07-27-2004 10:46 AM - edited 07-04-2021 09:50 AM
I have a customer that wants to authenticate to an ACS 3.2 to the Windows 2000 server DC. So users have to log on to the AD from a wireless connection. I am a little confused on the ACS piece of it. Any help would be great.
07-27-2004 12:24 PM
Is your question specifically about how to configure the ACS to authenticate against an AD? That part is pretty straightforward: join the ACS into the domain, configure the Windows database as needed under the External Database options, and set the Unknown User policy to check the Windows database.
If you're using the ACSE appliance instead of a standard hardware platform, you have to set up a separate PC to act as a remote agent, since the appliance cannot be joined directly to the domain.
Does that answer your questions? If not, could you clarify what your questions are?
07-27-2004 01:35 PM
Just to give you more information, I need laptop users to log into Cisco WAPs with their Windows login like they are wired. I notified TAC and they said to use LEAP. Your way sounds better unless you're wireless.
If I configure ACS to do RADIUS, can I still use the TACACS piece for switch and router access?
07-28-2004 04:47 AM
What you do is create two ACS entries for each access point, one for radius and one for tacacs. Put all the radius instances in one network device group, and authorize all your wireless users for that group. Then put all the tacacs entries in a different group, and only authorize your network admins on that group. This allows you to differentiate between authenticating *to* a device (tacacs) versus authenticating *through* a device (radius).
I believe it's possible to set up wireless access using the Windows logon under either LEAP or PEAP.
07-28-2004 09:06 AM
Thanks for the information. LEAP is what I am using for Windows.