https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985748#M202262 <HTML><HEAD></HEAD><BODY><P>Yes you should have user on internal database and on AD too and then select user to check password against any configured database.</P><P></P><P>Create an attribute "ACS-RESERVED-Authen-ID-Store" with String type under System Administration &gt; configuration &gt; Dictionaries &gt; Identity&gt; Internal Users". and Set this attribute's corresponding value in the internal user "User1" as AD1.</P><P></P><P>Set the identity store as Internal users in Access Policies. </P><P></P><P>You can then edit the user in the internal databse as per your requirement.</P><P></P><P>Regards,</P><P>Jatin</P><P></P><P></P><P>Do rate helpful posts-</P></BODY></HTML> Sat, 16 Jun 2012 01:51:21 GMT Jatin Katyal 2012-06-16T01:51:21Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985741#M202175 <P>Hi guys, we've configured an ACS 5.1 and integrated it with active directory Win2K3, we created two groups in the AD for managing network devices one for Administrators and the other for operators (read-only),&nbsp; so we configured a device admin policy and both groups work fine, but now we are facing a little problem any user who exists in the AD can login (user exec mode) in the network devices and we want to restric the login with the policy, but we just don't know how.</P><P></P><P> Is there a way to get a user be authenticated against external group or internal acs but at user level, just like you can do it in the ACS 4.X?</P><P></P><P></P><P>Thanks for your help!!!</P><P></P><P>Best Regards</P><P>Oscar</P> Mon, 11 Mar 2019 02:12:18 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985741#M202175 ochalmers 2019-03-11T02:12:18Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985742#M202185 <HTML><HEAD></HEAD><BODY><P>Select<STRONG> Policy Elements &gt; Authorization and Permissions</STRONG> &gt; <STRONG>Device Administration &gt; Shell Profiles</STRONG> then edit the shell profile and choose Not in use for privilege level there.</P><P></P><P>Submit the changes and try again.</P></BODY></HTML> Fri, 15 Jun 2012 23:42:53 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985742#M202185 Jatin Katyal 2012-06-15T23:42:53Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985743#M202199 <HTML><HEAD></HEAD><BODY><P>Hi Katyal, the normal user (Not Administrators or Operartors) are falling in the permit acces shell profile and i can not modify it.</P><P></P><P>Any ideas.</P></BODY></HTML> Sat, 16 Jun 2012 00:10:47 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985743#M202199 ochalmers 2012-06-16T00:10:47Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985744#M202211 <HTML><HEAD></HEAD><BODY><P>yeah you cannot edit that, it's a default shell profile. All you need to do create a new one with privilege level "not in use" and select the new shell profile for (Not Administrators or Operartors) under Default Device Admin &gt;&gt; authorization profile &gt;&gt; edit it and make changes.</P><P></P><P>Hope this helps.</P></BODY></HTML> Sat, 16 Jun 2012 00:14:32 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985744#M202211 Jatin Katyal 2012-06-16T00:14:32Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985745#M202224 <HTML><HEAD></HEAD><BODY><P>Normal users are still falling in&nbsp; permit acces shell profile, i think it is because all user match the "Identity Policy Matched Rule" which matches "protocol tacacs" i've tried to find an attribute to make a difference like the groups that we configured in the AD, but i still haven't found it.</P><P></P><P>Now i modified the identity rule and&nbsp; adding a compound condition "system username" and it works, but i have to include every administrator and opertator, do you think there is an easy way to accomplish this?</P></BODY></HTML> Sat, 16 Jun 2012 00:56:11 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985745#M202224 ochalmers 2012-06-16T00:56:11Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985746#M202241 <HTML><HEAD></HEAD><BODY><P>You can categorise using internal groups since devices and protocol are same in both the cases.</P><P></P><P>Regards,</P><P>Jatin</P></BODY></HTML> Sat, 16 Jun 2012 01:15:24 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985746#M202241 Jatin Katyal 2012-06-16T01:15:24Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985747#M202245 <HTML><HEAD></HEAD><BODY><P>Now it's working as expected.</P><P></P><P> One last question, is it possible that users from a same group could be authenticated using AD and others using acs internal database, i mean we could choose authentication method at user level?</P><P></P><P>Thank you so much for your help.</P><P>Regards,</P><P>Oscar </P></BODY></HTML> Sat, 16 Jun 2012 01:38:17 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985747#M202245 ochalmers 2012-06-16T01:38:17Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985748#M202262 <HTML><HEAD></HEAD><BODY><P>Yes you should have user on internal database and on AD too and then select user to check password against any configured database.</P><P></P><P>Create an attribute "ACS-RESERVED-Authen-ID-Store" with String type under System Administration &gt; configuration &gt; Dictionaries &gt; Identity&gt; Internal Users". and Set this attribute's corresponding value in the internal user "User1" as AD1.</P><P></P><P>Set the identity store as Internal users in Access Policies. </P><P></P><P>You can then edit the user in the internal databse as per your requirement.</P><P></P><P>Regards,</P><P>Jatin</P><P></P><P></P><P>Do rate helpful posts-</P></BODY></HTML> Sat, 16 Jun 2012 01:51:21 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985748#M202262 Jatin Katyal 2012-06-16T01:51:21Z https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985749#M202302 <HTML><HEAD></HEAD><BODY><P>In case you are running acs code below ACS 5.2.0.26 patch 2 then you won't be able to avail this feature. This was an enhancement request which got fixed in ACS 5.2 patch 2.</P><P></P><P>CSCtk32683&nbsp;&nbsp;&nbsp; Authenticate internal DB user on external identity store</P><P></P><P></P><P>Regards,</P><P>Jatin</P><P></P><P>Do rate helpful posts-</P></BODY></HTML> Sat, 16 Jun 2012 02:13:51 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-using-active-directory-to-manage-network-device-admin/m-p/1985749#M202302 Jatin Katyal 2012-06-16T02:13:51Z