Cisco ACS 5.3 connect to multiple identity stores / external database?

Hi There

I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.

My question here is can Cisco Secure ACS 5.3 integrate with "multiple" Windows AD, LDAP, RSA Server etc.? If yes, is there a Cisco document stating this? The keyword here is multiple. Please kindly assist.

Warm regards,
Ramraj Sivagnanam Sivajanam
3 Accepted Solutions

Eduardo Aliaga
Level 4

You can only authenticate against one Active Directory Domain. If you have users of multiple domains, then the domain you configure in ISE must trust the other domains.

On the other hand, if you use plain LDAP then it does support multiple LDAP servers.

Hope it helps


Hi,

ACS 5.4 is coming out soon, that is going to allow you to join multiple AD domains.

Here is the current documentation:

Multiple LDAP instances -

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1053126

RSA only supported in one realm -

ACS 5.3 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS instances.

Thanks,

Tarik Admani
*Please rate helpful posts*


Here are the links. Please rate if it helps

Multiple LDAP Instances

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1118244

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wpmkr1896135

You can create more than one LDAP instance in ISE. By creating more than one LDAP instance with different IP addresses or port settings, you can configure ISE to authenticate by using different LDAP servers or different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ISE LDAP identity source instance.

Support for Multidomain Forests

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1079999

ISE supports multidomain forests. ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which ISE is connected and the other domains.


4 Replies


External Identity Stores

Key changes in ACS 5.3:

ACS 5.3 joins Active Directory (AD) directly and does not rely on a domain-joined Windows Server. ACS Remote Agent is not required.

ODBC databases are not supported in ACS 5.3, but other identity stores are supported including LDAP directories and one-time password servers.

ACS 5.3 adds RADIUS Identity Store for RADIUS-based one-time passwords servers and for RADIUS proxy where proxy response attributes are required for access policy.

ACS 5.3 adds the ability for AD and LDAP user attributes to be used in addition to user group membership, in access policy.

Identity store lists, provided by the unknown user policy in ACS 3.x and 4.x, are configured using identity store sequences in ACS 5.3. There is no concept of a dynamic user in ACS 5.3.

The External Identity Store configuration is similar to the External User Databases in ACS 3.x and 4.x. In ACS 5.3, external identity stores are configured and ACS communicates with them for authentication and authorization.

For Active Directory, ACS 5.3 joins an AD domain, rather than leveraging the underlying Windows operating system similar to ACS 3.x and 4.x. ACS 5.3 relies on trust relationships between its domain and other domains to perform cross-domain authentication as in ACS 3.x and 4.x.

You must enter the username and password credentials in the ACS 5.3 configuration for ACS to join and communicate with the AD domain. The credentials must have sufficient permissions to create a computer object. If a user's AD group membership and attribute information is required for access policy, they must first be selected in the AD configuration.

LDAP directory configuration is similar to ACS 3.x and 4.x. Multiple LDAP directories can be defined in ACS 5.3 similar to ACS 3.x and 4.x. The LDAP directory configuration allows you to select groups and attributes for use in the access policy.

For one-time password authentication, ACS 5.3 supports the RSA SecurID native interface by configuring RSA SecurID Token Servers. For non-RSA one-time password servers, RADIUS interaction can be configured using the RADIUS Identity Server option.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/guide/Migration_Configure.html

Warm regards,
Ramraj Sivagnanam Sivajanam
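To make the identity store sequence behaviour described in the migration notes concrete, here is an added example (not Cisco's code, and not a description of how ACS evaluates sequences internally) that models one sequence containing an AD domain, two LDAP instances on different servers, and an RSA realm. The store names, hosts, ports, sample users and the continue/stop rules are assumptions chosen for illustration: the model advances to the next store only when a user is not found, and stops (fails closed) as soon as a store that knows the user rejects the credentials, so a stale copy of an account in a later store cannot override the decision of the authoritative one.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    """Outcome of one identity-store lookup (assumed categories)."""
    OK = "accepted"
    NOT_FOUND = "user-not-found"
    AUTH_FAILED = "bad-credentials"
    UNREACHABLE = "store-unreachable"


@dataclass
class IdentityStore:
    """Hypothetical model of one external identity store (AD, LDAP or RSA).

    `host`/`port` stand in for the per-instance server settings that let
    several LDAP instances coexist; `users` is constructed sample data
    mapping username -> password (or token code for the RSA store).
    """
    name: str
    kind: str
    host: str
    port: int
    users: dict
    reachable: bool = True

    def authenticate(self, username: str, password: str) -> Result:
        if not self.reachable:
            return Result.UNREACHABLE
        if username not in self.users:
            return Result.NOT_FOUND
        return Result.OK if self.users[username] == password else Result.AUTH_FAILED


def authenticate_via_sequence(sequence, username, password,
                              continue_on_unreachable=False):
    """Walk an identity store sequence in order.

    Rules modelled here (assumptions, not ACS internals):
      * NOT_FOUND   -> try the next store in the sequence
      * AUTH_FAILED -> stop immediately and reject (fail closed); a user
                       known to a store must not fall through to a later
                       store that may hold a stale copy of the account
      * UNREACHABLE -> reject unless continue_on_unreachable is set
    Returns (accepted, name_of_store_that_decided, trace_lines).
    """
    trace = []
    for store in sequence:
        result = store.authenticate(username, password)
        trace.append(f"{store.name} [{store.kind} {store.host}:{store.port}] -> {result.value}")
        if result is Result.OK:
            return True, store.name, trace
        if result is Result.AUTH_FAILED:
            return False, store.name, trace
        if result is Result.UNREACHABLE and not continue_on_unreachable:
            return False, store.name, trace
        # NOT_FOUND (or tolerated UNREACHABLE): continue with the next store
    return False, None, trace


# Constructed sample stores: one AD domain, two LDAP instances on different
# servers, one RSA realm. "carol" exists in AD and in a stale LDAP entry.
AD_CORP = IdentityStore("AD-corp", "AD", "dc1.corp.example", 389,
                        {"alice": "alice-pw", "carol": "carol-current-pw"})
LDAP_HQ = IdentityStore("LDAP-hq", "LDAP", "ldap-hq.example", 636,
                        {"bob": "bob-pw"})
LDAP_BRANCH = IdentityStore("LDAP-branch", "LDAP", "ldap-branch.example", 636,
                            {"carol": "carol-old-pw", "erin": "erin-pw"})
RSA_REALM = IdentityStore("RSA-realm", "RSA", "rsa-am.example", 5500,
                          {"frank": "123456"})

SEQUENCE = [AD_CORP, LDAP_HQ, LDAP_BRANCH, RSA_REALM]


if __name__ == "__main__":
    for user, secret in [("alice", "alice-pw"), ("erin", "erin-pw"),
                         ("carol", "carol-old-pw"), ("zed", "x")]:
        accepted, decided_by, trace = authenticate_via_sequence(SEQUENCE, user, secret)
        print(f"{user}: accepted={accepted} decided_by={decided_by}")
        for line in trace:
            print("   ", line)
```

The "carol" case is the one worth watching in a real deployment: her current password is in AD, but an old one survives in a branch LDAP directory later in the sequence. Because the model stops at the first store that recognises the user, the stale LDAP password is never consulted; a sequence that advanced on every failure would silently accept it.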

