ACS authentication against AD

bberry
Level 1

I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed meaning ACS is in and operational and I have it joined to my domain. I am now to the point of selecting my AD groups and Attributes within those groups. I know very little about AD so that may be part of my confusion.

First off, I gather that I need to specify a specific group to get the actual user name / password authentication process to work? I loaded the Windows Active Directory Editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also think that if my domain is 123.abc.corp, I need to use DC=123,DC=abc,DC=corp and then pick the correct CN that I need?

I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication, so I figure we need, say, a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group, or are there any specific or recommended fields I need to have with this group?

Secondly, we also want to use ACS for Dot1.x authentication on our Cisco switches, but we need VLAN information tied to the user. My question here is: is this something that we can add as a field to the user information, or is it better to add it as a field in another group?

I am looking for configuration examples but wanted to also make sure that I am following best practices so any assistance is appreciated.

brent

1 Reply

Jatin Katyal
Cisco Employee


If you have a single domain then you don't need to specify the domain name; just click on the 'Select' button under Directory Groups to fetch/retrieve the AD groups and then add them.


Use this page to select groups that can then be available for policy conditions.

Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.

For more information, you may visit the URL listed below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999

Once you are done, go to the access policy >> in the bottom right corner you will see a "Customize" tab; click on it and move the attribute AD1:ExternalGroups to the right-hand side >> click OK >> create a new authorization policy and select the group you fetched in the Directory Groups under the AD configuration.



In order to do dynamic VLAN assignment on ACS 5.1, you do the following:

1. Policy Elements >> Authorization and Permissions >> Network Access >> Authorization Profiles >> Create >> give it a name, for example "switch".
2. Common Tasks >> click on VLAN ID/Name >> select Static >> give the VLAN number >> click Submit.
3. Go to Access Policies >> under Default Network Access click on Authorization >> Create >> give the rule a name like "vlan assignment for SWITCH".
4. Click on AD1:ExternalGroups >> Contains any >> Select >> choose the appropriate AD group >> click OK.
5. Click Select for Authorization Profiles >> choose the profile that was previously created, called "switch" >> click OK.
6. Now the VLAN of the "switch" profile is assigned to the AD group >> click OK.



HTH

Regds,  Jatin



Do rate helpful posts~

~Jatin
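To make the policy logic in the reply concrete, here is an added example (not code from the thread, from Cisco, or from ACS itself) that models what the GUI steps build: a naming-context DN derived from the domain name, an ordered list of authorization rules of the form "AD1:ExternalGroups contains any &lt;groups&gt; -> authorization profile", and the RADIUS attributes a static-VLAN profile results in. The Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID values follow RFC 3580 (IEEE 802.1X RADIUS usage) rather than anything stated on the page; the group, rule and profile names are constructed for the example, and the "domain/container/group" group format is an assumption about how ACS displays fetched AD groups.

```python
"""Constructed model of the ACS 5.1 group-based authorization described in the
reply. Not ACS code; attribute numbers are the RFC 3580 dynamic-VLAN values."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment over 802.1X.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain name into the LDAP naming context (DC=...) form."""
    labels = [p for p in domain.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={p}" for p in labels)


@dataclass(frozen=True)
class AuthorizationProfile:
    name: str
    vlan: Optional[str] = None   # static VLAN number or name; None = no VLAN task

    def radius_attributes(self) -> Dict[str, Union[int, str]]:
        """RADIUS attributes the profile results in (empty if no VLAN task)."""
        if self.vlan is None:
            return {}
        # A numeric VLAN ID must be a valid 802.1Q ID; names are passed through.
        if self.vlan.isdigit() and not 1 <= int(self.vlan) <= 4094:
            raise ValueError(f"VLAN {self.vlan} outside 1-4094")
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": self.vlan,
        }


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]        # condition: AD1:ExternalGroups contains ANY of these
    profile: AuthorizationProfile


def _norm(group: str) -> str:
    # AD group names are not case-sensitive; compare a canonical form.
    return group.strip().lower()


def authorize(user_groups: Iterable[str],
              rules: List[Rule]) -> Optional[Tuple[str, Dict[str, Union[int, str]]]]:
    """First-match evaluation, top to bottom, like an ACS authorization policy.

    Returns (rule name, RADIUS attributes) for the first rule whose group set
    intersects the user's groups, or None when nothing matches (the caller
    should treat that as no authorization rather than fall through to a VLAN).
    """
    have = {_norm(g) for g in user_groups}
    for rule in rules:
        if have & {_norm(g) for g in rule.groups}:
            return rule.name, rule.profile.radius_attributes()
    return None


# Constructed sample policy matching the names used in the reply.
RULES = [
    Rule("vlan assignment for SWITCH",
         frozenset({"123.abc.corp/Users/Switch-Users"}),
         AuthorizationProfile("switch", vlan="20")),
    Rule("vpn users",
         frozenset({"123.abc.corp/Users/VPN-Users"}),
         AuthorizationProfile("vpn")),          # authorize, no VLAN pushed
]


if __name__ == "__main__":
    print(domain_to_base_dn("123.abc.corp"))
    print(authorize(["123.abc.corp/Users/Domain Users",
                     "123.abc.corp/Users/Switch-Users"], RULES))
    print(authorize(["123.abc.corp/Users/Domain Users"], RULES))
```

The point worth noticing is the last case: a user who is only in "Domain Users" matches no rule and gets no VLAN, which is what you want from a dot1x policy. If a rule were written against a broad group such as "Domain Users", every domain account would land in the switch VLAN, so the group chosen in step 4 of the reply is what actually bounds the access.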