10-06-2005 07:36 AM - edited 03-10-2019 02:20 PM
I would like to perform the following in our environment. I currently have CS ACS Appliance v3.3. I plan to install CS Remote Agent on a Windows 2003 Domain Controller for the backend authentication database using A/D.
Goal: I want to use the ACS to perform authentication for the 5 employees from the Network Team on our network switches and routers using ACS TACACS+. The Network Team needs exec privileges. I would also like to perform DOT1X machine and user authentication using the same ACS as a RADIUS. General users will not have access to Network Switches and Routers.
Questions I hope you can answer:
1) Do I need to create a group in A/D with just the Network Team accounts and map an ACS group to that A/D group? I assume this will not be the default group in ACS because the Unknown user policy will put general users in this group when they first authenticate if I do not create each user account in a specified group?
2) Do I need to create a group in ACS with the host names of the computers and the user accounts?
3) Has anyone else tried this configuration?
4) Are there any sample deployment docs available that address this specific configuration?
Thanks for any information.
10-11-2005 04:21 AM
The problem you have with using AD accounts for 802.1x auth as well as Network admin is mapping the groups. You can't map groups based on service being requested, so unless all your Network Team accounts map to the same group you would have used for 802.1x then you have a problem.
So the best option is probably to create separate accounts inside ACS for network admins (a shame, I know, since passwords will not be in step).
As for deployment docs there is a white paper I co-authored that describes how to get the most out of T+ Network Admin access.
You can find it via Extraxi's web site:
http://www.extraxi.com/TDA.htm
and select the "Building Scalable T+ Device Mgmt" link.