ACS to AD Authentication (w/out adding users to ACS)

Aug 7th, 2008

We are looking to have our Cisco VPN client users authenticate to AD. We don't want to add the users in ACS but still point our ASA > ACS > AD. I.e., we don't want to add a new employee into ACS but still permit him to VPN in (ACS) and auth against AD. I know we can point ASA to IAS directly and bypass ACS.

Jagdeep Gambhir Thu, 08/07/2008 - 11:12

If you have ACS using the Active Directory database, then the user will always be in AD and not in ACS.

ACS will do the authentication lookup from AD.

VPN Client--->VPN Server---->ACS---->AD.

In this setup there is no need to add the user in ACS.



Do rate helpful posts

danieldiaz Thu, 08/07/2008 - 13:12
Thank you. How does ACS distinguish between VPN users who can authenticate to AD versus the local ACS database? For example: I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to local ACS database?

charrellc011699 Thu, 08/07/2008 - 14:06
Look into the "Unknown User Policy" - ACS checks local database first, then follows the unknown user policy if the user doesn't exist locally.

For example - VPN-John Doe is an account in local ACS database and VPN-Joe Smith is an account in the (external) AD database.

Scenario 1: VPN-John Doe initiates a VPN connection - ACS challenges the user for username/password and looks locally, finds this user in its local database and authenticates or rejects the credentials supplied.

Scenario 2: VPN-Joe Smith initiates a VPN connection - ACS challenges the user for username/password and looks locally, does not find this account in its local database and follows the unknown user policy - if AD is your next defined external database, ACS will query AD for authentication or rejection.

Of course, that is a very simple explanation that leaves out per-user or per-group access restrictions that could differentiate between different users or different groups using NARs, Filters, etc.
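The lookup order described in the reply above (local ACS database first, then the external databases in the order the Unknown User Policy lists them) can be modelled in a few lines. This is an added illustration, not Cisco's code and not anything from the thread; the credential stores are constructed plain-text dictionaries standing in for the ACS local database and AD, and the function names `check_store` and `acs_authenticate` are hypothetical. The point it makes that the prose only implies: a user who exists locally is accepted or rejected locally and never falls through to AD, so a local account shadows an AD account of the same name, and with the Unknown User Policy disabled an AD-only user is simply rejected.

```python
"""Model of the ACS "Unknown User Policy" lookup order (added example, not Cisco's code)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample stores. Real ACS/AD hold password hashes and are queried over
# RADIUS/TACACS+ and Windows authentication; plain strings here only show ordering.
LOCAL_ACS_DB: Dict[str, str] = {"VPN-John Doe": "local-secret"}
AD_DB: Dict[str, str] = {
    "VPN-Joe Smith": "ad-secret",
    "VPN-John Doe": "ad-other-secret",  # same name as the local account, different password
}
# External databases in the order the Unknown User Policy would try them.
EXTERNAL_DBS: List[Tuple[str, Dict[str, str]]] = [("AD", AD_DB)]


def check_store(store: Dict[str, str], user: str, password: str) -> Optional[bool]:
    """Return None if the user is unknown here, else True/False for accept/reject."""
    if user not in store:
        return None
    return store[user] == password


def acs_authenticate(
    user: str,
    password: str,
    local_db: Dict[str, str],
    external_dbs: List[Tuple[str, Dict[str, str]]],
    unknown_user_policy: bool = True,
) -> Tuple[str, str]:
    """Return (decision, database-that-decided) following the ACS lookup order.

    1. The local database is always consulted first. If the user exists there the
       decision is final: a wrong password is rejected locally, never retried in AD.
    2. Only a user unknown locally is handed to the Unknown User Policy, which tries
       the external databases in configured order and stops at the first that knows him.
    3. A user known nowhere is rejected.
    """
    result = check_store(local_db, user, password)
    if result is not None:
        return ("ACCEPT" if result else "REJECT", "local")
    if not unknown_user_policy:
        return ("REJECT", "unknown-user-policy-disabled")
    for name, store in external_dbs:
        result = check_store(store, user, password)
        if result is not None:
            return ("ACCEPT" if result else "REJECT", name)
    return ("REJECT", "no-database")


def run_scenarios() -> List[Tuple[str, Tuple[str, str]]]:
    """The two scenarios from the thread plus the shadowing and disabled-policy cases."""
    cases = [
        ("VPN-John Doe", "local-secret", True),     # scenario 1: found locally, accepted
        ("VPN-John Doe", "ad-other-secret", True),  # local account shadows AD: rejected locally
        ("VPN-Joe Smith", "ad-secret", True),       # scenario 2: unknown locally, AD accepts
        ("VPN-Joe Smith", "wrong", True),           # unknown locally, AD rejects
        ("VPN-Nobody", "anything", True),           # known nowhere
        ("VPN-Joe Smith", "ad-secret", False),      # policy disabled: AD never consulted
    ]
    return [
        (user, acs_authenticate(user, pw, LOCAL_ACS_DB, EXTERNAL_DBS, policy))
        for user, pw, policy in cases
    ]


if __name__ == "__main__":
    for user, decision in run_scenarios():
        print(f"{user:15s} -> {decision}")
```

Two things the model leaves out on purpose: it does not apply the per-user or per-group restrictions (NARs, filters) the reply mentions, and it does not remember which external database answered for a user the way a real ACS does after a successful Unknown User Policy lookup. Both only narrow the decision further; neither changes the local-first ordering shown here.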


