01-10-2011 01:34 AM - edited 03-10-2019 05:42 PM
I want to authenticate WLAN users from ACS 5.0, and the ACS is integrated with AD. These users have accounts on the AD, but there are some PCs/laptops not joined to the domain, so can they authenticate without joining the PC or laptop to the domain, using the user account that is configured on AD, which is integrated with ACS?
If I have two ADs, one master and the other a backup, can I configure the backup AD?
Please advise ASAP.
01-10-2011 01:46 AM
Hi Ibrahim,
If you want to perform only user authentication through user accounts that are in AD, this should definitely be possible without having the PC joined to the AD domain (this would be used for machine authentication, so not your case).
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-10-2011 02:16 AM
Yes, they can authenticate unless you don't have MAR enabled on the ACS 5.0.
You may check this under Managing user and identity store >> Microsoft Active Directory >> MAR (this option shouldn't be checked).
Machine access restriction (MAR) >> ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time.
I would suggest you upgrade ACS to at least 5.1 because...
The following features are not supported in ACS 5.0:
•Integration with RSA server or RADIUS Token One Time Password (OTP) servers.
•Integration with SQL DB via ODBC, for external authentication and identity information.
•The following Extensible Authentication Protocol (EAP) methods are not supported:
–LEAP
–EAP-FAST/GTC
–EAP-FAST/TLS
–PEAP/GTC
–PEAP/TLS
•Support for locally significant external resources (ID stores, and so on) in a distributed deployment.
•RADIUS and TACACS+ Proxy.
•Terminal server access control (port-based TACACS+ access control).
•Complete TACACS+ support for device administration (password change, and so on).
•RADIUS Virtual Private Network (VPN) and RADIUS-based device administration (for shell access to CLI for third-party network devices).
•ACS administrator and internal user password policies.
•Application access control for CiscoWorks applications.
•CSUtil features.
•Network access restriction to users whose Windows accounts have Windows dial-in permission.
•IP Pools Server feature.
•Support for defining the maximum number of simultaneous sessions for a user or user group.
Regards
Jatin
~Do rate helpful posts.
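A simplified model of the MAR behavior described in the post above, added here as an illustration; it is not part of the original thread and is not ACS code. The class and function names, the use of a MAC address as the host identifier, the 12-hour aging time and the sample events are all assumptions made for the example.

```python
from datetime import datetime, timedelta

class MarCache:
    """Toy model of MAR: remembers when each host last passed machine authentication."""
    def __init__(self, aging_time, enabled=True):
        self.aging_time = aging_time
        self.enabled = enabled
        self._machine_auth = {}  # host id (assumed: MAC address) -> last machine auth time

    def machine_authenticated(self, host_id, when):
        self._machine_auth[host_id.lower()] = when

    def evaluate_user(self, host_id, ad_credentials_ok, when):
        """Return (allowed, reason) for a user authentication coming from host_id."""
        if not ad_credentials_ok:
            return False, "AD rejected the user credentials"
        if not self.enabled:
            return True, "MAR disabled: valid AD user credentials are sufficient"
        seen = self._machine_auth.get(host_id.lower())
        if seen is None:
            return False, "MAR: no machine authentication seen from this host"
        if when - seen > self.aging_time:
            return False, "MAR: machine authentication older than aging time"
        return True, "MAR: machine authentication within aging time"

def replay(events, aging_hours, enabled):
    """Feed events through the model; return (host, allowed, reason) per user attempt."""
    cache = MarCache(timedelta(hours=aging_hours), enabled)
    results = []
    for ts, kind, host, ok in events:
        when = datetime.fromisoformat(ts)
        if kind == "machine":
            if ok:
                cache.machine_authenticated(host, when)
        else:
            results.append((host, *cache.evaluate_user(host, ok, when)))
    return results

# Constructed sample events: (time, type, host id, credentials accepted by AD)
EVENTS = [
    ("2011-01-10T08:00:00", "machine", "00:11:22:33:44:55", True),  # domain-joined laptop
    ("2011-01-10T08:05:00", "user",    "00:11:22:33:44:55", True),  # user on that laptop
    ("2011-01-10T09:00:00", "user",    "66:77:88:99:AA:BB", True),  # laptop not in the domain
    ("2011-01-10T20:30:00", "user",    "00:11:22:33:44:55", True),  # 12.5 h after machine auth
]

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"MAR enabled={enabled}")
        for host, allowed, reason in replay(EVENTS, aging_hours=12, enabled=enabled):
            print(f"  {host}: {'PASS' if allowed else 'FAIL'} ({reason})")
```

With MAR enabled in this model, the user on the non-domain laptop fails even though the AD credentials are valid; with MAR disabled, all three user attempts pass.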
01-10-2011 05:10 AM
Thanks for the support.
How can we upgrade to 5.1, and how can we install the OS?
And for the WLAN solution, can anyone provide us a document explaining how we can configure it with ACS 5.1?
01-10-2011 05:53 AM
Hi Ibrahim,
This is the procedure to upgrade from ACS 5.0 to 5.1:
For configuring the authentication of wireless users on ACS 5.1, here are the main concepts explaining the ACS policy model:
Regards,
Fede