07-11-2007 05:03 AM - edited 02-21-2020 10:18 AM
Hi
I configured ACS to use generic LDAP access to Active Directory via RADIUS. That was very, very easy.
How can I configure the same through TACACS+? Is it possible to use generic LDAP to AD over TACACS+?
Thanks for the help
bb
07-11-2007 05:56 AM
I don't quite understand the question, but you can use either RADIUS or TACACS+ to query the ACS, which can be configured to use generic LDAP to query any back-end LDAP-compatible directory. You can use the ACS to integrate multiple different back-end directory servers, and let network devices use RADIUS or TACACS+ to query the ACS.
07-11-2007 06:53 AM
@mattiaseriksson
In detail: I configured the ACS AAA clients to use RADIUS. Then I created a generic LDAP connection to MS Active Directory and mapped this connection in a "Network Access Profile" with RADIUS (IETF).
But if I configure the AAA client with TACACS+, I cannot create a "Network Access Profile", because ACS tells me that only RADIUS is supported.
I used the following link to configure:
You can see in "Figure 4-8 Network Access Profiles Page" under "Protocol types" that only RADIUS is supported... Why not TACACS+?
That's why I configured the AAA client with RADIUS and not with TACACS+. But if I want to configure "Shell Command Authorization Sets", then I have to use TACACS+...
So I'm very confused by the ACS 4.1 server. It is not really user-friendly to configure.
My question after all this:
How do I configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory?
Thanks for any help
bb
07-11-2007 07:22 AM
OK, so your question should really be: "How do I configure ACS to use TACACS+ with Network Access Profiles?"
The answer is you can't, because TACACS+ is not yet supported with NAPs.
The only thing you can do is to use "Grant access using global configuration, when no profile matches".
But that will probably not work with Agentless Host Support, if that is what you are trying to do.
07-11-2007 09:48 PM
Hi
At this point I'm just interested in how to configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory.
This is just the thing I want to do...
Thanks for the help
bb
07-12-2007 12:48 AM
In that case, try to configure a Generic LDAP External User Database, as you probably did already, and configure the Unknown User Policy option to check this database.
As long as you don't use NAPs, TACACS+ should work.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/unknusr.htm
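To round out the accepted answer with the device side of the setup: the ACS Generic LDAP database plus Unknown User Policy handles authentication, but the asker's real goal (Shell Command Authorization Sets) also needs the AAA client to talk TACACS+ and to send exec and command authorization requests. The IOS configuration below is an added example, not something posted in this thread; the ACS address 192.0.2.10, the shared key, the method-list names and the local fallback account are all assumed placeholders. It assumes a classic IOS AAA client; the ACS-side device entry must be defined for TACACS+ with the same key.

```ios
! Added example (not from the original thread). Placeholders: 192.0.2.10 is the
! assumed ACS 4.1 server, MySharedSecret the assumed TACACS+ key.
aaa new-model
!
! Point the AAA client at ACS over TACACS+ (not RADIUS), so the global
! configuration path is used rather than a NAP, as the answer above notes.
tacacs-server host 192.0.2.10
tacacs-server key MySharedSecret
ip tacacs source-interface Loopback0
!
! Authenticate logins against ACS (which consults the Generic LDAP database
! via the Unknown User Policy); fall back to the local database only if
! every TACACS+ server is unreachable, so a dead ACS does not lock you out.
aaa authentication login VTY_LOGIN group tacacs+ local
!
! Exec authorization lets ACS assign the privilege level; command
! authorization at level 15 is what makes a Shell Command Authorization
! Set on ACS actually take effect for each command typed.
aaa authorization exec VTY_EXEC group tacacs+ local
aaa authorization commands 15 VTY_CMDS group tacacs+ local
aaa accounting commands 15 VTY_ACCT start-stop group tacacs+
!
! Emergency local account used only by the "local" fallback above.
username admin privilege 15 secret ChangeMeBeforeDeploying
!
line vty 0 4
 login authentication VTY_LOGIN
 authorization exec VTY_EXEC
 authorization commands 15 VTY_CMDS
 accounting commands 15 VTY_ACCT
```

Before applying the method lists to the VTY lines, verify reachability and the shared key with `test aaa group tacacs+ <ad-user> <password> legacy` from enable mode and watch the ACS Passed/Failed Authentications reports; an "unknown user" that passes there confirms the Unknown User Policy reached the LDAP database. Keep the `local` fallback only for outage conditions: with ACS reachable, a wrong password is a FAIL from TACACS+ and IOS does not consult the local database.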
07-12-2007 06:56 AM
Many thanks, it helps me a lot :-)