ACS tacacs+ via generic ldap to AD

Jul 11th, 2007

Hi

I configured ACS to use generic LDAP access to Active Directory via RADIUS. That was very, very easy.

How can I configure the same through TACACS+? Is it possible to use generic LDAP to AD over TACACS+?

Thanks for the help

bb

mattiaseriksson Wed, 07/11/2007 - 05:56

I don't quite understand the question, but you can use either radius or tacacs+ to query the ACS, which can be configured to use generic LDAP to query any back end LDAP compatible directory. You can use the ACS to integrate multiple different back end directory servers, and let network devices use radius OR tacacs+ to query the ACS.

bigbrother74 Wed, 07/11/2007 - 06:53
@mattiaseriksson

In detail: I configured the ACS AAA clients to use RADIUS. Then I created a generic LDAP connection to MS Active Directory and mapped this connection in a "Network Access Profile" with RADIUS (IETF).

But if I configure an AAA client with TACACS+, I cannot create a "Network Access Profile" because ACS tells me that only RADIUS is supported.

I used the following link to configure it:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a0080721dab.html

You can see in "Figure 4-8 Network Access Profiles Page" under "Protocol types" that only RADIUS is supported... Why not TACACS+?

That's why I configured the AAA client with RADIUS and not with TACACS+. But if I want to configure "Shell Command Authorization Sets", then I have to use TACACS+...

So I'm very confused with the ACS 4.1 server. It is not really user-friendly to configure.

My question after all this:

How do I configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory?

Thanks for any help

bb



mattiaseriksson Wed, 07/11/2007 - 07:22

Ok, so your question should really be: "How do I configure ACS to use TACACS+ with Network Access Profiles?"

The answer is you can't, because TACACS+ is not yet supported with NAPs.

The only thing you can do is to use "Grant access using global configuration, when no profile matches".

But that will probably not work with Agentless Host Support, if that is what you are trying to do.

bigbrother74 Wed, 07/11/2007 - 21:48

Hi

At this point I'm just interested in how to configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory.

This is just the thing I will do...

Thanks for the help

bb

Correct Answer
mattiaseriksson Thu, 07/12/2007 - 00:48

In that case, try and configure a Generic LDAP External User Database, as you probably did already:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp491718

and configure the Unknown User Policy option to check in this database.

As long as you don't use NAPs, TACACS+ should work.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/unknusr.htm
