1115 Views, 0 Helpful, 3 Replies

Cisco ACS 5.1 + Windows AD

Petr Nagernyuk
Level 1

Hi all!

Does anybody have any detailed knowledge about Cisco ACS 5.1 and Windows AD interaction? I wonder why the Cisco ACS domain account must have permission to create/delete domain objects. This fact really surprised me, because to my mind Cisco ACS only reads the domain structure and does not make any changes.

3 Replies

Nicolas Darchis
Cisco Employee

Yes, the question has already been asked multiple times. The developers confirmed that this is for ACS to create its own computer account when joining the domain.

You can work around it by pre-creating the ACS machine account in AD, but if for some reason (and it does happen from time to time) ACS leaves the domain and the machine account is deleted ... you have to re-do it again :-)

Regards,

Nicolas

The problem is that my customer does not understand the necessity of creating the account with administrative (or create/delete computer objects) rights. As I understand it, if I integrate Cisco ACS and Windows AD using LDAP, the account for the ACS server can just be a user account in the domain. I think this is the best decision in my situation. At the moment I have two questions.

1) When integrating Cisco ACS and Windows AD using LDAP, will I be able to use RADIUS attributes? For example, downloadable access lists for auth-proxy users or remote access users.

2) What can be the problem with adding LDAP groups to Cisco ACS? I cannot see any LDAP group in the Cisco ACS Directory Group tab.

My parameters are the following:

Subject Object Class: Person

Group Object Class: group

Subject Name Attribute: sAMAccountname

Group Name attribute: memberof

Subject Search Base: dc=lab, dc=net

Group Object Base: dc=lab, dc=net

Test bind to server: Bind test successful. Found 10 groups and 35 objects.

If you read my last message, it says "machine" account. ACS needs a user AND a machine account in AD.

1) I'm not sure I understand your question, because there is no relation. It's on ACS that you determine what to send back (ACL or whatever), so any attribute you can retrieve from LDAP can be used to make policies, and depending on those policies you return what you want.

2) You need to type a group name that exists in LDAP and add it. This means you have to tell ACS which groups you are going to use. ACS cannot make policies by showing you the list of groups in LDAP; you need to define first which groups out of LDAP you will be using, and that selection is shown when you make policies.

Why use AD as LDAP anyway, and not join ACS to the domain?
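The two replies above describe what an LDAP-bound policy server does with the parameters Petr posted: it searches for the subject by object class and name attribute, reads the group DNs from the user's memberOf attribute, and then considers only the groups an administrator has explicitly added. The following Python model is an added example written for this thread; it is not Cisco's code and does not talk to a real directory. The directory entries, user names (jdoe, svc-acs) and group names are constructed here for illustration, and the attribute names are normalised to AD's canonical casing (sAMAccountName, memberOf). It also shows the RFC 4515 escaping a filter builder must apply to a user-supplied name, and a DN parser that honours backslash escapes, since a group CN containing a comma is otherwise split incorrectly.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Parameters as posted in the thread, with attribute names in AD's canonical casing.
SUBJECT_OBJECT_CLASS = "person"
SUBJECT_NAME_ATTR = "sAMAccountName"
GROUP_NAME_ATTR = "memberOf"
SUBJECT_SEARCH_BASE = "dc=lab,dc=net"

# Constructed sample entries standing in for what the AD search would return.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=jdoe,ou=users,dc=lab,dc=net": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
        "memberOf": [
            "CN=VPN Users,OU=Groups,DC=lab,DC=net",
            "CN=Net\\, Admins,OU=Groups,DC=lab,DC=net",  # escaped comma inside the CN
        ],
    },
    "cn=svc-acs,ou=service,dc=lab,dc=net": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["svc-acs"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=lab,DC=net"],
    },
}

# RFC 4515: characters that would change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so a user-supplied login name cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_subject_filter(username: str) -> str:
    """The search filter implied by the Subject Object Class / Subject Name Attribute settings."""
    return (f"(&(objectClass={SUBJECT_OBJECT_CLASS})"
            f"({SUBJECT_NAME_ATTR}={escape_filter_value(username)}))")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, honouring '\\x' and '\\hh' escapes."""
    rdns: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # hex-pair escape
                i += 3
            else:
                buf.append(dn[i + 1])                        # single-character escape
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":
            rdns.append((attr or "", "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr or "", "".join(buf)))
    return rdns


def group_name(dn: str) -> str:
    """A group's display name is the CN value of the leftmost RDN of its DN."""
    attr, value = parse_dn(dn)[0]
    if attr.lower() != "cn":
        raise ValueError(f"group DN does not start with CN: {dn}")
    return value


def find_subject(username: str) -> Optional[Dict[str, List[str]]]:
    """Stand-in for the LDAP search under the subject search base; AD compares names case-insensitively."""
    for dn, entry in DIRECTORY.items():
        in_base = dn.lower().endswith(SUBJECT_SEARCH_BASE)
        right_class = SUBJECT_OBJECT_CLASS in (c.lower() for c in entry["objectClass"])
        right_name = entry[SUBJECT_NAME_ATTR][0].lower() == username.lower()
        if in_base and right_class and right_name:
            return entry
    return None


def resolve_groups(username: str) -> Set[str]:
    """Every group the user belongs to, taken from the Group Name Attribute (memberOf)."""
    entry = find_subject(username)
    if entry is None:
        return set()
    return {group_name(dn) for dn in entry.get(GROUP_NAME_ATTR, [])}


def matched_groups(username: str, configured_groups: Set[str]) -> Set[str]:
    """Only groups the administrator has explicitly added to the policy server are usable in policy."""
    wanted = {g.lower() for g in configured_groups}
    return {g for g in resolve_groups(username) if g.lower() in wanted}


if __name__ == "__main__":
    print(build_subject_filter("jdoe"))
    print(build_subject_filter("*)(objectClass=*"))   # escaping keeps the filter intact
    print(resolve_groups("jdoe"))
    print(matched_groups("jdoe", {"VPN Users"}))      # "Net, Admins" is dropped: not configured
```

Running the block prints the filter the subject settings produce, shows a hostile login name being neutralised by escaping, lists both groups from the user's memberOf attribute, and then returns only the one group that was typed into the server's configuration, which is the behaviour the second reply describes.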
