02-27-2014 08:00 AM - edited 03-10-2019 09:28 PM
Good Morning
I am trying to integrate Cisco ACS 5.4.0.46 with AD. I have successfully linked the ACS to AD and have successfully used AD for authentication of network devices; however, my problem now is that anyone with an AD account can log into the network devices, which compromises security. I have created a group in AD that I would like to use, and I have added the group under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. I've also selected the Identity source for Default Device Admin as AD1, and under Authorization I have an Authorization Policy that uses a compound condition based on AD1 and the custom group. However, after setting all that, I am still able to log onto the switch with a user who is not in the custom group. Based on what I've explained, can anyone tell me if I am missing a step?
Thank you
Derek Velez
Solved! Go to Solution.
02-28-2014 07:51 AM
Thanks for updating and closing the thread. The Default rule is by default set to deny access, so that if a legitimate user doesn't match any rule defined by the ACS administrator, he gets denied access. In your case it was set to Permit, so both types of users were getting access (members and non-members of the AD groups).
The best way to troubleshoot this kind of issue is to look at Monitoring and Troubleshooting > User attempt > Magnifying glass. There you will see how this user got permitted access.
~BR
Jatin Katyal
**Do rate helpful posts**
02-27-2014 10:27 PM
Hi Derek,
Could you please provide a screenshot of the compound condition you have created under Default Device Admin > Authorization.
Did you check the passed authentication attempt to verify what rule the user got assigned?
~BR
Jatin Katyal
**Do rate helpful posts**
02-28-2014 01:48 AM
Kindly check the following link for reference
02-28-2014 06:34 AM
Hi Jatin
Thank you for your response. I am not at liberty to disclose sensitive information however I will use a pseudo form to illustrate what you are asking.
Under Default Device Admin > Authorization
Status = Green
Name = Rule1
Compound Condition = AD-AD1:ExternalGroups contains any example.com/Groups/GroupName
Shell Profile = Example1
Command Sets = Example1
This is the general set up that I have with names replaced for confidentiality. Let me know if you need further information and I will see what I can provide without breaching confidentiality. Thank you.
Now Kashif your answer is the equivalent to "I don't know the answer to your question, but to sound smart I will tell you where to look for it." That doesn't help me at all since I have referenced that and several Youtube videos. I know where to look I just don't know based on the information provided what I am doing wrong.
UPDATE: I have figured out the problem. It seems the administrator who initially stood this up set a default parameter to "permit" access even if the rules don't apply. I flipped the switch to deny and voilà. So to those who are encountering this issue, please look at the very bottom of the list for "Default" and modify those settings.
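The behaviour described in this thread, modelled as an added illustration (not ACS code and not the posters' configuration): a first-match authorization policy with the thread's "contains any" compound condition on AD-AD1:ExternalGroups, evaluated once with the Default rule set to Permit Access and once with it set to Deny Access. The user names, group paths and result names are constructed sample values.

```python
# Added illustration of ACS-style first-match rule evaluation with a Default rule.
# This is a model of the logic the thread describes, not Cisco ACS code.
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample value mirroring the thread's pseudo configuration.
ADMIN_GROUP = "example.com/Groups/GroupName"


@dataclass
class Request:
    user: str
    external_groups: List[str]  # models the AD-AD1:ExternalGroups attribute


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: str  # shell profile / command set name, or an access decision


def contains_any(attr: List[str], wanted: List[str]) -> bool:
    """The 'contains any' operator: true if any wanted value is in the attribute."""
    return any(w in attr for w in wanted)


def evaluate(rules: List[Rule], default_result: str, req: Request) -> str:
    """First matching rule wins; when no rule matches, the Default rule applies."""
    for rule in rules:
        if rule.condition(req):
            return rule.result
    return default_result


# Rule1 from the thread: member of the custom AD group -> shell profile Example1.
RULES = [
    Rule("Rule1", lambda r: contains_any(r.external_groups, [ADMIN_GROUP]), "Example1"),
]


def authorize(req: Request, default_result: str = "DenyAccess") -> str:
    """Apply the policy; default_result is what the Default rule returns."""
    return evaluate(RULES, default_result, req)


if __name__ == "__main__":
    member = Request("alice", [ADMIN_GROUP, "example.com/Groups/Staff"])
    other = Request("bob", ["example.com/Groups/Staff"])
    # Misconfiguration from the thread: Default set to Permit Access lets bob in.
    print(authorize(member, "PermitAccess"), authorize(other, "PermitAccess"))
    # Corrected: Default set to Deny Access, so only group members get Example1.
    print(authorize(member), authorize(other))
```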