With Javier Henderson
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to install and configure the Cisco Secure Access Control System (ACS) with expert Javier Henderson.
The Cisco Secure ACS is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution.
Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.
Remember to use the rating system to let Javier know if you've received an adequate response.
Because of the volume expected during this event, Javier might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, AAA, Identity and NAC, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.
To configure ACS to use Windows AD credentials for administrative access to the GUI once ACS has been joined to an AD domain:
1) Go to System Administration -> Administrators -> Administrative Access Control
2) Click on Identity, then for Identity Source select "AD1"
3) Click on Save Changes
4) Click on Authorization
5) Create an authorization policy with the desired criteria to grant access and grant the desired role
Complete, step-by-step instructions are available in the following document:
How can we integrate ACS with RSA Authentication Manager for two-factor authentication?
How does the two-factor authentication work in this integration scenario?
Is there any other app, other than RSA, that we can integrate with ACS for two-factor authentication?
ACS supports the RSA product, in addition to other third-party products, as external user databases to provide two-factor authentication.
Details on the configuration steps can be found in the following document:
Please let me know if you have specific questions regarding ACS configuration once you have had a chance to read that document.
An AD account which is required for domain access in ACS should have either of the following:
• Add workstations to the domain user in the corresponding domain.
• Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).
Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
In terms of IPv6, are the ACS platform and protocols ready to receive IPv6 requests? It would be very nice if we could create a simple network scenario where we can authenticate a user on 802.1X using nothing but IPv6 connectivity.
I hope my question brings more people together and we can discuss further.
Thanks in advance for your answer.
My question is: in Cisco ACS 5.2 (VMware), if the SSH password is lost but I still have access to the web GUI, can I create or change an account from there to be able to SSH into the system?
It is not possible to change the password for the shell users from the GUI.
However, you can change the password on the virtual console by booting from the virtual CD using the installation ISO image; one of the options is to reset the admin user password.