If the integration between

smolz · ‎01-22-2015

I have ACS 5.6 running and have it integrated with Active Directory. It is also connected to a cloud based radius server for 2-factor auth.

What i would like to be able to do is when a user tries to log into a network device(router/switch/etc.) they would type in their AD username and their 2-factor password. This would get authenticated against the cloud radius server and either pass or fail authentication, but I would also like to be able to allow access based on AD group membership. This would be to allow some staff access to some devices, but not others, and some users would have access to all devices?

Jatin Katyal · ‎01-24-2015

If the integration between ACS 5.6 and Cloud based radius / AD has been done then the next step is to :

1. Active Directory > Directory Groups > Select the AD groups you want to use for in your authorization conditions.

2. create an identity source sequence with Cloud based radius server selected inside the authentication section and AD inside additional attribute retrieval say RSA-AD

3. While creating the authorization rule in access-policies use External AD group in condition to accomplish your goal.

Access Policies > Default Network Access > Authorization > Customize > Move "AD1:External Groups" from Available to selected section > ok

Note: Don't forget to call RSA-AD in identity under default network access.

4. test the authentication and report back if needed.

Regards,

Jatin

~Jatin

Cisco ACS Authentication/Authorization