NAC SSO ACS

alex goshtaei
Level 1

Hi All,

I know there is AD SSO in NAC. I'd like to have SSO with ACS, which is integrated with AD. Is there any document to show how to configure SSO with ACS Express or ACS?

thanks

Alex

Accepted Solution

Alex,

In short no - or at least I should say that I don't know of any way to do it. To do SSO with ACS you're looking at logging in to Windows with Radius or TACACS+. This means that the Windows GINA (The Ctrl-Alt-Del piece of code) should be able to talk Radius or TACACS+ with the ACS server.

The only SSOs supported on CCA are AD SSO (where you login to your Windows machine and SSO happens) or Radius SSO (Wireless/VPN sort of setup). The second sort is where you can do accounting on ACS. With an AD authentication, I know of no way for it to be accounted for in ACS.

One thing you could do theoretically is to send an accounting record/packet to your ACS Express from the DCs or from the machine itself, but these are far-fetched solutions and would require quite a lot of work/testing etc.

So in short, no :-)

[EDIT] One option which I completely forgot about, and could work for your customer is to configure accounting server in CCA. That way you can log in to AD and still send accounting packets to an accounting server. More information here:

http://www.cisco.com/en/US/partner/docs/security/nac/appliance/configuration_guide/45/cam/m_auth.html#wp1159082

[END_EDIT]

HTH,

Faisal

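To make the accounting-server option above concrete, here is an added example (not from the thread, not Cisco code) of the RADIUS Accounting-Request that an accounting server configured in CCA would receive, and of the check the receiving side performs: the Request Authenticator is an MD5 over the packet plus the shared secret (RFC 2866), so a record is only trustworthy if it validates under the secret. The username, NAS IP, session ID and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
# Attribute type codes from RFC 2865 / RFC 2866
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
ACCT_START, ACCT_STOP = 1, 2

def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type (1 octet), length (1 octet, incl. header), value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_request(secret: bytes, ident: int, username: str,
                       nas_ip: str, session_id: str, status: int) -> bytes:
    """Build an Accounting-Request (Start or Stop) as a NAS such as CCA would send it."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 Request Authenticator:
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_acct_request(secret: bytes, packet: bytes) -> bool:
    """Accounting-server side: accept the record only if the authenticator matches."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header; stop on a malformed length."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out
```

A record that fails `verify_acct_request` (wrong secret, or any tampered byte) should be dropped and logged rather than written to the accounting store.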

3 Replies

Faisal Sehbai
Level 7

Alex,

So you want your Windows users to authenticate to ACS which would in turn authenticate to AD, instead of your Windows users to authenticate to AD directly?

May I ask what the rationale for this is?

Thanks,

Faisal

Thanks for the reply.

Literally yes.

The customer wants to control authentication and accounting in ACS Express. Also, we have two NAS: one is OOB for LAN, the other one is IB for wireless and VPN clients.

So is there a way to have SSO with ACS Express and AD?

If not, the customer is not going to be very happy, because they certainly want SSO.

Thanks again

Alex

