04-06-2013 01:03 PM - edited 02-21-2020 10:28 AM
Can we integrate Cisco ACS version 5.x with Active Directory on Microsoft Windows Server 2012?
04-07-2013 09:43 AM
Yes. AD integration is a key function of all versions of ACS and is quite commonly deployed that way.
Windows Server 2012 support specifically was introduced as of ACS 5.4, Patch 2 (released February 2013). This is noted in the Compatibility Guide.
The configuration guide has details here.
04-21-2014 06:38 AM
Hi Marvin,
Hope you're well!
I am facing some access issues after completing the ACS (5.1) and AD (Windows 2003) integration; details are below.
The enable password for routers and switches works fine if the identity source is "Internal Users". Unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:
1. I am able to access the network device (Cisco switch) using the MS AD username and password via SSH/Telnet.
2. The enable password is not working (using the same user password configured in MS AD).
3. When I revert and change the ACS identity source from "AD1" back to "Internal Users", the enable password works fine.
Switch TACACS+ Configuration
aaa new-model
!
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local
aaa authorization commands 15 ACS group tacacs+ local
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa authorization console
!
aaa session-id common
!
tacacs-server host 10.X.Y.11
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key gacakey
!
line vty 0 4
 session-timeout 5
 access-class 5 in
 exec-timeout 5 0
 login authentication ACS
 authorization commands 15 ACS
 authorization exec ACS
 accounting commands 15 ACS
 accounting exec ACS
 logging synchronous
This is my first ACS-AD integration experience; I hope to fix this issue with your support. Thanks in advance.
Regards,
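As an added example (not from the thread or from Cisco), the script below audits the AAA statements posted above: it resolves which method list each line actually ends up using and reports where enable authentication is sent. The `line con 0` entry in the sample is an assumption, since the posted excerpt shows only the vty lines.

```python
import re

# Constructed sample: the AAA statements from the posted switch config.
# "line con 0" is an assumption (the post shows only "line vty 0 4").
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local
aaa authorization commands 15 ACS group tacacs+ local
tacacs-server host 10.X.Y.11
line con 0
line vty 0 4
 login authentication ACS
 authorization commands 15 ACS
 authorization exec ACS
"""

GLOBAL_RE = re.compile(r"^aaa (?:authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$")
LINE_RE = re.compile(r"^\s+(login authentication|authorization (?:exec|commands \d+)) (\S+)$")

def _methods(tokens):
    """Join 'group <name>' into one method: 'group tacacs+ local' -> 2 methods."""
    out, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        out.append(" ".join(tokens[i:i + step]))
        i += step
    return out

def parse_aaa(config):
    """Return (method lists keyed by (kind, name), per-line list references)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:]                      # e.g. "vty 0 4"
            lines[current] = {}
        elif m := GLOBAL_RE.match(raw):
            lists[(m.group(1), m.group(2))] = _methods(m.group(3).split())
        elif current and (m := LINE_RE.match(raw)):
            kind = m.group(1).replace("login authentication", "login").replace("authorization ", "")
            lines[current][kind] = m.group(2)
    return lists, lines

def audit(config):
    """Flag lines whose effective login list is 'none'; show the enable method order."""
    lists, lines = parse_aaa(config)
    findings = []
    for line, refs in lines.items():
        name = refs.get("login", "default")        # no explicit list -> 'default'
        if lists.get(("login", name)) == ["none"]:
            findings.append(f"{line}: login list '{name}' is none (no authentication on this line)")
    enable = lists.get(("enable", "default"), [])
    findings.append(f"enable: {enable} (later methods are tried only if TACACS+ is unreachable, not on a rejected password)")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see that the console falls back to the `default` list (none) while the vty lines use `ACS`, and that enable requests go to TACACS+ first.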
04-21-2014 02:12 PM
Your device-side setup looks fine. I suspect it's on the AD or ACS-AD end.
Have you had a look at the configuration guide example for ACS-LDAP here? It has some tips on verifying the ACS-LDAP connectivity.
Once you've confirmed the simple ones there check out OK, we can look more closely at what remaining issues (if any) you might be seeing.