281 Views, 0 Helpful, 1 Reply

Cisco ACS Authentication/Authorization

smolz
Level 4

I have ACS 5.6 running and have it integrated with Active Directory. It is also connected to a cloud-based RADIUS server for 2-factor auth.

What I would like to be able to do is, when a user tries to log into a network device (router/switch/etc.), they would type in their AD username and their 2-factor password. This would get authenticated against the cloud RADIUS server and either pass or fail authentication, but I would also like to be able to allow access based on AD group membership. This would be to allow some staff access to some devices but not others, while some users would have access to all devices.

1 Reply

Jatin Katyal
Cisco Employee

If the integration between ACS 5.6 and the cloud-based RADIUS server/AD has been done, then the next steps are:

1. Active Directory > Directory Groups > select the AD groups you want to use in your authorization conditions.

2. Create an identity source sequence with the cloud-based RADIUS server selected in the authentication section and AD in the additional attribute retrieval section, say RSA-AD.

3. While creating the authorization rule in Access Policies, use the external AD group in the condition to accomplish your goal.

Access Policies > Default Network Access > Authorization > Customize > move "AD1:External Groups" from Available to Selected > OK

Note: Don't forget to call RSA-AD in Identity under Default Network Access.

4. Test the authentication and report back if needed.


Regards,

Jatin

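The flow the reply describes, modelled as a small policy engine so the moving parts are visible: the identity sequence authenticates the username plus 2-factor password against the cloud RADIUS server, AD is consulted only to retrieve group membership for that same username, and the authorization table is then walked top to bottom with an implicit deny at the end. This is an added example and not ACS code or anything posted in the thread; the RADIUS and AD back ends are stubbed with constructed in-memory tables, and the rule names, device groups, group names and shell profile names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the cloud 2FA RADIUS server: username -> accepted OTP.
# Real ACS sends an Access-Request here; nothing about AD is involved at this step.
CLOUD_RADIUS: Dict[str, str] = {"alice": "123456", "bob": "654321", "carol": "999999"}

# Constructed stand-in for AD, used only for attribute retrieval (group lookup).
# "carol" exists in the 2FA service but has no AD object, to show that edge case.
AD_GROUPS: Dict[str, List[str]] = {
    "alice": ["NetAdmins", "Staff"],
    "bob": ["Helpdesk", "Staff"],
}


@dataclass(frozen=True)
class AuthzRule:
    name: str
    device_group: Optional[str]  # None matches any network device group
    ad_group: str                # the "AD1:External Groups" condition
    shell_profile: str           # result returned to the device on a match


# Ordered like an ACS authorization table: first matching rule wins (assumed names).
RULES: List[AuthzRule] = [
    AuthzRule("net-admins-all-devices", None, "NetAdmins", "Priv15"),
    AuthzRule("helpdesk-access-switches", "AccessSwitches", "Helpdesk", "Priv1"),
]


def radius_authenticate(user: str, password: str) -> bool:
    """Authentication half of the identity sequence: the 2FA RADIUS server decides."""
    return CLOUD_RADIUS.get(user) == password


def ad_external_groups(user: str) -> List[str]:
    """Attribute-retrieval half: AD is asked for groups, never for a password."""
    return AD_GROUPS.get(user, [])


def authorize(user: str, password: str, device_group: str) -> Optional[str]:
    """Return the shell profile ACS would hand back, or None for an Access-Reject."""
    if not radius_authenticate(user, password):
        return None  # authentication failed; the authorization table is never evaluated
    groups = set(ad_external_groups(user))  # empty set if the user has no AD object
    for rule in RULES:
        device_ok = rule.device_group is None or rule.device_group == device_group
        if device_ok and rule.ad_group in groups:
            return rule.shell_profile
    return None  # no rule matched: implicit default deny


if __name__ == "__main__":
    attempts = [
        ("alice", "123456", "CoreRouters"),     # admin, any device
        ("bob", "654321", "AccessSwitches"),    # helpdesk on a permitted device group
        ("bob", "654321", "CoreRouters"),       # helpdesk on a device group with no rule
        ("carol", "999999", "AccessSwitches"),  # valid OTP but no AD groups
        ("alice", "000000", "CoreRouters"),     # wrong OTP, groups never consulted
    ]
    for user, otp, dev in attempts:
        print(f"{user:6} -> {dev:14}: {authorize(user, otp, dev) or 'REJECT'}")
```

Two behaviours worth confirming when testing step 4 on the real system: a user who passes 2FA but has no AD object (or is in no selected group) is rejected rather than granted some default, and rule order matters, since a broad rule placed above a device-specific one will shadow it.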