08-06-2014 10:38 AM - edited 03-10-2019 09:55 PM
I am working on setting up a new ACS 5.5 server and we are trying to move to having Active Directory be our authentication/identity portion of our device management.
I have noticed that the only choice under "Access Policies/Access Services/Default Device Admin/Identity" is AD1; I cannot pick the AD groups I have already set up.
I can choose my AD groups under the "Authorization" rules. This is where the enable password comes in as far as I can tell.
This is causing me a big problem: when I log in to my test router, as long as I use any (active) AD account I can log in to my router with only level 1 access, because as far as identity checks go my AD account has a good username and password. I then have to go into Enable mode and enter my AD password again to get level 15 access. This to me is a big security issue.
My concern is that I don't want any AD user able to even pass the initial Login and password unless you are part of a certain AD group. From what I can see this isn't possible.
Any suggestions on how I can solve this?
08-06-2014 11:17 PM
Hi,
I guess ACS is joined and connected to AD.
First of all you need to select the groups under Users and Identity Stores/External Identity Stores/Active Directory.
Then go to Access Policies/Access Services/Default Network Access/Authorization.
Click "customize" and select "Compound Conditions".
Click Create to generate a new Rule.
Select Compound Conditions.
Dictionary = AD-AD1
Attribute = External Groups
Operator = contains all
Value = Click Select and you will see all Groups, which are in AD
Regards, Horst
08-07-2014 04:16 AM
That's already been done. AD works fine. The issue is that any user with a good username and password can still log in to my router using an AD account. They shouldn't be able to do that at all.
08-07-2014 01:54 AM
Use this page to select groups that can then be available for policy conditions.
Note: To select groups and attributes from an AD, ACS must be connected to that AD.
Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and can be available as options in group mapping conditions in rule tables.
If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results. You can also add a new AD group using the Add button.
Note: ACS 5.5 does not retrieve domain local groups. It is not recommended to use domain local groups in ACS policies. The reason is that the membership evaluation in domain local groups can be time consuming. So, by default, the domain local groups are not evaluated.
Step 2 Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).
The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest.
If you have more groups that are not displayed, use the search filter to refine your search and click Go.
Step 3 Enter the AD groups or select them from the list, then click OK.
To remove an AD group from the list, click an AD group, then click Deselect.
Step 4 Click:
08-07-2014 04:20 AM
Again, the issue is not that AD integrations are not working. AD is working fine and I can add groups and use them as the conditional statement in my Authorization rule set.
The issue is that even with that rule properly set, any user who is or is not in the group I have assigned can still telnet into a router using an AD username and password. They just cannot get past level 1 access.
I don't want this to happen at all. They should get a login failure.
The only people who should be allowed to login are people who are in the AD group I have defined as allowed to login.
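The behaviour described in this thread (any valid AD account passes the identity stage, and the External Groups "contains all" rule from Horst's reply only governs what shell profile is granted) can be modelled in a few lines. This is an added illustration, not Cisco ACS code or anything posted in the thread; the AD1 entries, group DNs, profile names and the assumption that the authorization policy's default rule can be set to deny are constructed for the example.

```python
# Simplified model of the two-stage ACS device-admin flow discussed in the thread:
# (1) identity check against the AD store, (2) authorization rules evaluated
# top-down over the user's AD groups, falling back to a default rule.
# Constructed example, not Cisco ACS code; names and default-rule semantics are assumptions.
from dataclasses import dataclass

# Constructed stand-in for the AD1 identity store: username -> (password, external groups)
AD1 = {
    "alice": ("Pa55w0rd", {"CN=NetAdmins,DC=example,DC=local"}),
    "bob": ("Hunter2!", {"CN=Staff,DC=example,DC=local"}),
}

@dataclass
class Rule:
    # Compound condition: Dictionary AD-AD1 / Attribute External Groups / Operator contains all
    required_groups: set
    result: str  # shell profile name, or "DenyAccess"

@dataclass
class AuthzPolicy:
    rules: list
    default_result: str  # what the policy's Default rule returns when no rule matches

def authenticate(username, password):
    """Identity stage: any valid AD account passes, regardless of group membership."""
    entry = AD1.get(username)
    return entry is not None and entry[0] == password

def authorize(policy, username):
    """Authorization stage: first rule whose 'contains all' condition matches wins."""
    groups = AD1[username][1]
    for rule in policy.rules:
        if rule.required_groups <= groups:  # 'contains all' semantics
            return rule.result
    return policy.default_result

def login(policy, username, password):
    """Return the shell profile granted, or 'DenyAccess'."""
    if not authenticate(username, password):
        return "DenyAccess"
    return authorize(policy, username)

ADMINS = {"CN=NetAdmins,DC=example,DC=local"}
# Policy as the original poster describes it: the only group rule grants priv 15,
# and everything else falls through to a default that still permits a level-1 shell.
PERMISSIVE = AuthzPolicy([Rule(ADMINS, "Priv15")], default_result="Priv1")
# Same group rule, but the Default rule denies, so non-members fail at login.
STRICT = AuthzPolicy([Rule(ADMINS, "Priv15")], default_result="DenyAccess")
```

Running `login(PERMISSIVE, "bob", "Hunter2!")` reproduces the level-1 login the poster complains about, while `login(STRICT, "bob", "Hunter2!")` returns `DenyAccess` because the fall-through rule, not the identity store, decides whether a non-member gets a shell.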
08-07-2014 05:29 AM