Andrey.
    Andrey Tarasov, Jun 6, 2004
    #5
