https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740336#M420551 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You only need to configure following :</P><P></P><P>- Make sure that you have a Remote Agent installed so that your ACS appliance can talk to AD. Beware, Remote Agent version should be exactly the same, as the version of ACS software that you have on your appliance.</P><P></P><P>- Then you need to configure Group mapping, if you need users discovered from AD to map to a particular group on ACS.</P><P></P><P>Else, if you don't, all the AD users will be mapped to Default Group on ACS.</P><P></P><P>- Configure the group the way you want.</P><P></P><P>Useful links:</P><P>Installation/configuration instructions for Remote Agent(they come in 2 flavors, Solaris, Windows):</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm</A></P><P></P><P>Windows Database:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp353636" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp353636</A></P><P></P><P>Group Mapping:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/grpmap.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/grpmap.htm</A></P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Mon, 04 Jun 2007 11:53:42 GMT Premdeep Banga 2007-06-04T11:53:42Z https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740334#M420549 <P>Hi all,</P><P></P><P>The scenario as following, I have ASA, ACS appliance v4.1 and Active directory, all the users credentials located on AD and I?m willing to configure the ACS (radius) to manage and restrict the access to internet, I did it successfully in case the credentials created on the ACS's local database but practically all my users accounts created on the AD and I need to find away to group the users on ACS and keep the accounts on AD.</P><P></P><P>Is it possible!!</P><P></P><P>Regards,</P><P></P> Sun, 10 Mar 2019 22:11:23 GMT https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740334#M420549 balsheikh 2019-03-10T22:11:23Z https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740335#M420550 <HTML><HEAD></HEAD><BODY><P>Yes is possible. You have your active directory groups map to ACS groups. You'll need to migrate all of your permissions to the group level since user permissions override group settings. You'll also need to (IMHO) migrate your local users from static on the server to dynamic populated from Active Directory. Be aware that the order in which your groups are listed in ACS matters in AAA, the first match a rule hits is the one it uses.</P></BODY></HTML> Mon, 04 Jun 2007 10:05:13 GMT https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740335#M420550 akemp 2007-06-04T10:05:13Z https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740336#M420551 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You only need to configure following :</P><P></P><P>- Make sure that you have a Remote Agent installed so that your ACS appliance can talk to AD. Beware, Remote Agent version should be exactly the same, as the version of ACS software that you have on your appliance.</P><P></P><P>- Then you need to configure Group mapping, if you need users discovered from AD to map to a particular group on ACS.</P><P></P><P>Else, if you don't, all the AD users will be mapped to Default Group on ACS.</P><P></P><P>- Configure the group the way you want.</P><P></P><P>Useful links:</P><P>Installation/configuration instructions for Remote Agent(they come in 2 flavors, Solaris, Windows):</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm</A></P><P></P><P>Windows Database:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp353636" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp353636</A></P><P></P><P>Group Mapping:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/grpmap.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/grpmap.htm</A></P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Mon, 04 Jun 2007 11:53:42 GMT https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740336#M420551 Premdeep Banga 2007-06-04T11:53:42Z https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740337#M420552 <HTML><HEAD></HEAD><BODY><P></P><P>Hi Prem,</P><P></P><P>Many thx for your support, I wasted time trying to configure group mapping using LDAP but I found it wasn't supported. I used the windows DB with remote agent and task acomplished successfully.</P><P></P><P>Regards,</P><P>Belal </P></BODY></HTML> Sat, 09 Jun 2007 13:58:08 GMT https://community.cisco.com/t5/network-access-control/radius-and-ad-issue/m-p/740337#M420552 balsheikh 2007-06-09T13:58:08Z