https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520889#M34649 <P>I wanted to know if Cisco ACS in any way extends the Microsoft Active Directory schema. I'm thinking not but co-workers want some sort of comfirmation. It's simply an authentication request that either gets accepted or rejected right?</P><P></P><P>Thanks for the input!</P><P></P><P>Sincerely,</P><P>Andrew Hanson</P> Sun, 04 Jul 2021 18:47:03 GMT Andrew.Hanson 2021-07-04T18:47:03Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520889#M34649 <P>I wanted to know if Cisco ACS in any way extends the Microsoft Active Directory schema. I'm thinking not but co-workers want some sort of comfirmation. It's simply an authentication request that either gets accepted or rejected right?</P><P></P><P>Thanks for the input!</P><P></P><P>Sincerely,</P><P>Andrew Hanson</P> Sun, 04 Jul 2021 18:47:03 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520889#M34649 Andrew.Hanson 2021-07-04T18:47:03Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520890#M34650 <HTML><HEAD></HEAD><BODY><P>Cisco ACS server will work with AD. You should not have any problem with this setup.</P><P></P></BODY></HTML> Tue, 21 Mar 2006 22:46:34 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520890#M34650 b.hsu 2006-03-21T22:46:34Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520891#M34651 <HTML><HEAD></HEAD><BODY><P>Yes you are right, ACS doesn´t extend MS AD in anyway. It only use AD to authenticate users, but ACS doesn´t have to do with MS AD for other reasons.</P><P></P><P>This apply for both ACS Appliance and ACS over MS Windows.</P><P></P></BODY></HTML> Thu, 23 Mar 2006 04:49:17 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520891#M34651 fbellom 2006-03-23T04:49:17Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520892#M34653 <HTML><HEAD></HEAD><BODY><P>Thanks all for the clarification!</P></BODY></HTML> Thu, 23 Mar 2006 16:22:58 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520892#M34653 Andrew.Hanson 2006-03-23T16:22:58Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520893#M34654 <HTML><HEAD></HEAD><BODY><P>ACS doesn't extend AD per se, but ACS does permit other options and functional extension . </P><P></P><P>For example, with AD, your auth options are PEAP and EAP-TLS. </P><P></P><P>With ACS, you get PEAP and EAP-TLS, but you also get LEAP and EAP-FAST ... which you may need for fast secure roaming. </P><P></P><P>There are others for both (common to both, i.e., MAC filtering) but I believe these would be the most common and desirable.</P><P></P><P>ACS also provides TACACS+, which can be handy for pushing parameters down to the client, applying scopes and other non-RADIUS functionality. </P><P></P><P>FWIW</P><P></P><P>Scott</P><P></P></BODY></HTML> Thu, 23 Mar 2006 21:38:30 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520893#M34654 scottmac 2006-03-23T21:38:30Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520894#M34657 <HTML><HEAD></HEAD><BODY><P>Thanks for the post Scott. However, AD isn't a RADIUS solution like ACS (or IAS) right? What you're really talking about is EAP methods that are supported, not neccessarily schema modifications within AD? So ACS does not NEED to create AD objects that are populated with attributes/properties that are integral to the EAP authentication method. I think thats right but please let me know if its not.</P><P></P><P>Cheers!</P><P></P><P>Drew</P></BODY></HTML> Fri, 24 Mar 2006 00:01:46 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520894#M34657 Andrew.Hanson 2006-03-24T00:01:46Z https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520895#M34658 <HTML><HEAD></HEAD><BODY><P>You are correct. </P><P></P><P>The combination of AD and IAS can provide some compatible auth methods. </P><P></P><P>ACS, either stand-alone or using the AD as an auth source can provide pretty much all of the available methods. </P><P></P><P>ACS doesn't need anything from the AD aside from the username / password for a MS-CHAP-v2 (usually inside an EAP system) and / or possibly MAC, maybe certificate info (the cert would usually go into the ACS software, even if it's running on the AD or the CA ...).</P><P></P><P>Basically, ACS hands the username/password to the AD, asks" Is this one of yours?", .... if the AD responds affirmatively, then ACS / RADIUS sends the "OK to pass" and opens up the connection.</P><P></P><P>Being that AD is LDAP-based, it's likely that you can, if you want, add other attributes to pass along to ACS, but it's not necessary. </P><P></P><P>Good Luck</P><P></P><P>Scott</P></BODY></HTML> Fri, 24 Mar 2006 18:58:30 GMT https://community.cisco.com/t5/wireless/acs-and-microsoft-ad/m-p/520895#M34658 scottmac 2006-03-24T18:58:30Z