
ACS end-user authentication to Active Directory OU


I'm running ACS 5.5.  I have end-users logging in from ASA VPN or Wireless LAN Controllers that hit ACS via RADIUS for authentication. ACS is joined to my Active Directory domain to actually authenticate/authorize the end-user connection.

Everything works great, but I want to restrict access to users who are in a specific AD OU.  I can't use the Users and Identity Stores -> External Identity Stores -> Active Directory Groups solution because there isn't an AD group for "All users".  I can't use "Domain Users" because that includes service accounts (which are NOT in the User OU).  Service accounts are specifically what I'm trying to prohibit from VPN / Wireless access.

Creating an "All Users" AD group is going to be a long and somewhat painful process due to our IAM solution.

Any help would be greatly appreciated.


Create a security group called something like "ACS Users" and add the users you want access to this security group.  Users can be a part of many security groups, so it will not break anything.  Then you will select this group in your AD Groups in ACS.


If this works for you, do not forget to rate!
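One way to keep the workaround above manageable, as an added example that is not part of this thread: a PowerShell script run on a schedule that populates the "ACS Users" security group from the accounts that live under the users OU and drops members that have left it. The OU distinguished name and group name are placeholders; it assumes the RSAT ActiveDirectory module and an account allowed to edit group membership.

```powershell
# Added example (not from the thread): mirror the users OU into the security
# group ACS matches on, so membership follows the OU without manual edits.
Import-Module ActiveDirectory

$UserOu    = 'OU=Users,DC=example,DC=com'   # placeholder: OU whose accounts ACS should trust
$GroupName = 'ACS Users'                    # placeholder: group selected under AD Groups in ACS

# Enabled accounts under the OU (subtree). Service accounts kept outside this
# OU, as in the original post, never become members.
$wanted = Get-ADUser -SearchBase $UserOu -SearchScope Subtree -Filter 'Enabled -eq $true' |
          Select-Object -ExpandProperty SamAccountName

# Current user members of the group (ignore nested groups/computers).
$current = Get-ADGroupMember -Identity $GroupName |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty SamAccountName

$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

Write-Host "Synced '$GroupName': added $($toAdd.Count), removed $($toRemove.Count)"
```

Run it as a scheduled task with a `-WhatIf` on the two membership cmdlets first to review the change set before letting it write to AD.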

Thank you for your fast response - but you failed to answer my specific question.  I -know- I can create an AD group to be used by ACS for authentication.  I want/need to use just an AD OU (organizational unit).  I have 5000+ users and a fairly complex Identity Access Management solution.  Adding everyone to an "All Users" AD group is far more difficult than just having ACS restrict access based on what OU the user's account is in.  There has to be a way to do this!

Hi Clausonna,

I am looking for a similar solution. Were you able to find something for yourself?

AFAIK, you have to use security groups.