acs 5.1 and external (AD) database

ighoisgreat
Level 1

Good day all,

I have configured the acs box properly with all the command sets, shell profiles and authorization rules. Local authorization works well but I am now trying to use the AD to authenticate. I have joined the domain.

When I try to log into the devices now, it does not work using my domain user IDs, but when I specify the following

condition - AD1:UserPrincipalName, shell profile and assign a command set, it works. My problem is that I don't want to create a rule per user (as is required if I use condition - AD1:UserPrincipalName), neither do I want to apply the rule to the groups in AD.

Can I map the AD groups to the local groups?

OR

Can I apply the rule using the object AD1:memberOf with the "CONTAIN" option? When I try this, it does not work (i.e. AD1:memberOf : contain (CN=marketing)).

Is there any documentation that clearly explains the steps for configuring an external database?

I have looked at most Cisco documentation on this, but I don't mind; I would still go through any one you recommend.

Regards to all.

Thanks a lot.

4 Replies

burnsidestev
Level 1

I think I understand your question.

If you have the users defined in a group in AD, you can map that group in ACS and then use it in an Authorization profile.

For example, specific users we want to allow to connect through our access points.

Under External Identity Store -> Active Directory, on the 2nd tab (Directory Groups) choose Select. Then you can search for the group you want to be able to map to.

Under Access Policies, choose the appropriate Access service policy. Set the Identity to AD. Under authorization, click the Customize button and add AD:External Groups. Now when you create the rule, you can have it Permit Access for the specific group. Change the "default" for the Authorization to deny all. That will allow people matching that rule access and deny others that meet just the AD member requirement.

Thank you so much for your reply. I have tried this but it does not work.

This is what I did :

I followed your steps and selected both AD1:External Groups and AD1:member when I customized the authorization menu. The issue is that my organisation did not group each user by department but rather by some other methods, so you could have a user in one department in a different AD group. But in the Attribute tab of the External user database, I have selected the "member of" option so I could use this, as all users are well grouped here.

When configuring access policies, I try to use this field. I choose the "AD1:memberOf" attribute, select the "contain" option and fill the space with something like this

network team

exactly the way it is in AD.

When I try to authenticate, it does not work.

When I select the AD1:userPrincipalName attribute and fill in the name, it works and applies the exact policies.

any ideas?

thanks a lot.
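One thing worth checking before relying on a memberOf condition is what the attribute actually holds on the user object. In AD, memberOf is a list of full group distinguished names (for example CN=Network Team,OU=Groups,DC=example,DC=com), and DN comparison in AD is case-insensitive, so a value typed by hand may not line up with the stored string. The thread does not document how the ACS "contain" operator compares values, so the script below does not try to reproduce it; it is an added example (not from this thread or from Cisco) that takes a constructed memberOf list, parses each DN into its RDNs, and matches a group either by its CN or by full DN, alongside a plain substring test for contrast. The sample data and the function names are assumptions; a real check would read memberOf from the user object with an LDAP query.

```python
"""Inspect a user's memberOf values and test group membership.

Added example with constructed data. memberOf holds full group DNs,
so a bare name like "network team" has to be compared against the CN
of each DN (case-insensitively), not the whole string.
"""
import re

# Constructed sample of what a user object's memberOf attribute can hold.
SAMPLE_MEMBER_OF = [
    "CN=Network Team,OU=Groups,OU=Corp,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Marketing,OU=Groups,OU=Corp,DC=example,DC=com",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, one per RDN.

    Commas escaped with a backslash (e.g. "CN=Smith\\, John") stay inside
    the value. Attributes and values are lower-cased because AD compares
    DNs case-insensitively.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(),
                     value.replace('\\,', ',').strip().lower()))
    return rdns


def group_cn(dn):
    """Return the group's name: the value of the leading CN RDN, or None."""
    attr, value = parse_dn(dn)[0]
    return value if attr == 'cn' else None


def is_member_by_name(member_of, group_name):
    """True if some memberOf DN has exactly this CN (case-insensitive)."""
    return any(group_cn(dn) == group_name.strip().lower() for dn in member_of)


def is_member_by_dn(member_of, group_dn):
    """True if the full DN is present, compared RDN by RDN so that
    differences in case or spacing around commas do not matter."""
    target = parse_dn(group_dn)
    return any(parse_dn(dn) == target for dn in member_of)


def naive_contains(member_of, text):
    """Raw substring test, shown only to contrast with RDN matching."""
    return any(text in dn for dn in member_of)


if __name__ == "__main__":
    for dn in SAMPLE_MEMBER_OF:
        print(f"{group_cn(dn)!r:20} <- {dn}")
    print("by name 'network team':", is_member_by_name(SAMPLE_MEMBER_OF, "network team"))
    print("substring 'network team':", naive_contains(SAMPLE_MEMBER_OF, "network team"))
    print("by DN (different case):",
          is_member_by_dn(SAMPLE_MEMBER_OF, "cn=marketing, ou=groups, ou=corp, dc=example, dc=com"))
```

Running it shows that the lower-case string "network team" is not a substring of any stored DN (the stored CN is "Network Team"), while the RDN-based match finds the group regardless of case. The practical takeaway is to dump the real memberOf values for a test user and match on the group as AD stores it rather than on free text.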

When you set up Active Directory under External Identity Stores, did you go to the Directory Groups tab and add your AD OUs?

Like the your.domain.com/Builtin/Users group?

I don't think you are supposed to type in anything manually when setting up Authorization in the policies, all should be selected from lists.

Yes, as Dal said, you map them in the same identity store area where you added AD:

Under External Identity Store -> Active Directory, on the 2nd tab (Directory Groups) choose Select. Then you can search for the group you want to be able to map to.

Then in the Authorization profile, you only need to customize and add AD:external groups.

In the rule, you put a check mark in that selection and use the Select button to choose the mapped group.