05-09-2004 09:55 PM - last edited on 03-25-2019 05:22 PM by ciscomoderator
Dear Sirs,
We have an ACS Server with a connection to an external LDAP database with thousands of names, for Cisco VPN 3060 user authentication. The ACS was installed as a temporary solution, until native LDAP support is available on VPN.
At the same time, we are deploying a new network based on Catalyst 3750. We are not using any AAA for switch/router administration as yet, but would like to set one up for about a dozen names.
Q1. Would it be sensible/possible to use the existing VPN ACS Server with a separate internal database for switch/router administration AAA?
Q2. If so, how could it be configured so as not to interfere with its existing role as a "VPN radius to ldap converter"? Alternatively, would another type of box be more sensible for the role?
I appreciate very much any advice given.
Thanks
Andrew
05-10-2004 05:40 AM
You would want to set up a group with the admin user IDs in ACS, though you could still use LDAP for password checking if you'd like.
To ensure that people are only allowed access to the appropriate devices, you'll want to set up network device groups for your hardware and assign network restrictions to the user groups.
I have my ACS doing lots of different things, but the more I try to have it do, the more complex things get from a security perspective.