832 Views · 0 Helpful · 1 Reply

ACS 5.2 authentication against Microsoft AD, TACACS authorization against internal identity group membership?

kjgorman
Level 1

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization.  Anybody ever accomplished that?

1 Reply

jrabinow
Level 7

I assume the same user definitions will exist both in AD and in the internal store.

If so, you can achieve this as follows:

- Define an identity sequence. Select the Password Based authentication method and select AD in the "Authentication and Attribute Retrieval Search List". Select "Internal Users" in the "Additional Attribute Retrieval Search List". You can also select the option "If internal user/host not found or disabled then exit sequence and treat as User Not Found" to ensure that only users defined in the internal store get access.

- Select the defined Identity Sequence as the result in the Identity Policy for the TACACS+ service.

This means that when a TACACS+ request is received, authentication will be performed against AD. If that succeeds, then attributes will be retrieved for the internal user and can be used in policy.
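The flow the reply describes, modelled as an added Python simulation (this is not ACS code and does not talk to AD; the user names, passwords, identity groups and the `GROUP_PRIVILEGE` mapping are constructed sample data). It shows the split the question is after: the password is only ever checked against the "AD" store, while the TACACS+ privilege level comes solely from the internal identity group. The `fail_closed` flag stands in for the "if internal user/host not found or disabled then exit sequence and treat as User Not Found" option, so the two edge cases worth testing are a user who exists in AD but not in the internal store, and an internal user who is disabled:

```python
"""Simulation of an ACS 5.2-style identity sequence: authenticate against one
store (AD), retrieve authorization attributes from another (Internal Users).
Added example; all stores and users below are constructed, not real data."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class InternalUser:
    identity_group: str
    enabled: bool = True

# Constructed "AD" store: the only place passwords are checked.
AD_USERS = {"alice": "Wint3r!", "bob": "Summ3r!", "carol": "Autumn!"}

# Constructed "Internal Users" store: holds identity-group membership only.
# carol deliberately exists in AD but not here; bob is present but disabled.
INTERNAL_USERS = {
    "alice": InternalUser("NetAdmins"),
    "bob": InternalUser("NetOps", enabled=False),
}

# Hypothetical authorization policy: internal identity group -> TACACS+ shell privilege.
GROUP_PRIVILEGE = {"NetAdmins": 15, "NetOps": 1}


def ad_authenticate(user: str, password: str) -> bool:
    """Stands in for the AD bind ACS would perform; plain comparison for the model."""
    stored = AD_USERS.get(user)
    return stored is not None and stored == password


def identity_sequence(user: str, password: str,
                      fail_closed: bool = True) -> Tuple[str, Optional[str]]:
    """Return (result, identity_group); result is PASS, FAIL or USER_NOT_FOUND.

    fail_closed models the option "if internal user/host not found or disabled
    then exit sequence and treat as User Not Found".
    """
    if not ad_authenticate(user, password):
        return ("FAIL", None)                 # AD rejected the credentials
    internal = INTERNAL_USERS.get(user)
    if internal is None or not internal.enabled:
        if fail_closed:
            return ("USER_NOT_FOUND", None)   # AD-only user is denied outright
        return ("PASS", None)                 # authenticated, but no attributes
    return ("PASS", internal.identity_group)


def tacacs_authorize(user: str, password: str,
                     fail_closed: bool = True) -> Optional[int]:
    """Privilege level granted for a TACACS+ request, or None when access is denied."""
    result, group = identity_sequence(user, password, fail_closed)
    if result != "PASS":
        return None
    # No internal group (or a group with no policy rule) yields no privilege.
    return GROUP_PRIVILEGE.get(group) if group is not None else None


if __name__ == "__main__":
    for name, pw in [("alice", "Wint3r!"), ("alice", "nope"),
                     ("bob", "Summ3r!"), ("carol", "Autumn!")]:
        print(name, identity_sequence(name, pw), "-> priv", tacacs_authorize(name, pw))
```

With `fail_closed=True` (the option the reply recommends), carol authenticates in AD yet gets no TACACS+ access because she has no internal record; with the option off she passes authentication but still receives no privilege because no identity group is retrieved, which is the behaviour to verify before relying on the internal store as the authorization gate.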