https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290131#M565425 <P>Hello community</P><P>&nbsp;</P><P>I'm currently preparing a migration from ACS to ISE 3.0. We use ACS as TACACS service for all our switches and we have local user accounts. Because of security recommendations I'd like to move away from local accounts to AD authentication. However, our AD accounts are some random numbers and all our device admins are used to authenticate with a very simple 2-letter acronym of their name. We cannot make any changes to AD as this is managed by a whole other team.</P><P>&nbsp;</P><P>My question thus is, can we somehow map an alias to an AD-account name in ISE? For example, a device admin named Steve Johnson, logs in with credential SJ, but his AD account is T1598863.</P><P>&nbsp;</P><P>Thanks</P> Thu, 11 Feb 2021 14:24:54 GMT daan.celie 2021-02-11T14:24:54Z https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290131#M565425 <P>Hello community</P><P>&nbsp;</P><P>I'm currently preparing a migration from ACS to ISE 3.0. We use ACS as TACACS service for all our switches and we have local user accounts. Because of security recommendations I'd like to move away from local accounts to AD authentication. However, our AD accounts are some random numbers and all our device admins are used to authenticate with a very simple 2-letter acronym of their name. We cannot make any changes to AD as this is managed by a whole other team.</P><P>&nbsp;</P><P>My question thus is, can we somehow map an alias to an AD-account name in ISE? For example, a device admin named Steve Johnson, logs in with credential SJ, but his AD account is T1598863.</P><P>&nbsp;</P><P>Thanks</P> Thu, 11 Feb 2021 14:24:54 GMT https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290131#M565425 daan.celie 2021-02-11T14:24:54Z https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290191#M565430 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<U><EM>&gt;I'd like to move away from local accounts to AD authentication</EM></U></P> <P>&nbsp;In case of network lockups it may be desirable to keep a local account available too on a switch.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<U><EM> &nbsp; &gt;can we somehow map an alias to an AD-account name in ISE</EM></U></P> <P>&nbsp;- I doubt this can be done, but even it could. Remember ISE is a corner-stone of your Intranet security environment. Good integration or communication with the AD-admin group is therefore strongly recommended.</P> <P>&nbsp;M.</P> Thu, 11 Feb 2021 15:44:29 GMT https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290191#M565430 Mark Elsen 2021-02-11T15:44:29Z https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290930#M565449 <P>Not really what it's meant for but I used identity rewrite to achieve this. It's only 10 people or so that manage the switches on a daily basis so it's manageable with identity rewrite.</P> Fri, 12 Feb 2021 18:07:32 GMT https://community.cisco.com/t5/network-access-control/tacacs-ad-authentication-with-alias/m-p/4290930#M565449 daan.celie 2021-02-12T18:07:32Z