Re: Cisco ACS Help

Discussion in 'Cisco' started by webnetwiz, Jun 17, 2006.

  1. webnetwiz

    webnetwiz Guest

    What version of ACS are you running? You may want to see if you can set up 2 separate groups of network devices, and see if you can authenticate one network group against one domain, and the second group against the other domain.


    -----------------------------------------------------------------------------------------
    I don't think this can be done. You authenticate the users against a
    database Windows/Ciscosecure to give access to devices. The devices
    don't care where the user authenticates. You can create two groups of
    users (one for each domain) and configure the devices to authenticate
    against those groups.

    Rgds,

    Robert B. Phillips, II wrote:
    > I am new to ACS so my apologies if this is a n00b question or in the
    > documentation, I have viewed the documentation but I am not finding how
    > to accomplish what I am trying to accomplish.
    >
    > I have set up Cisco ACS to authenticate to the external Windows
    > database (Active Directory). I have two domains, Domain A and Domain
    > B. I have domain mappings set up to point ACS to each of the domains
    > and the NT group within each domain with the user accounts I want to
    > authenticate. I want to have some of our network devices to
    > authenticate ONLY against Domain A and some of our network devices to
    > authenticate ONLY against Domain B. I am not certain how to "segment"
    > the network devices in ACS so that they only authenticate against the
    > chosen domain. Right now all devices authenticate against either
    > domain mapping. What is the best way of going about implementing this
    > "segmentation"?
    >
    > We are on ACS version 4.0. The network devices right now are only
    > Lantronix SCS100 console servers attached to Cisco 1751-V routers. In
    > the future we will have other network devices authenticate here and
    > will have VPN connections terminated on our ASAs authenticate here as
    > well.
    >
    > Thanks.
    > Robert Phillips, CCNA





     
    webnetwiz, Jun 17, 2006
    #1

  2. I am on ACS version 4.0 - I have set up domain mappings and have bound
    those to an ACS group, I just can't figure out how to force a specific
    device to authenticate only against a specific ACS group. Is this
    possible? If so how?

     
    Robert B. Phillips, II, Jun 19, 2006
    #2

  3. webnetwiz

    thrill5 Guest

    If the userids are different, then a group mapping will be sufficient. If
    you have a single userid that exists in Domain A and Domain B, and want
    device A to only authenticate to Domain A, and device B to authenticate only
    to Domain B, then you need to set up two different ACS servers. One for device
    A, configured only to talk to Domain A, and one for device B, to authenticate
    only to Domain B.

    Scott

     
    thrill5, Jun 20, 2006
    #3
  4. What I was hoping was that there was a way to force certain devices to
    authenticate against ACS Group 0 and others against ACS Group 1. It's
    those ACS groups that link to the domain-mappings. There is no way to
    force a device to use one ACS group over another for authentication?
    Also, can this be accomplished via a NAR (i.e. by creating two groups
    of devices and filtering one group or the other via NAR)?

    Yes, userids are in some way the same between Domain A and Domain B. But
    whether they are the same or not, the requirement is that certain
    devices authenticate against Domain A regardless of userid, while
    others authenticate against Domain B.

     
    Robert B. Phillips, II, Jun 20, 2006
    #4