Solved: Cisco ACS AD authentication

spyrosandreou · ‎12-03-2013

Hi there !

Im currently deploying Cisco ACS 5.4 on our netwrok and im looking into some extra measures to secure authentication and authorization to devices.

I would like to ask if anyone has tips on the following since i may have been confused myself for wanting to do it this way.

Ok users as of now are authenticated from an external identity store (Active Directory). I would liek to know if theres a way to also authenticate these users or authorize them from ACS so that when for example the IT Department adds a user that should not be in a group, but the group is authenticated for a set of devices, that user will nto be able to access the devices.

A more simple explanation is as follows.

Groups e.t.c are ficitonal

I have group in AD called "Engineers" containing 2 users, user A and user B.

Engineers have a shell profile on ACS that grants them Super-user permissions/privileges on devices.

However Active Directory is managed by the IT department which might be social engineered to add user C in this group.

What i need to find out is a way to only allow user A and user B to access the devices while maintaining the shell profile with the AD group "Engineers"

I am aware of compund conditions in authorization profiles/rules. Will that mean i will have to create local users as well and assign them their passwords as well?

Im a bit confused as you can see...

Any help will be greatly appreciated!!!

Thanks!

Javier Henderson · ‎12-03-2013

Since user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant the super-user access based on users A and B membership on group Engineering, then user C will also be granted that access.

ACS has no way of knowing what users are members of the Engineering group, nor can it detect that user C has been incorrectly added.

If you want to use AD credentials, and at the same time maintain a canonical list of users for ACS to check, you will need to create local users on ACS, as you suggested above.

View solution in original post

Javier Henderson · ‎12-03-2013

Since user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant the super-user access based on users A and B membership on group Engineering, then user C will also be granted that access.

ACS has no way of knowing what users are members of the Engineering group, nor can it detect that user C has been incorrectly added.

If you want to use AD credentials, and at the same time maintain a canonical list of users for ACS to check, you will need to create local users on ACS, as you suggested above.

spyrosandreou · ‎12-03-2013

Hi javier and thanks for repying!

I truly understand what you are saying, whats the point of adding the external store if you will be authenticating users from another local one. I mean the whole point is to get everything from somewhere that is already organised and go from there.

But, what confused me into believing that this might be possible are the

Compound conditions and if there was some way for the ACS to match a kind of string to the already authenticated user coming from AD.

In any case i guess thats not possible so ill stop looking for a way to do it!