N3t W0rK3r
Participant

How to Configure ACS 5.8 for AAA authentication to AD

I am setting up a new installation of ACS v5.8 from scratch to replace our ACS4.1 solution.

I have got to the point where I have the new ACS server authenticating device admin access using an internal identity store user just fine.  I then connected it successfully to our AD domain. I have selected an AD group to query under the Directory Groups tab of the External Identity Store/Active Directory and have tried to create appropriate device admin identity and authorization policies to reference the AD group using a condition.

Login attempts from device admins are failing.  When I check the ACS logs and policy hit counts, it's clear that my AD-based device admin identity/auth policies are not being matched.  Obviously I have done something wrong or not completely and I'm looking for some guidance.

Thanks,

John

4 REPLIES
Javier Henderson
Enthusiast

John,

On the authentication report page, click on the magnifying glass for a test authentication to get the details, then scroll down to see what attributes were retrieved from AD for that user, and see if you can determine why the intended authorization policy was not matched.

Javier Henderson

Cisco Systems

Thanks, Javier.

My problem right now is that AD is NOT being queried at all.  The second identity rule, which I expect to be hit to query AD, is not being hit. See attached.

Javier,

I was able to get it to work by changing the Identity source in my Rule-1 ID policy from internal users (only) to an id sequence Internal-AD.

Not exactly sure why this worked, however... I would have thought that Rule-2 would have matched.

Oh well.

Thanks for your help.

John

The list is evaluated top to bottom, and exits on the first match. In this case, it matched Rule-1 and it stopped there.

Javier Henderson

Cisco Systems
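The evaluation order Javier describes (rules checked top to bottom, first match wins, no fall-through to a later rule when the matched rule's store does not know the user) is modelled below as an added example; it is not Cisco ACS code and nothing in it comes from the thread's actual configuration. It assumes both identity rules have a condition that matches the same device-admin logins, that an identity-store sequence ("Internal-AD") tries each store in order and moves on only when the user is not found, and uses constructed users and passwords.

```python
"""First-match identity-policy evaluation, modelled on the behaviour described in the thread.

Added example, not Cisco ACS code. Store names, rule names, users and
passwords are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed identity stores: one local account, one directory account.
INTERNAL_USERS: Dict[str, str] = {"localadmin": "Loc4l-Only"}
AD_USERS: Dict[str, str] = {"jdoe": "Ad-Passw0rd"}
STORES: Dict[str, Dict[str, str]] = {"Internal Users": INTERNAL_USERS, "AD1": AD_USERS}


@dataclass
class Request:
    user: str
    password: str
    protocol: str  # "TACACS+" stands in for a device-administration login


@dataclass
class IdentityRule:
    name: str
    condition: Callable[[Request], bool]
    sources: List[str]  # ordered stores; more than one models an identity sequence


def lookup(store_name: str, req: Request) -> str:
    """Ask one store about the user: 'pass', 'fail' (bad password) or 'not_found'."""
    store = STORES[store_name]
    if req.user not in store:
        return "not_found"
    return "pass" if store[req.user] == req.password else "fail"


def evaluate(rules: List[IdentityRule], req: Request) -> Tuple[Optional[str], Optional[str], str]:
    """Return (rule that matched, store that answered, outcome).

    Rules are scanned in order; the first rule whose condition holds is the
    only one consulted, even if none of its stores knows the user.
    """
    for rule in rules:
        if not rule.condition(req):
            continue  # condition not met: try the next rule
        for store_name in rule.sources:
            outcome = lookup(store_name, req)
            if outcome != "not_found":
                return rule.name, store_name, outcome
            # user absent in this store: assumed to fall through to the next store in the sequence
        return rule.name, None, "user_not_found"  # matched rule exhausted; later rules are never reached
    return None, None, "no_rule_matched"


def is_device_admin(req: Request) -> bool:
    return req.protocol == "TACACS+"


# Assumed original configuration: Rule-1 (internal users only) matches every
# device-admin login, so the AD rule below it never gets a hit.
BROKEN: List[IdentityRule] = [
    IdentityRule("Rule-1", is_device_admin, ["Internal Users"]),
    IdentityRule("Rule-2", is_device_admin, ["AD1"]),
]

# Fix from the thread: Rule-1 points at an identity sequence that tries the
# internal store first and then AD.
FIXED: List[IdentityRule] = [
    IdentityRule("Rule-1", is_device_admin, ["Internal Users", "AD1"]),
    IdentityRule("Rule-2", is_device_admin, ["AD1"]),
]


def demo() -> Dict[str, Tuple[Optional[str], Optional[str], str]]:
    ad_admin = Request("jdoe", "Ad-Passw0rd", "TACACS+")
    local_admin = Request("localadmin", "Loc4l-Only", "TACACS+")
    return {
        "ad_admin_broken": evaluate(BROKEN, ad_admin),
        "ad_admin_fixed": evaluate(FIXED, ad_admin),
        "local_admin_fixed": evaluate(FIXED, local_admin),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the broken ordering the AD user stops at Rule-1 with "user not found" and Rule-2's hit count never moves, which is what the policy counters in the original post would show; with the sequence in Rule-1, the same login is answered by AD. An alternative to the sequence is to give Rule-1 a condition narrow enough that only local-account logins match it, so that AD logins fall through to Rule-2.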
