04-23-2015 08:10 AM - edited 03-10-2019 10:39 PM
I'm running ACS 5.5. I have end-users logging in from ASA VPN or Wireless LAN Controllers that hit ACS via RADIUS for authentication. ACS is joined to my Active Directory domain to actually authenticate/authorize the end-user connection.
Everything works great, but I want to restrict access to users who are in a specific AD OU. I can't use the Users and Identity Stores -> External Identity Stores -> Active Directory Groups solution because there isn't an AD group for "All users". I can't use "Domain Users" because that includes service accounts (which are NOT in the User OU). Service accounts are specifically what I'm trying to prohibit from VPN / Wireless access.
Creating an "All Users" AD group is going to be a long and somewhat painful process due to our IAM solution.
Any help would be greatly appreciated.
04-23-2015 12:35 PM
Create a security group called something like "ACS Users" and add the users you want access to this security group. Users can be a part of many security groups, so it will not break anything. Then you will select this group in your AD Groups in ACS.
If this works for you, do not forget to rate!
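One way to make the security-group approach workable when the OU is the real source of truth is to keep the group in sync with the OU by script rather than by hand. The following PowerShell is an added example, not code from the thread or from Cisco; it assumes the RSAT ActiveDirectory module, a domain account allowed to change group membership, and placeholder values for the OU path and group name. Because it also removes group members that are not in the OU, accounts that live elsewhere (such as service accounts) cannot keep VPN/wireless access through the group.

```powershell
# Added example (not from the thread): keep an AD security group in sync with the
# enabled user accounts under one OU, so ACS can authorize against the group while
# the OU stays the source of truth. OU path and group name are placeholders.
Import-Module ActiveDirectory

$OuPath    = 'OU=Users,DC=example,DC=com'   # placeholder: the "User OU" from the thread
$GroupName = 'ACS Users'                     # placeholder: the group selected in ACS
$DryRun    = $true                           # set to $false to apply the changes

# Enabled user accounts that live under the OU (Subtree also covers child OUs).
$ouUsers = Get-ADUser -SearchBase $OuPath -SearchScope Subtree -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty SamAccountName

# Current direct members of the group that are user objects.
$groupUsers = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Differences in both directions: OU users missing from the group, and group
# members that are not (or no longer) in the OU.
$toAdd    = @($ouUsers    | Where-Object { $groupUsers -notcontains $_ })
$toRemove = @($groupUsers | Where-Object { $ouUsers    -notcontains $_ })

Write-Host "In OU: $($ouUsers.Count)  In group: $($groupUsers.Count)  Add: $($toAdd.Count)  Remove: $($toRemove.Count)"

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf:$DryRun
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -WhatIf:$DryRun -Confirm:$false
}
```

Run it first with `$DryRun = $true` to see what would change, then schedule it (for example as a task on a management host) so the group tracks OU moves. With more than a few thousand members, `Get-ADGroupMember` can hit the Active Directory Web Services result limit (`MaxGroupOrMemberEntries`, 5000 by default); in that case enumerate members with `Get-ADUser -Filter` on the group's distinguished name via `memberOf` instead.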
04-23-2015 01:08 PM
Thank you for your fast response - but you failed to answer my specific question. I -know- I can create an AD group to be used by ACS for authentication. I want/need to use just an AD OU (organizational unit). I have 5000+ users and a fairly complex Identity Access Management solution. Adding everyone to an "All Users" AD group is far more difficult than just having ACS restrict access based on what OU the user's account is in. There has to be a way to do this!
03-30-2017 06:33 AM
Hi,
I am looking for a similar solution. Were you able to find something for yourself?
03-30-2017 12:03 PM
AFAIK, you have to use security groups.