
Cisco ACS - Use Identity Sequence for ACS logins

Currently my ACS installation is using AD for ACS administrative logins (as opposed to device logins). Basically there is one AD group of users who are ACS "Device Admins" and one AD group for ACS "SuperAdmins". Our security folks have been bugging us about migrating to two-factor for ACS administrative logins, but that was not supported.

However, now ACS 5.8 is out and in the release notes it says that it supports RSA two-factor authentication for login to ACS itself. While I can see how to select RSA for the Identification part, I cannot see how to use AD groups for the Authorization part. Under System Administration->Administrative Access Control->Identity I cannot see any of my Identity Sequences, only my Identity sources, hence I have no way to select which additional attributes to pull from AD like I do for device logins, so while authentication succeeds, authorization fails. I have this exact scenario working for device login access using an identity sequence, but I cannot find out how to use that same identity sequence for ACS administrative access.

The question is: how can I use RSA two-factor for ACS administrative logins and use AD groups for administrative authorization?
