NAC SSO ACS

Answered Question
Oct 23rd, 2009

Hi All,

I know there is AD SSO in NAC. I'd like to have SSO with ACS, which is integrated with AD. Is there any document that shows how to configure SSO with ACS Express or ACS?

thanks

Alex


Faisal Sehbai Mon, 10/19/2009 - 07:57

Alex,


So you want your Windows users to authenticate to ACS which would in turn authenticate to AD, instead of your Windows users to authenticate to AD directly?


May I ask what the rationale for this is?


Thanks,

Faisal

alex goshtaei Fri, 10/23/2009 - 16:35

Thanks for the reply.

Literally, yes.

The customer wants to control authentication and accounting in ACS Express. Also, we have two NAS: one is OOB for the LAN, the other one is IB for wireless and VPN clients.

So, is there a way to have SSO with ACS Express and AD?

If not, the customer is not going to be very happy, because they certainly want SSO.

Thanks again

Alex


Correct Answer
Faisal Sehbai Fri, 10/23/2009 - 16:42

Alex,


In short no - or at least I should say that I don't know of any way to do it. To do SSO with ACS you're looking at logging in to Windows with Radius or TACACS+. This means that the Windows GINA (The Ctrl-Alt-Del piece of code) should be able to talk Radius or TACACS+ with the ACS server.


The only SSOs supported on CCA are AD SSO (where you log in to your Windows machine and SSO happens) or Radius SSO (Wireless/VPN sort of setup). The second sort is where you can do accounting on ACS. With an AD authentication, I know of no way for it to be accounted for in ACS.


One thing you could do theoretically is to send an accounting record/packet to your ACS Express from the DCs or from the machine itself, but these are far-fetched solutions and would require quite a lot of work/testing etc.


So in short, no :-)


[EDIT] One option which I completely forgot about, and could work for your customer, is to configure an accounting server in CCA. That way you can log in to AD and still send accounting packets to an accounting server. More information here:


http://www.cisco.com/en/US/partner/docs/security/nac/appliance/configuration_guide/45/cam/m_auth.html#wp1159082


[END_EDIT]


HTH,

Faisal
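The accounting-server option in the answer above means the CAM sends RADIUS accounting packets (RFC 2866) to ACS Express for each AD-SSO session. The following is an added example, not code from this thread, from Cisco NAC or from ACS; it builds an Accounting-Request (Start) the way a NAS would, and shows the check an accounting server must do before trusting the record: recompute the Request Authenticator with the shared secret, so that a packet whose attributes were altered in transit, or one sent by a host that does not hold the secret, is rejected. All addresses, the username, the session id and the shared secret are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes (RFC 2866)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types used here (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier, secret, user, nas_ip, client_ip, session_id, status):
    """NAS side: build an Accounting-Request with the RFC 2866 Request Authenticator."""
    attrs = (
        _attr(USER_NAME, user.encode())
        + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(client_ip).packed)
        + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
        + _attr(ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(body: bytes) -> dict:
    """Walk the TLV attribute list; reject lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def verify_accounting_request(packet: bytes, secret: bytes):
    """Server side: return the attributes only if the Request Authenticator is valid."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    # Constant-time compare; any attribute change or wrong secret fails here
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return parse_attributes(attrs)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side: Accounting-Response with Response Authenticator bound to the request."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: confirm the response came from a holder of the secret, for this request."""
    if len(response) != 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or length != 20:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real deployment value
    req = build_accounting_request(7, secret, "alex", "10.0.0.1", "10.0.5.20",
                                   "0001", ACCT_STATUS_START)
    print("server accepted:", verify_accounting_request(req, secret) is not None)
    print("server rejected tampered:", verify_accounting_request(req[:22] + b"b" + req[23:], secret) is None)
    resp = build_accounting_response(req, secret)
    print("NAS accepted response:", verify_accounting_response(resp, req, secret))
```

The Request Authenticator check is the whole of the integrity story for RADIUS accounting over UDP; without it the accounting server will record any session a sender cares to claim. Note that the MD5-plus-secret construction only authenticates the packet to a holder of the shared secret, so the secret quality and the list of permitted NAS addresses on the accounting server both matter.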
