08-16-2012 10:16 PM - edited 03-10-2019 07:26 PM
Hi There
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.
My question here is: can Cisco Secure ACS 5.3 integrate with "multiple" Windows AD, LDAP, RSA servers, etc.? If yes, is there a Cisco document stating this? The keyword here is multiple. Please kindly assist.
08-16-2012 10:39 PM
You can only authenticate against one Active Directory Domain. If you have users of multiple domains, then the domain you configure in ISE must trust the other domains.
On the other hand, if you use plain LDAP then it does support multiple LDAP servers.
Hope it helps
08-16-2012 10:53 PM
Hi,
ACS 5.4 is coming out soon, that is going to allow you to join multiple AD domains.
Here is the current documentation:
multiple ldap instances -
RSA only supported in one realm -
ACS 5.3 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS instances.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 10:54 PM
Here are the links. Please rate if it helps
Multiple LDAP Instances
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1118244
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wpmkr1896135
You can create more than one LDAP instance in ISE. By creating more than one LDAP instance with different IP addresses or port settings, you can configure ISE to authenticate by using different LDAP servers or different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ISE LDAP identity source instance.
Support for Multidomain Forests
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1079999
ISE supports multidomain forests. ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which ISE is connected and the other domains.
08-16-2012 10:46 PM
External Identity Stores
Key changes in ACS 5.3:
• ACS 5.3 joins Active Directory (AD) directly and does not rely on a domain-joined Windows Server. ACS Remote Agent is not required.
• ODBC databases are not supported in ACS 5.3, but other identity stores are supported including LDAP directories and one-time password servers.
• ACS 5.3 adds RADIUS Identity Store for RADIUS-based one-time password servers and for RADIUS proxy where proxy response attributes are required for access policy.
• ACS 5.3 adds the ability for AD and LDAP user attributes to be used, in addition to user group membership, in access policy.
• Identity store lists, provided by the unknown user policy in ACS 3.x and 4.x, are configured using identity store sequences in ACS 5.3. There is no concept of a dynamic user in ACS 5.3.
The External Identity Store configuration is similar to the External User Databases in ACS 3.x and 4.x. In ACS 5.3, external identity stores are configured and ACS communicates with them for authentication and authorization.
For Active Directory, ACS 5.3 joins an AD domain, rather than leveraging the underlying Windows operating system similar to ACS 3.x and 4.x. ACS 5.3 relies on trust relationships between its domain and other domains to perform cross-domain authentication as in ACS 3.x and 4.x.
You must enter the username and password credentials in the ACS 5.3 configuration for ACS to join and communicate with the AD domain. The credentials must have sufficient permissions to create a computer object. If a user's AD group membership and attribute information is required for access policy, they must first be selected in the AD configuration.
LDAP directory configuration is similar to ACS 3.x and 4.x. Multiple LDAP directories can be defined in ACS 5.3 similar to ACS 3.x and 4.x. The LDAP directory configuration allows you to select groups and attributes for use in the access policy.
For one-time password authentication, ACS 5.3 supports the RSA SecurID native interface by configuring RSA SecurID Token Servers. For non-RSA one-time password servers, RADIUS interaction can be configured using the RADIUS Identity Server option.
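The thread describes three behaviours that are easy to confuse: a single joined AD domain that reaches other domains only through trusts, multiple LDAP instances each made of a primary and secondary server, and identity store sequences that try stores in order. The following Python model, added here as an illustration and not Cisco's code or the ACS implementation, ties those together so a reader can see which store answers for which user. All store names, users and passwords are constructed, and treating an unreachable store as "move on to the next one" is a modelling choice for this example, not a statement about how ACS handles that case.

```python
"""Hypothetical model of an ACS-style identity store sequence (example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outcomes a store can report for one authentication attempt
OK = "ok"                    # user found and password accepted
BAD_PASSWORD = "bad_password"  # user found, password rejected: definitive, stop here
NOT_FOUND = "not_found"      # user unknown to this store: the sequence moves on
UNREACHABLE = "unreachable"  # server down (modelled as "try the next server/store")


@dataclass
class Directory:
    """One directory endpoint (an AD domain or a single LDAP server) with constructed users."""
    name: str
    users: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return UNREACHABLE
        if user not in self.users:
            return NOT_FOUND
        return OK if self.users[user] == password else BAD_PASSWORD


@dataclass
class LdapInstance:
    """An LDAP identity source: primary server plus optional secondary, as the thread describes."""
    name: str
    primary: Directory
    secondary: Optional[Directory] = None

    def authenticate(self, user: str, password: str) -> str:
        result = self.primary.authenticate(user, password)
        if result == UNREACHABLE and self.secondary is not None:
            result = self.secondary.authenticate(user, password)  # fail over to secondary
        return result


@dataclass
class AdJoin:
    """The single AD domain the server is joined to; other domains are visible only via trusts."""
    name: str
    joined: Directory
    trusted: Dict[str, Directory] = field(default_factory=dict)  # domain name -> trusted domain

    def authenticate(self, user: str, password: str) -> str:
        domain, _, sam = user.rpartition("\\")  # accept DOMAIN\user or a bare user name
        if not domain or domain == self.joined.name:
            return self.joined.authenticate(sam or user, password)
        target = self.trusted.get(domain)
        if target is None:
            return NOT_FOUND  # no trust relationship: that domain's users are invisible
        return target.authenticate(sam, password)


def authenticate_sequence(stores: List, user: str, password: str) -> Tuple[Optional[str], str]:
    """Walk the identity store sequence in order; a definitive answer ends the walk."""
    last: Tuple[Optional[str], str] = (None, NOT_FOUND)
    for store in stores:
        result = store.authenticate(user, password)
        last = (store.name, result)
        if result in (OK, BAD_PASSWORD):
            return last
    return last  # every store said not-found/unreachable: report the last store consulted


def build_demo_sequence() -> List:
    """Constructed sample: one AD join with a trusted domain, then two LDAP instances."""
    corp = Directory("CORP", {"alice": "Pa55-corp"})
    lab = Directory("LAB", {"bob": "Pa55-lab"})          # trusted by CORP
    ad = AdJoin("AD1", joined=corp, trusted={"LAB": lab})
    ldap1 = LdapInstance(
        "LDAP1",
        Directory("ldap1-primary", {"dave": "Pa55-ldap"}, reachable=False),  # primary is down
        Directory("ldap1-secondary", {"dave": "Pa55-ldap"}),
    )
    ldap2 = LdapInstance("LDAP2", Directory("ldap2-primary", {"erin": "Pa55-ldap2"}))
    return [ad, ldap1, ldap2]


if __name__ == "__main__":
    seq = build_demo_sequence()
    for u, p in [("alice", "Pa55-corp"), ("LAB\\bob", "Pa55-lab"),
                 ("VENDOR\\carol", "Pa55-vendor"), ("dave", "Pa55-ldap"), ("erin", "wrong")]:
        print(u, "->", authenticate_sequence(seq, u, p))
```

Running the block shows the distinctions the replies above make: a user in a trusted domain (LAB\bob) is resolved through the single AD join, a user in an untrusted domain (VENDOR\carol) is simply not found anywhere, and dave is still authenticated by LDAP1 even though that instance's primary server is down, because the secondary answers.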