ACS to AD Authentication (w/out adding users to ACS)

danieldiaz · ‎08-07-2008

We are looking to have our cisco vpn client users authenticate to AD. We don't want to add the users in ACS but still point our ASA > ACS > AD. I.e, we don't want to add a new employee into ACS but still permit him to VPN (ACS)in and auth against AD. I know we can point ASA to IAS directly and bypass ACS.

Jagdeep Gambhir · ‎08-07-2008

If you have acs using active directory database then user will always be in AD and not is acs.

ACS will do the authen lookup from AD.

VPN Client--->VPN Server---->ACS---->AD.

In this set up no need to add user in acs.

Regards,

~JG

Do rate helpful posts

danieldiaz · ‎08-07-2008

Thank you. How does ACS distinguish between VPN users who can authenticate to AD versus the local ACS database? For example: I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to local ACS database?

charrellc011699 · ‎08-07-2008

Look into the "Unknown User Policy" - ACS checks local database first, then follows the unknown user policy if the user doesn't exist locally.

For example - VPN-John Doe is an account in local ACS database and VPN-Joe Smith is an account in the (external) AD database.

Scenario 1: VPN-John Doe initiates a VPN connection - ACS challenges the user for username/password and looks locally, finds this user in its local database and authenticates or rejects the credentials supplied.

Scenario 2: VPN-Joe Smith initiates a VPN connection - ACS challenges the user for username/password and looks locally, does not find this account in its local database and follows the unknown user policy - if AD is your next defined external database, ACS will query AD for authentication or rejection.

Of course, that is a very simple explanation that leaves out per-user or per-group access restrictions that could differentiate between different users or different groups using NARs, Filters, etc.

HTH.

danieldiaz · ‎08-07-2008

Thank you so much, this is of great help.