CiscoSecure ACS 3.3 and MS Active Directory?

Discussion in 'Cisco' started by rasncain@gmail.com, Feb 23, 2005.

  1. Guest

    We just got and installed CiscoSecure ACS 3.3 on a domain controller
    for our MS active directory domain.

    ACS seems to work with AD in the sense that it uses the usernames and
    passwords contained in AD for users. However I noticed it does not seem
    to populate ACS with the users, instead you have to go in to ACS and
    add each user with the username from AD, and then just tell it to use
    the windows database for password authentication.

    Is this correct or am I missing something in my setup that is
    preventing users from being populated in ACS?

    Also, can you not use AD groups for ACS permissions? For example one of
    the things we are doing is defining certain groups for access to
    routers, switches and firewall commands. I have been able to do this
    manually in ACS by defining a group and setting the permissions as well
    as the command authorization set. However it does not seem very
    practical to have to go in manually to ACS to add a user to an ACS
    group. I thought since ACS works with active directory it would also
    use AD groups. So we could assign a user to a group in AD and it would
    then utilize the defined ACS permissions for that group.

    Is this a poor assumption? Will we have to do things manually? What
    integration between ACS and MS Active Directory is there then, aside
    from simple password authentication?
     
    , Feb 23, 2005
    #1

  2. Hello, !
    You wrote on 23 Feb 2005 07:57:13 -0800:

    r> We just got and installed CiscoSecure ACS 3.3 on a domain
    r> controller for our MS active directory domain.

    r> ACS seems to work with AD in the sense that it uses the usernames
    r> and passwords contained in AD for users. However I noticed it does
    r> not seem to populate ACS with the users, instead you have to go in
    r> to ACS and add each user with the username from AD, and then just
    r> tell it to use the windows database for password authentication.

    r> Is this correct or am I missing something in my setup that is
    r> preventing users from being populated in ACS?

    You are missing the Unknown Policy. It's possible to make ACS search AD for
    unknown accounts and add them to a specific ACS group.

    r> Also, can you not use AD groups for ACS permissions? For example
    r> one of the things we are doing is defining certain groups for
    r> access to routers, switches and firewall commands. I have been
    r> able to do this manually in ACS by defining a group and setting
    r> the permissions as well as the command authorization set. However
    r> it does not seem very practical to have to go in manually to ACS
    r> to add a user to an ACS group. I thought since ACS works with
    r> active directory it would also use AD groups. So we could assign a
    r> user to a group in AD and it would then utilize the defined ACS
    r> permissions for that group.

    It's possible, but keep in mind that ACS is not very flexible - it can't have
    the same user in multiple groups. Let's say you have a user in groups A and B in
    AD. They are mapped to groups A1 and B1 on ACS. With the unknown policy in place,
    the user will end up in the first group in the list - either A1 or B1, but not in both.
    We are using ACS for authentication of wireless and VPN users and access to
    network devices. Since our wireless and VPN users are pretty much the same, we are
    using a single group. If they were different populations, we would be forced to
    use realms.
    For network administration access I'm using a dirty trick - my account in the
    wireless group has the domain added to it. In the network group it's just a user name.

    r> Is this a poor assumption? Will we have to do things manually?
    r> What integration between ACS and MS Active Directory is there
    r> then, aside from simple password authentication?

    ACS can check dial-in permissions, propagate password changes, and check AD group
    membership. You can deny access based on AD group membership.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Feb 23, 2005
    #2
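
The first-match behaviour described in post #2, modelled as an added example (not code from the thread and not Cisco's): it resolves each user to a single ACS group from an ordered mapping list and reports users whose AD memberships would match more than one ACS group, which are the accounts where list order silently decides the permissions. All group names, users and the fallback group are constructed assumptions.

```python
# Added illustration of ordered, first-match group mapping as described in the
# post above. Group names, users and the fallback group are constructed.

# Ordered list of (AD group, ACS group). Order matters: the first match wins.
GROUP_MAPPINGS = [
    ("AD-Wireless-Users", "ACS-Wireless"),
    ("AD-Network-Admins", "ACS-NetAdmin"),
    ("AD-VPN-Users", "ACS-Wireless"),
]
DEFAULT_ACS_GROUP = "ACS-Default"  # assumed fallback when nothing matches

# Constructed AD memberships for four sample accounts.
AD_MEMBERSHIPS = {
    "alice": {"AD-Wireless-Users", "AD-Network-Admins"},
    "bob": {"AD-Wireless-Users", "AD-VPN-Users"},
    "carol": {"AD-Network-Admins"},
    "dave": {"AD-Finance"},
}


def resolve_acs_group(ad_groups, mappings=GROUP_MAPPINGS):
    """Return the single ACS group a user lands in: first matching rule wins."""
    for ad_group, acs_group in mappings:
        if ad_group in ad_groups:
            return acs_group
    return DEFAULT_ACS_GROUP


def find_shadowed_mappings(memberships, mappings=GROUP_MAPPINGS):
    """Report users who match rules for more than one distinct ACS group.

    Returns {user: (assigned_group, [groups never applied])}.
    """
    report = {}
    for user, ad_groups in memberships.items():
        candidates = []
        for ad_group, acs_group in mappings:
            if ad_group in ad_groups and acs_group not in candidates:
                candidates.append(acs_group)
        if len(candidates) > 1:
            report[user] = (candidates[0], candidates[1:])
    return report


if __name__ == "__main__":
    for user, groups in AD_MEMBERSHIPS.items():
        print(user, "->", resolve_acs_group(groups))
    print("shadowed:", find_shadowed_mappings(AD_MEMBERSHIPS))
```

Running the audit before reordering the mapping list shows which accounts would change ACS group, and therefore command authorization set, as a result.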

  3. zillah

    I have got wireless and I want to use Cisco Secure ACS, to be authenticated through AD. I am sure this has got documentation, but I could not come up with anything on a search.

    Could you please point to the proper URL.

    Regards
     
    zillah, Feb 6, 2007
    #3