ACS tacacs+ via generic ldap to AD

bigbrother74
Level 1

Hi

I configured ACS to use generic LDAP access to Active Directory via RADIUS. That was very, very easy.

How can I configure the same through TACACS+? Is it possible to use generic LDAP to AD over TACACS+?

Thanks for the help

bb

6 Replies

mattiaseriksson
Level 3

I don't quite understand the question, but you can use either RADIUS or TACACS+ to query the ACS, which can be configured to use generic LDAP to query any back-end LDAP-compatible directory. You can use the ACS to integrate multiple different back-end directory servers, and let network devices use RADIUS or TACACS+ to query the ACS.

@mattiaseriksson

In detail: I configured the ACS AAA clients to use RADIUS. Then I created a generic LDAP connection to MS Active Directory and mapped this connection in a "Network Access Profile" with RADIUS (IETF).

But if I configure the AAA client with TACACS+, I cannot create a "Network Access Profile" because ACS tells me that only RADIUS is supported.

I used the following Link to configure:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a0080721dab.html

You can see in "Figure 4-8 Network Access Profiles Page" under "Protocol types" that only RADIUS is supported. Why not TACACS+?

That's why I configured the AAA client with RADIUS and not with TACACS+. But if I want to configure "Shell Command Authorization Sets", then I have to use TACACS+...

So I'm very confused with the ACS 4.1 server. It is not really user-friendly to configure.

My question after all this:

How do I configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory?

Thanks for any help

bb

OK, so your question should really be: "How do I configure ACS to use TACACS+ with Network Access Profiles?"

The answer is you can't, because TACACS+ is not yet supported with NAPs.

The only thing you can do is to use "Grant access using global configuration, when no profile matches".

But that will probably not work with Agentless Host Support, if that is what you are trying to do.

Hi

At this point I'm just interested in how to configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory.

That is the only thing I want to do...

Thanks for the help

bb

Accepted Solution

In that case, try and configure a Generic LDAP External User Database, as you probably did already:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp491718

and configure the Unknown User Policy option to check in this database.

As long as you don't use NAPs, TACACS+ should work.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/unknusr.htm
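The accepted answer covers the ACS side (Generic LDAP External User Database plus the Unknown User Policy). The device side of the same setup, as an added example that is not part of the thread and not Cisco's own documentation, is the IOS AAA configuration that actually sends the TACACS+ requests to ACS and enforces the Shell Command Authorization Set the original poster wants. The ACS address 10.10.10.5, the shared secret, the local fallback account and the line numbers are assumptions for illustration; the AAA client entry for this device on ACS must be defined for TACACS+ (Cisco IOS/PIX) with the same shared secret.

```cisco
! Added example (not from the thread). Assumed values: ACS at 10.10.10.5,
! shared secret Sup3rSecret!, local fallback account "rescue".
aaa new-model
!
! Local fallback account so the device stays reachable while the
! Unknown User Policy lookup against AD is still being tested.
username rescue privilege 15 secret <set-a-strong-password>
!
tacacs-server host 10.10.10.5 key Sup3rSecret!
tacacs-server timeout 5
!
! Authentication: ask ACS first; "local" is used only when no TACACS+
! server answers, not when ACS rejects the user.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: exec (privilege level from the ACS group), then per-command
! authorization, which is what a Shell Command Authorization Set controls.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: session and command records go to ACS.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Keep the console on local authentication so a misconfigured ACS or an
! LDAP outage cannot lock you out of the box.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

Before pointing VTY logins at this, test the path from the device with `test aaa group tacacs+ <username> <password> legacy` and watch `debug tacacs` and the ACS Failed Attempts report. Two things to check if it fails: the test user must not already exist in the ACS internal database (the Unknown User Policy is only consulted for users ACS does not know), and the device must be entered on ACS as a TACACS+ AAA client, since the RADIUS client entry used for a Network Access Profile does not serve TACACS+.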

Many thanks, it helps me a lot :-)
