03-24-2011 06:48 AM - edited 02-21-2020 10:26 AM
Hi all!
Does anybody have any detailed knowledge about Cisco ACS 5.1 and Windows AD interaction? I wonder why the Cisco ACS domain account must have permission to create/delete domain objects. This fact really surprised me, because to my mind Cisco ACS only reads the domain structure and does not make any changes.
03-25-2011 05:03 AM
Yes, the question was asked already multiple times. The developers confirmed that this is for ACS to create its own computer account when joining the domain.
You can work around it by pre-creating the ACS machine account on AD, but if for some reason (and it does happen from time to time) ACS leaves the domain and the machine account is deleted ... you have to redo it :-)
Regards,
Nicolas
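The pre-creation workaround from the reply above, as an added example (not code from the thread or from Cisco): create the ACS computer object in advance, then audit the OU ACL to confirm the ACS service account holds no create/delete rights there. The hostname, OU path and service account name are assumed values.

```powershell
# Added example, not from the original thread. Pre-create the ACS machine account
# so the ACS service account does not need create/delete rights on the OU, then
# audit the OU ACL to verify least privilege is actually in place.
Import-Module ActiveDirectory

# Assumed values: replace with your own.
$AcsHostName   = 'ACS01'                              # name ACS will join the domain with
$ComputersOu   = 'OU=NetworkServices,DC=lab,DC=net'   # OU that holds the ACS computer object
$AcsSvcAccount = 'LAB\svc-acs'                        # domain account ACS binds with

# 1. Pre-create the computer object (the workaround described in the thread).
#    Computer sAMAccountNames carry a trailing '$'.
if (-not (Get-ADComputer -Filter "Name -eq '$AcsHostName'" -SearchBase $ComputersOu)) {
    New-ADComputer -Name $AcsHostName `
                   -SamAccountName "$AcsHostName`$" `
                   -Path $ComputersOu `
                   -Description 'Cisco ACS appliance (pre-created computer account)' `
                   -Enabled $true
}

# 2. Audit: the service account should not be able to create or delete children
#    (computer objects) in this OU once the object exists.
$rightsOfConcern = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$acl = Get-Acl -Path "AD:\$ComputersOu"
$excess = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AcsSvcAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $rightsOfConcern) -ne 0)
}

if ($excess) {
    Write-Warning "$AcsSvcAccount still holds create/delete rights on $ComputersOu:"
    $excess | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType
} else {
    Write-Output "OK: $AcsSvcAccount has no create/delete rights on $ComputersOu"
}
```

Run as an AD administrator; the audit step relies on the AD: PSDrive that the ActiveDirectory module provides.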
03-28-2011 11:20 AM
The problem is - my customer does not understand the necessity of creating the account with administrative (or create/delete computer objects) rights. As I understand, if I integrate Cisco ACS and Windows AD using LDAP, the account for the ACS server can just be a user account in the domain. I think this is the best decision in my situation. At the moment I have two questions.
1) When integrating Cisco ACS and Windows AD using LDAP, will I be able to use RADIUS attributes? For example downloadable access lists for auth-proxy users or remote access users.
2) What can be the problem with adding LDAP groups to Cisco ACS? I cannot see any LDAP group in the Cisco ACS Directory Group tab.
My parameters are the following:
Subject Object Class: Person
Group Object Class: group
Subject Name Attribute: sAMAccountname
Group Name attribute: memberof
Subject Search Base: dc=lab, dc=net
Group Object Base: dc=lab, dc=net
Test bind to server: Bind test successful. Found 10 groups and 35 objects.
03-28-2011 10:39 PM
If you read my last message, it says "machine" account. ACS needs a user AND machine account on AD.
1) I'm not sure I understand your question, because there is no relation. It's on ACS that you determine what to send back (ACL or whatever), so any attribute you can retrieve on LDAP can be used to make policies, and depending on those policies you return what you want.
2) You need to type a group name that exists in LDAP and add it. This means you have to tell ACS which group you are going to use. ACS cannot make policies while showing you the list of groups on LDAP; you need to define first which groups out of the LDAP you will be using, and that selection is shown when you make policies.
Why use AD as LDAP anyway and not join ACS to the domain?