08-07-2008 08:31 AM - edited 03-10-2019 04:01 PM
We are looking to have our Cisco VPN client users authenticate to AD. We don't want to add the users in ACS but still point our ASA > ACS > AD. I.e., we don't want to add a new employee into ACS but still permit him to VPN in (via ACS) and authenticate against AD. I know we can point the ASA to IAS directly and bypass ACS.
08-07-2008 11:12 AM
If you have ACS using the Active Directory database, then the user will always be in AD and not in ACS.
ACS will do the authentication lookup from AD.
VPN Client--->VPN Server---->ACS---->AD.
In this setup there is no need to add the user in ACS.
Regards,
~JG
Do rate helpful posts
08-07-2008 01:12 PM
Thank you. How does ACS distinguish between VPN users who should authenticate to AD versus the local ACS database? For example: I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to the local ACS database.
08-07-2008 02:06 PM
Look into the "Unknown User Policy" - ACS checks the local database first, then follows the Unknown User Policy if the user doesn't exist locally.
For example: VPN-John Doe is an account in the local ACS database and VPN-Joe Smith is an account in the (external) AD database.
Scenario 1: VPN-John Doe initiates a VPN connection - ACS challenges the user for username/password and looks locally, finds this user in its local database and authenticates or rejects the credentials supplied.
Scenario 2: VPN-Joe Smith initiates a VPN connection - ACS challenges the user for username/password and looks locally, does not find this account in its local database and follows the Unknown User Policy - if AD is your next defined external database, ACS will query AD for authentication or rejection.
Of course, that is a very simple explanation that leaves out per-user or per-group access restrictions that could differentiate between different users or groups using NARs, filters, etc.
HTH.
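The lookup order the answer above describes (local ACS database first, then each external database named in the Unknown User Policy, in the configured order) is easy to get wrong in one direction: an account that exists locally is decided locally, and a bad password there is a rejection, not a fall-through to AD, even if AD holds a user of the same name. The model below is an added example written for this page, not Cisco ACS code; the database names, the `authenticate` function and every account and password in it are constructed for illustration.

```python
# Added example: a model of the ACS user-lookup order described in the
# thread (local database, then the Unknown User Policy's external databases).
# Not Cisco code; all names and credentials below are constructed.
from dataclasses import dataclass, field
from hmac import compare_digest


@dataclass
class UserDatabase:
    """One credential store: the local ACS database or an external one such as AD."""
    name: str
    accounts: dict  # username -> password; constructed sample data, kept in the
                    # clear only to keep the model short (a real store would not)

    def lookup(self, username):
        return self.accounts.get(username)


@dataclass
class Decision:
    accepted: bool
    decided_by: str                  # database that accepted or rejected, or "none"
    consulted: list = field(default_factory=list)  # databases queried, in order


def authenticate(username, password, local, unknown_user_policy):
    """Check the local database first. Only if the user does not exist there
    walk the Unknown User Policy's external databases in configured order.
    An empty policy models 'fail the attempt' for unknown users."""
    consulted = []
    for db in [local, *unknown_user_policy]:
        consulted.append(db.name)
        stored = db.lookup(username)
        if stored is None:
            continue  # user unknown in this database: try the next one
        # The user exists here, so this database makes the decision.
        # A wrong password is a rejection; there is no fall-through to AD.
        ok = compare_digest(stored.encode(), password.encode())
        return Decision(ok, db.name, consulted)
    return Decision(False, "none", consulted)


# Constructed sample data mirroring the thread's two users. "VPN-John Doe"
# deliberately exists in both stores to show that the local entry shadows AD.
LOCAL_ACS = UserDatabase("ACS-local", {"VPN-John Doe": "local-pw"})
AD = UserDatabase("AD", {"VPN-Joe Smith": "ad-pw", "VPN-John Doe": "ad-pw"})
POLICY = [AD]  # Unknown User Policy: query AD for users not found locally

if __name__ == "__main__":
    attempts = [("VPN-John Doe", "local-pw"), ("VPN-John Doe", "ad-pw"),
                ("VPN-Joe Smith", "ad-pw"), ("VPN-Nobody", "whatever")]
    for user, pw in attempts:
        d = authenticate(user, pw, LOCAL_ACS, POLICY)
        verdict = "ACCEPT" if d.accepted else "REJECT"
        print(f"{user:14} -> {verdict} by {d.decided_by} (consulted {d.consulted})")
```

The second attempt is the case worth noticing: VPN-John Doe presents his AD password, but because a local ACS account with that name exists, ACS rejects him without ever asking AD. If a user is meant to authenticate against AD, make sure no stale local account of the same name is left in ACS, and if the Unknown User Policy is set to fail unknown users (an empty list here), nobody who is only in AD gets in at all.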
08-07-2008 02:10 PM
Thank you so much, this is of great help.