ACS 5.1 and active directory authentication

andreagentile71
Level 1

Hi experts,


I'm trying to accomplish the following:


People using wireless notebooks connect to an AP --> WLC4402, EAP-PEAP MSCHAPv2.
NAC infrastructure is in use, single sign-on.
The ACS uses an Active Directory external identity store.

People who should be able to connect should be part of only 2 Active Directory groups, so I configured:

Active Directory store, specifying the 2 groups in the "Directory Groups" tab

Policy Elements -- Custom -- an External Group condition

Policy Elements -- Authorization Profile - a custom authorization profile to send a specific RADIUS attribute, let's call it AUTO

Access Policy -- Service Selection Rule - a rule to match RADIUS

Access Policy -- a policy where:

Identity - single result selection (the AD store)

Group mapping - a rule where I have a compound condition with the 2 external groups, and the result is an identity group, let's call it TEST

Authorization - where I have identity group TEST, result AUTO


Now, from tests, ALL people belonging to the Active Directory can connect, whereas I want to restrict access to only 2 groups of this AD.
Moreover, in the group mapping I don't see the hit count increasing.
Also, my authorization AUTO does not have a hit count, and I don't see the ACS sending that RADIUS attribute.


What am I missing/doing wrong?

Thanks

4 Replies

andrewswanson
Level 7

hello

try missing out the Group Mapping stage:

Access Policy -- a policy where:

Identity - single result selection (the AD store)

Authorization - a rule where I have a compound condition with the 2 external groups, and the result is AUTO

Cisco doc states:

"In ACS 5.2, external group memberships are attributes that can be used directly when you create the network access policy. Hence, you do not have to use group mapping. "

hth

andy
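The reply above collapses the policy to identity store plus an authorization rule conditioned directly on external group membership. The following is an added, constructed model of that policy shape (it is not Cisco code and does not talk to ACS or AD); it assumes the compound condition is an OR over the two groups, that only groups selected on the "Directory Groups" tab are retrieved for evaluation, and that a default rule fires when no explicit rule matches. The user names, group names and the "Permit Access"/"Deny Access" default results are constructed sample values. Hit counters are kept per rule, because those counters are the check that tells you whether a rule is being evaluated and matched at all.

```python
"""Constructed model of an ACS-style access policy (example only, not Cisco's code).

Identity lookup against a constructed AD, a "Directory Groups" selection,
one authorization rule with a compound (OR) condition over two external
groups, and a default rule. Hit counters show which rule actually fired.
"""
from dataclasses import dataclass

# Constructed AD directory: user -> group memberships (sample data).
AD_DIRECTORY = {
    "alice": frozenset({"Domain Users", "Wireless-Staff"}),
    "bob":   frozenset({"Domain Users"}),
    "carol": frozenset({"Domain Users", "Wireless-Contractors"}),
}

# The two groups that should be allowed onto the wireless network (constructed names).
ALLOWED_GROUPS = frozenset({"Wireless-Staff", "Wireless-Contractors"})


@dataclass
class Rule:
    name: str
    any_of_groups: frozenset   # compound condition, assumed to be an OR of the groups
    result: str                # authorization profile name, e.g. "AUTO"
    hits: int = 0

    def matches(self, user_groups):
        return bool(self.any_of_groups & user_groups)


@dataclass
class AccessPolicy:
    directory_groups: frozenset   # groups selected on the store's "Directory Groups" tab
    rules: list
    default_result: str           # what the default rule returns when nothing matches
    default_hits: int = 0

    def evaluate(self, user, directory):
        """Return the authorization result for one user and update hit counters."""
        groups = directory.get(user)
        if groups is None:
            return "Reject"       # user not found in the identity store
        # Assumption of this model: only groups selected on the Directory Groups
        # tab are retrieved, so any other membership is invisible to the rules.
        visible = groups & self.directory_groups
        for rule in self.rules:
            if rule.matches(visible):
                rule.hits += 1
                return rule.result
        self.default_hits += 1
        return self.default_result


def build_policy(directory_groups, default_result):
    """One authorization rule (the AUTO profile) plus a default rule."""
    rule = Rule("Wireless-Allowed", ALLOWED_GROUPS, "AUTO")
    return AccessPolicy(frozenset(directory_groups), [rule], default_result)


def run(directory_groups, default_result):
    """Evaluate every constructed user; return (results, AUTO-rule hits, default-rule hits)."""
    policy = build_policy(directory_groups, default_result)
    results = {u: policy.evaluate(u, AD_DIRECTORY) for u in AD_DIRECTORY}
    return results, policy.rules[0].hits, policy.default_hits


if __name__ == "__main__":
    # Groups selected, default permits: everyone gets on, but only alice and
    # carol hit the AUTO rule and would receive its RADIUS attribute.
    print(run(ALLOWED_GROUPS, "Permit Access"))
    # Groups selected, default denies: only alice and carol get on.
    print(run(ALLOWED_GROUPS, "Deny Access"))
    # The two groups not selected on the Directory Groups tab: the AUTO rule
    # never hits and the default rule decides for everyone.
    print(run(frozenset(), "Permit Access"))
```

The three runs separate two symptoms that look alike from the client side: a rule that matches but is shadowed by a permissive default (AUTO hit count rises, yet everyone connects), and a rule that never matches because the groups it tests are not visible to the policy (AUTO hit count stays at zero). Pairing the group rule with an explicit default deny is what turns "members of these two groups get AUTO" into "only members of these two groups get on".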

Thanks Andy for your reply,

I already tried without group mapping; I have the same issues.

I think this can be related to the user used to connect to the Active Directory, who is a simple user without the rights to add/delete computer objects in AD.

Can this be the reason for the incorrect behaviour?

Thanks

Andrea

Hi Andrea,

under Users and Identity Stores > External Identity Stores > Active Directory, your AD Connectivity Status should be CONNECTED and you should see your AD groups listed on the Directory Groups tab.

If the AD Connectivity Status is not connected, make sure you have an NTP server configured for the ACS (you do this from the command line, not the GUI). Any skew in time between ACS and AD can cause problems.

Last time I joined an ACS 5 to AD, I got the AD admins to prestage (manually add) the ACS in AD. The AD admins then supplied a service account that had delegated Create/Delete permissions for the OU that the ACS resided in.

hth

andy

The state of the AD server is connected; if not, the users should not be able to connect.

I'll follow your suggestions and I'll let you know.

Thanks

Andrea