Steps to Integrate ACS with Microsoft Active Directory:

 

1)Choose Users and Identity Stores > External Identity Stores > Active Directory.

 

2)Now enter the local domain name (for example, domain.com) and the username and password of a valid AD administrator account; ACS will then connect to the domain. This allows you to use existing AD credentials to log in to and administer your network devices.

 

Although tying the ACS to AD takes only one screen and less than a minute, two more things are still required. First, you have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access). Second, you have to set up a search sequence under Users and Identity Stores > Identity Store Sequences so that ACS first looks in AD for the credentials and then checks the local ACS user database for valid accounts.

 

Authentication Process:

The authentication process happens as follows:

 

1)User tries to SSH/telnet/console to device.

2)The Device contacts ACS using TACACS or RADIUS.

3)User receives login prompt and enters the AD credentials.

4)Device sends the credentials to ACS.

5)ACS validates the credentials in AD.

6)ACS sends the authentication OK message to the Device.

7)Device logs the user in.

 

Command Authorization:

The command authorization process happens as follows:

 

1)User enters a command.

2)Device sends command authorization request to ACS.

3)ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group.

4)Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device.

5)Device allows or denies the user command.

 

If ACS is the Windows version, it can be installed either on a member server or on a domain controller. For detailed information about the post-installation tasks needed for full integration, refer to the URL below:

 

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202

 

If ACS is the Solution Engine, you need a special piece of software called the Remote Agent, installed either on a member server or on a domain controller. See the following link for details on how to integrate it with AD:

 

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html

 

Troubleshooting:

Problem: The Device looks to ACS. ACS looks to AD. If AD fails, users cannot use their AD credentials to log in.

          Device ---> ACS ---> AD

 

Solution: Configure the Device to look at ACS first, then at a local table if ACS is not available. Also configure the ACS to look at AD first, then at a local ACS account list if AD is not available. (You can configure local user accounts both on the Device and in the ACS.)

          Device ---> ACS ---> AD

          Device ---> ACS ---> AD ---> ACS local

          Device ---> ACS ---> AD ---> ACS local ---> Device local
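The device-side half of the fallback chain above, as an added example that is not part of the original post: a Cisco IOS AAA configuration that sends authentication and command authorization to ACS over TACACS+ first and uses the device's local user table only as a last resort. The server name, IP address, shared secret, server-group name and local account are placeholders. The AD-first, ACS-local-second order is configured on the ACS side (Identity Store Sequences) and does not appear in the device configuration.

```cisco
! Added example (not from the original post). All names, addresses,
! secrets and the local account are placeholders.
aaa new-model
!
! Local fallback account: used only when no ACS server answers.
! Keep it to the minimum number of accounts and a strong secret.
username localadmin privilege 15 secret <LOCAL-ADMIN-SECRET-PLACEHOLDER>
!
! ACS reached over TACACS+ (placeholder address and shared secret).
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Authentication: ACS first, local table only if ACS is unreachable.
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! Authorization: exec shell and level-15 commands checked by ACS,
! which maps the user's AD group to the permissions you defined there.
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization console
!
! Accounting: record the commands each user ran on ACS.
aaa accounting commands 15 default start-stop group ACS-GROUP
aaa accounting exec default start-stop group ACS-GROUP
!
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
```

IOS moves to the next method in a list only when the previous method returns an error (no reachable ACS server); an explicit reject from ACS ends the attempt. A wrong AD password therefore does not fall through to the local account, which is the behaviour you want. Test the fallback deliberately by taking the ACS server out of reach in a lab before relying on it, and check the device and ACS logs to confirm which method actually authenticated the session.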

 

Source: https://supportforums.cisco.com/thread/2150083?tstart=0
