https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037777#M395985 <HTML><HEAD></HEAD><BODY><P>Thank you. How does ACS distinguish between VPN users who can authenticate to AD versus the local ACS database? For example: I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to local ACS database?</P></BODY></HTML> Thu, 07 Aug 2008 20:12:20 GMT danieldiaz 2008-08-07T20:12:20Z https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037775#M395983 <P>We are looking to have our cisco vpn client users authenticate to AD. We don't want to add the users in ACS but still point our ASA &gt; ACS &gt; AD. I.e, we don't want to add a new employee into ACS but still permit him to VPN (ACS)in and auth against AD. I know we can point ASA to IAS directly and bypass ACS.</P> Sun, 10 Mar 2019 23:01:15 GMT https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037775#M395983 danieldiaz 2019-03-10T23:01:15Z https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037776#M395984 <HTML><HEAD></HEAD><BODY><P>If you have acs using active directory database then user will always be in AD and not is acs.</P><P></P><P>ACS will do the authen lookup from AD.</P><P></P><P>VPN Client---&gt;VPN Server----&gt;ACS----&gt;AD.</P><P></P><P>In this set up no need to add user in acs.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts </P></BODY></HTML> Thu, 07 Aug 2008 18:12:03 GMT https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037776#M395984 Jagdeep Gambhir 2008-08-07T18:12:03Z https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037777#M395985 <HTML><HEAD></HEAD><BODY><P>Thank you. How does ACS distinguish between VPN users who can authenticate to AD versus the local ACS database? For example: I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to local ACS database?</P></BODY></HTML> Thu, 07 Aug 2008 20:12:20 GMT https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037777#M395985 danieldiaz 2008-08-07T20:12:20Z https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037778#M395986 <HTML><HEAD></HEAD><BODY><P>Look into the "Unknown User Policy" - ACS checks local database first, then follows the unknown user policy if the user doesn't exist locally.</P><P></P><P>For example - VPN-John Doe is an account in local ACS database and VPN-Joe Smith is an account in the (external) AD database.</P><P></P><P>Scenario 1: VPN-John Doe initiates a VPN connection - ACS challenges the user for username/password and looks locally, finds this user in its local database and authenticates or rejects the credentials supplied.</P><P></P><P>Scenario 2: VPN-Joe Smith initiates a VPN connection - ACS challenges the user for username/password and looks locally, does not find this account in its local database and follows the unknown user policy - if AD is your next defined external database, ACS will query AD for authentication or rejection.</P><P></P><P>Of course, that is a very simple explanation that leaves out per-user or per-group access restrictions that could differentiate between different users or different groups using NARs, Filters, etc.</P><P></P><P>HTH. </P></BODY></HTML> Thu, 07 Aug 2008 21:06:29 GMT https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037778#M395986 charrellc011699 2008-08-07T21:06:29Z https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037779#M395987 <HTML><HEAD></HEAD><BODY><P>Thank you so much, this is of great help. </P></BODY></HTML> Thu, 07 Aug 2008 21:10:26 GMT https://community.cisco.com/t5/network-access-control/acs-to-ad-authentication-w-out-adding-users-to-acs/m-p/1037779#M395987 danieldiaz 2008-08-07T21:10:26Z