ACS Integration with Microsoft Active Directory Services

Hello Everyone,

I've been tasked to design the integration of ACS with MS AD. What I want to know is the below, assuming I have a software ACS or an ACS device and the protocol for authentication is RADIUS:

- What are the criteria for the AD to integrate with ACS software or appliance?

- Should that AD be hosted on the domain controller or not?

- If not, on what (Domain Controller, Tree, Forest, Branch, Flower, Fruit) should the AD be hosted?

- What will I have to do to authenticate users logging into Cisco Security Manager with ACS integrated with AD?

- Are there any other dependencies that I will have to categorically mention in my design document?

Thanks,

Rishi

2 Accepted Solutions

maldehne
Cisco Employee

First of all, I love the flower/fruit one, keep it up.

If ACS is the Windows version, it can be installed either on a member server or on a domain controller. For detailed info about the post-installation tasks needed to have full integration, please check the following link, which contains the fancy things you are looking for:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202

If ACS is the Solution Engine, then you need a special piece of software called the Remote Agent to be installed either on a member server or on a domain controller. Also check the following link for more details on how to integrate it with AD:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html

I hope this has been informative to you.

-----------------------------------------------------------------------------

Please make sure to rate correct answers


spindoctor64
Level 1

In ACS v5.x, there is a screen for integrating the ACS with AD. 

     (Users and Identity Stores > External Identity Stores > Active Directory)

Just enter the local domain name (domain.com) and a valid AD administrator account username and password, and the ACS will connect to the domain.  This allows you to use existing AD credentials to login and administer your network devices. 

Tying the ACS to AD really only takes one screen and less than a minute, but you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to set up a search sequence (Users and Identity Stores > Identity Store Sequences) to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts. The permissions part is still fairly quick, and it only takes me about 45 minutes to build an ACS from scratch including all AD integration and custom RADIUS attributes for some of our devices.

The authentication would occur like this:

  1. User SSH/telnet/console to device
  2. Device contacts ACS using TACACS or RADIUS
  3. User receives login prompt and enters AD credentials
  4. Device sends credentials to ACS
  5. ACS validates credentials in AD
  6. ACS sends authentication OK message to Device
  7. Device logs user in.

Command Authorization looks something like this:

  1. User enters a command
  2. Device sends command authorization request to ACS
  3. ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group
  4. Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device
  5. Device allows or denies the user command.

Criteria:  We use an ACS 5.2 virtual machine and have had it work perfectly with Server 2003 and Server 2008.

AD is hosted on our local domain controller (Bonus:  no planting of flowers required!)

Dependencies: 

Issue:  The Device looks to ACS.  ACS looks to AD.  If AD fails, users cannot use their AD credentials to login.

          Device ---> ACS ---> AD

Solution:  Configure the Device to look at ACS first, then a local table if ACS is not available.  Also, configure the ACS to look at AD first, then a local ACS account list if AD is not available.  (You can configure local user accounts on the Device and in the ACS) 

          Device ---> ACS ---> AD

          Device ---> ACS ---> AD ---> ACS local

          Device ---> ACS ---> AD ---> ACS local ---> Device local

The new version of Cisco ACS is UNIX-based, and you can download a free trial to load up and try before you buy.  It is far FAR superior to the old ACS v3.3 that we had for years.

I hope this helps for your design document!

--Chris
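The authentication exchange Chris lists (steps 2 to 6) carried over RADIUS, as an added example that is not part of the original post and not Cisco's or ACS's code: a minimal RFC 2865 Access-Request/Access-Accept in Python. The NAS side encodes User-Password against the shared secret, the "ACS" side decodes it and checks it against a constructed in-memory dict that stands in for the AD lookup, and the NAS only trusts the reply after checking the Response Authenticator. The shared secret, NAS address, user name and password are all made up for the example.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) between a NAS and an in-process "ACS".
Constructed example for this thread: secret, NAS address and user database are made up;
FAKE_AD is an in-memory dict standing in for the AD lookup that ACS would perform."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"example-only-change-me"   # assumed NAS<->ACS shared secret
NAS_IP = bytes([192, 0, 2, 10])             # assumed NAS address (documentation range)
FAKE_AD = {"rishi": b"Summer2011!"}         # constructed stand-in for the domain


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator.
    Only the secret and the 16-byte authenticator protect the password on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_password(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; the NUL padding is stripped (a password ending in NUL is not supported)."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list, rejecting truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def build_access_request(user: str, password: str, ident: int = 0x2A) -> bytes:
    """NAS side (step 4): credentials go to ACS inside an Access-Request."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), SHARED_SECRET, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def acs_handle(request: bytes) -> bytes:
    """ACS side (steps 5 and 6): recover the password, check it against the directory, answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = decrypt_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth)
    ok = user in FAKE_AD and hmac.compare_digest(password, FAKE_AD.get(user, b""))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return header + hashlib.md5(header + request_auth + SHARED_SECRET).digest()


def nas_verify(response: bytes, request: bytes) -> bool:
    """NAS side: trust the answer only if its Response Authenticator matches our request and secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + SHARED_SECRET).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or spoofed reply")
    return code == ACCESS_ACCEPT


def authenticate(user: str, password: str) -> bool:
    """Whole exchange: NAS builds the request, ACS answers, NAS verifies and decides."""
    request = build_access_request(user, password)
    return nas_verify(acs_handle(request), request)


if __name__ == "__main__":
    print(authenticate("rishi", "Summer2011!"), authenticate("rishi", "wrong"))
```

The point for the design document: with PAP over RADIUS the user's AD password crosses the network hidden only by an MD5 keystream derived from the shared secret, and a forged Access-Accept is only caught because the NAS recomputes the Response Authenticator with that same secret, so the secret must be long and random and the device-to-ACS path belongs on a management network. TACACS+ (the alternative in step 2) obfuscates the whole packet body rather than only the password attribute, but still rests on the shared secret.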

Chris, your solutions have helped me a lot. Thanks for your support. I still have a question though

How to replicate AD database to ACS, just in case AD lookup fails.

Thanks,

Rishi

As mentioned in the subsequent reply, there is no (easy) way to replicate AD users to ACS; you would also need to synchronize passwords, etc.

As mentioned above, if you have a sequence that first checks AD and then internal users, you can have some "recovery" accounts in the internal user database.

Note there is an important option related to identity sequences that needs to be set (available from ACS 5.3 onwards):

If access to the current identity store failed:

- Break Sequence
- Continue to next identity store in the sequence

This ensures that if the AD store cannot be reached (i.e. no response to the request is received), it will continue in the sequence and look up the user in the internal database.

Note there are additional failover options that can be selected for the identity policy. In the advanced options you can configure what should be done in each of the following three cases (shown with their default settings):

- If authentication failed: reject
- If user not found: reject
- If process failed: drop (i.e. could not access the DB)

You can change any of these to continue. In this case the processing continues to the authorization policy, and you can define policies based on the values of the condition "AuthenticationStatus", selecting from the values available that indicate what the authentication result was.

These are the failover/recovery options that are available.
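A small model of the failover chain described in this reply and in Chris's post above (Device -> ACS -> AD -> ACS local -> Device local), added here as an example and not taken from ACS or Cisco. In-memory dicts stand in for AD, the ACS internal database and the device's local usernames; the Identity Store Sequence "break"/"continue" option and the identity policy defaults (reject / reject / drop) are coded as the reply describes them. Two behaviours are modelled as assumptions: a store that finds the user but rejects the password ends the sequence, and the device consults its local table only when ACS gives no answer (a dropped request), never on an explicit reject, which is how a "group ... local" method list behaves on IOS.

```python
"""Model of the identity-store sequence, identity-policy failover options and the
NAS method list from this thread. Constructed example: the dicts below stand in for
AD, the ACS internal database and the device's local usernames."""
from typing import Dict, List, Optional, Tuple

# What an identity-store lookup can produce (success plus the three "advanced option" cases)
PASSED, AUTH_FAILED, USER_NOT_FOUND, PROCESS_FAILED = "passed", "auth_failed", "user_not_found", "process_failed"
# What the identity policy can do with it
ACCEPT, REJECT, DROP = "accept", "reject", "drop"

AD_USERS = {"rishi": "Summer2011!"}       # stands in for the domain
ACS_INTERNAL = {"recovery": "Recov3ry!"}  # "recovery" account in the ACS internal user database
DEVICE_LOCAL = {"lastresort": "L0cal!"}   # local username configured on the router/switch


class IdentityStore:
    """AD or the ACS internal store; reachable=False simulates a DC that does not answer."""

    def __init__(self, name: str, users: Dict[str, str], reachable: bool = True):
        self.name, self.users, self.reachable = name, users, reachable

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return PROCESS_FAILED        # "could not access DB"
        if user not in self.users:
            return USER_NOT_FOUND
        return PASSED if self.users[user] == password else AUTH_FAILED


def run_sequence(stores: List[IdentityStore], user: str, password: str,
                 if_access_failed: str = "break") -> Tuple[str, Optional[str]]:
    """Identity Store Sequence. if_access_failed is the ACS 5.3 option from the reply:
    "break" stops at an unreachable store, "continue" moves on to the next one.
    Assumption: a store that finds the user but rejects the password ends the sequence."""
    result = USER_NOT_FOUND
    for store in stores:
        result = store.authenticate(user, password)
        if result == PROCESS_FAILED:
            if if_access_failed == "break":
                return PROCESS_FAILED, store.name
            continue                     # skip the unreachable store
        if result in (PASSED, AUTH_FAILED):
            return result, store.name
        # USER_NOT_FOUND: try the next store in the sequence
    return result, None


def identity_policy(result: str, on_auth_failed: str = REJECT,
                    on_not_found: str = REJECT, on_process_failed: str = DROP) -> str:
    """Identity policy advanced options, with the defaults quoted in the reply."""
    return {PASSED: ACCEPT, AUTH_FAILED: on_auth_failed,
            USER_NOT_FOUND: on_not_found, PROCESS_FAILED: on_process_failed}[result]


def device_login(user: str, password: str, acs_sequence: List[IdentityStore],
                 device_local: Dict[str, str], if_access_failed: str = "break") -> Tuple[str, str]:
    """NAS configured 'ACS first, then local'. Assumption (IOS method-list behaviour): the
    device only moves to its local table when ACS gives no answer, i.e. a DROP; an explicit
    REJECT from ACS is final."""
    result, store = run_sequence(acs_sequence, user, password, if_access_failed)
    action = identity_policy(result)
    if action in (ACCEPT, REJECT):
        return action, "acs:" + (store or "sequence")
    if device_local.get(user) == password:
        return ACCEPT, "device-local"
    return REJECT, "device-local"


def scenarios() -> Dict[str, Tuple[str, str]]:
    """The failure modes from the thread, each as (decision, where it was decided)."""
    ad_up = IdentityStore("AD", AD_USERS)
    ad_down = IdentityStore("AD", AD_USERS, reachable=False)
    internal = IdentityStore("Internal", ACS_INTERNAL)
    internal_down = IdentityStore("Internal", ACS_INTERNAL, reachable=False)  # whole ACS unreachable
    return {
        "ad_up_good_password": device_login("rishi", "Summer2011!", [ad_up, internal], DEVICE_LOCAL),
        "ad_up_bad_password": device_login("rishi", "wrong", [ad_up, internal], DEVICE_LOCAL),
        "ad_down_break": device_login("recovery", "Recov3ry!", [ad_down, internal], DEVICE_LOCAL),
        "ad_down_continue": device_login("recovery", "Recov3ry!", [ad_down, internal], DEVICE_LOCAL, "continue"),
        "acs_down": device_login("lastresort", "L0cal!", [ad_down, internal_down], DEVICE_LOCAL, "continue"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22} -> {outcome}")
```

Running the scenarios shows why the 5.3 option matters: with the default "break", an unreachable DC turns into a dropped request, so the recovery account in the ACS internal database is never consulted and the device falls back to its own local table, which only helps if that table holds the account. With "continue", the internal "recovery" account takes over while a wrong password against a reachable AD is still rejected outright, with no fallthrough to local credentials; the local tables are a last resort for outages, not a second chance for bad passwords.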

One more. It may sound idiotic, but I just thought of asking: can AD user profiles be replicated to the device too?

Thanks,

Rishi

You cannot replicate users from AD to the ACS.
