02-23-2005 07:53 AM - edited 03-10-2019 02:01 PM
We just got and installed CiscoSecure ACS 3.3 on a domain controller for our MS active directory domain.
ACS seems to work with AD in the sense that it uses the usernames and passwords contained in AD for users. However, I noticed it does not seem to populate ACS with the users; instead you have to go into ACS and add each user with the username from AD, and then just tell it to use the Windows database for password authentication.
Is this correct or am I missing something in my setup that is preventing users from being populated in ACS?
Also, can you not use AD groups for ACS permissions? For example, one of the things we are doing is defining certain groups for access to router, switch and firewall commands. I have been able to do this manually in ACS by defining a group and setting the permissions as well as the command authorization set. However, it does not seem very practical to have to go into ACS manually to add a user to an ACS group. I thought since ACS works with Active Directory it would also use AD groups, so we could assign a user to a group in AD and it would then utilize the defined ACS permissions for that group.
03-01-2005 09:46 AM
To answer one of your questions, the setup looks correct and should work...
03-03-2005 07:23 AM
I think you are a victim of the AD Aware as opposed to AD Integrated. CiscoSecure is AD Aware, it can use the AD database for Password authentication (a very simple implementation of single sign-on). But the local database is used for everything else. From my point of view this is a good thing.
If the AD Admin, Network Admin and Security officer are all the same person, then I agree with you.
From your message you seem to be using ACS to secure your Cisco devices (routers/switches). I would not want people who manage AD to be able to give network device access to anyone they choose, nor do I trust AD admins to understand network security. Normally the network people are a very small subset of the IT organization, so this should not be a big problem. Also, the real component that you are using to secure the devices is TACACS+ (hopefully) or RADIUS, because the devices are not AD Aware themselves.
If you need every user that is in AD to be a user in ACS, there is import/export support for both for initial setup; after that it is up to you to keep the databases synchronized. You can do this with routine import/exports, but I advise against it.
If you are using ACS to manage a Dial or IPSec environment, I agree this is a pain, but do you really want everyone to be able to dial-in or VPN into your network without coming to you for access? Don't you want to be able to disable/expire peoples access for devices and remote access without calling the AD admin?
For the kind of things you want, you need an AD Integrated product like Exchange, or you can try some of the vendors listed at http://www.microsoft.com/windows2000/partners/adall.asp
FYI - This is my understanding of the product. I'm sure there are a lot of people out there that know more than me, so feel free to correct me.
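The "AD Aware" split described in the reply above (the directory only answers the password question; group membership and command authorization live in the ACS local database) can be modelled as a small decision function. The following is an added illustration, not Cisco's code or anything from this thread: the AD password store, the ACS user and group tables, the command authorization sets and the user names are all constructed, and the permit/deny regex rules are an approximation of how an ACS command authorization set is evaluated, not the product's exact matching semantics.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the directory. An "AD Aware" product only asks
# it "is this password correct for this user?" and nothing else.
AD_PASSWORDS = {"alice": "S3cret!", "bob": "hunter2", "carol": "pa55"}

# Constructed stand-in for the ACS local database: user -> ACS group.
# carol exists in AD but was never added to ACS, so she has no group here.
ACS_USERS = {"alice": "netadmins", "bob": "helpdesk"}


@dataclass
class CommandSet:
    """Approximation of an ACS command authorization set: ordered
    (action, regex) rules, first match wins, with an explicit default."""
    rules: list
    default_permit: bool = False

    def allows(self, command: str) -> bool:
        for action, pattern in self.rules:
            if re.match(pattern, command):
                return action == "permit"
        return self.default_permit


# Constructed ACS groups and the command sets attached to them.
ACS_GROUPS = {
    "netadmins": CommandSet(rules=[("permit", r".*")]),
    "helpdesk": CommandSet(rules=[
        ("deny", r"configure\b"),
        ("deny", r"reload\b"),
        ("permit", r"show\b"),
    ]),
}


def authenticate(username: str, password: str) -> bool:
    """The only step delegated to the directory (the AD Aware part)."""
    return AD_PASSWORDS.get(username) == password


def authorize_command(username: str, password: str, command: str) -> str:
    """Model a TACACS+ authentication + command authorization decision.

    Returns a short reason string so the three distinct outcomes
    (bad password, unknown to ACS, command not permitted) stay visible.
    """
    if not authenticate(username, password):
        return "deny: authentication failed"
    group = ACS_USERS.get(username)          # looked up in ACS, never in AD
    if group is None:
        return "deny: user not in ACS local database"
    if ACS_GROUPS[group].allows(command):
        return f"permit: {group}"
    return f"deny: command not permitted for {group}"


if __name__ == "__main__":
    for user, pw, cmd in [
        ("alice", "S3cret!", "configure terminal"),
        ("bob", "hunter2", "show running-config"),
        ("bob", "hunter2", "configure terminal"),
        ("carol", "pa55", "show version"),
    ]:
        print(f"{user:6} {cmd:22} -> {authorize_command(user, pw, cmd)}")
```

The point of the model is the `carol` case: a correct AD password on its own grants nothing, because the device-access decision is taken from the ACS tables, which is exactly why adding a user to an AD group has no effect on what that user may do on a router.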