12-09-2009 09:05 AM - edited 03-10-2019 04:50 PM
All,
I am designing an FCAPS solution for my client and I have a few questions about authentication via internal DB vs external DB.
Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?
If I configure ACS for external authentication via Windows AD, can my devices (AAA clients) still use TACACS+? From what I read in the user's guide, the communication between Windows AD and ACS is RADIUS, but I'm not sure if that means the communication between ACS and the devices has to be RADIUS as well.
Please advise.
Stephanie
12-09-2009 08:25 PM
Hi,
When an authentication request comes to the ACS, first the ACS Internal Database is checked. If the user is not found in the Internal Database, then the request is forwarded to the ACS "Unknown User Policy", and if you have configured your Active Directory to work with the ACS, the request would be sent to it.
If you are using the ACS 3.x/4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html
You can configure the devices to use Radius/tacacs even if the User is authenticated through the Active Directory.
The ACS communicates to the Active Directory in the following manner:
When ACS authenticates to Windows, it uses standard API calls to send the username/password to the local member server that ACS is installed on. That member server then forwards the authentication request to the local domain controller. The local domain controller checks its local SAM database and, if the user does not exist there, it forwards requests to all trusted domains until it gets a success.
To check the different Databases supported, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636
Regards,
Kush
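The lookup order described in the answer above (Internal Database first, then the Unknown User Policy handing the request to the external database) can be modelled to see what happens to each kind of user when the external database is unreachable. This is an added illustration, not Cisco ACS code; the class and function names, the sample user entries and the status values are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    ERROR = "error"      # external database could not be reached; no verdict


@dataclass
class InternalDb:
    """Model of the ACS Internal Database (constructed sample data)."""
    users: Dict[str, str]  # username -> password

    def check(self, user: str, password: str) -> Optional[Verdict]:
        if user not in self.users:
            return None  # unknown to the internal DB -> Unknown User Policy
        return Verdict.ACCEPT if self.users[user] == password else Verdict.REJECT


@dataclass
class ExternalDb:
    """Model of an external database such as Windows AD (constructed)."""
    name: str
    users: Dict[str, str]
    available: bool = True

    def check(self, user: str, password: str) -> Optional[Verdict]:
        if not self.available:
            return Verdict.ERROR  # unreachable: the request cannot be evaluated
        if user not in self.users:
            return None
        return Verdict.ACCEPT if self.users[user] == password else Verdict.REJECT


def authenticate(user: str, password: str, internal: InternalDb,
                 externals: List[ExternalDb]) -> Tuple[Verdict, str]:
    """Return (verdict, source) following the internal-first lookup order."""
    # Step 1: the Internal Database is always consulted first.
    verdict = internal.check(user, password)
    if verdict is not None:
        return verdict, "internal"
    # Step 2: the user is unknown, so the Unknown User Policy tries the
    # configured external databases in order.
    for db in externals:
        verdict = db.check(user, password)
        if verdict is Verdict.ERROR:
            # The internal DB already had no entry, so there is nothing to
            # fall back to; the request fails with an error, not a reject.
            return verdict, db.name
        if verdict is not None:
            return verdict, db.name
    return Verdict.REJECT, "unknown-user-policy"


def demo(ad_available: bool) -> Dict[str, Tuple[Verdict, str]]:
    """Run the three interesting cases against constructed sample data."""
    internal = InternalDb(users={"localadmin": "L0cal!"})
    ad = ExternalDb(name="ad", users={"stephanie": "Ad!pass"}, available=ad_available)
    cases = {
        "localadmin": "L0cal!",    # exists internally: works even if AD is down
        "stephanie": "Ad!pass",    # exists only in AD: depends on AD reachability
        "nobody": "x",             # in neither database
    }
    return {u: authenticate(u, p, internal, [ad]) for u, p in cases.items()}


if __name__ == "__main__":
    for state in (True, False):
        print(f"AD available={state}")
        for user, (verdict, source) in demo(state).items():
            print(f"  {user:10s} -> {verdict.value:6s} via {source}")
```

The model makes the point of the answer concrete: because the Internal Database is consulted first, users defined there keep working when AD is unreachable, while users that exist only in AD get an error rather than being silently tried against the internal store.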
12-10-2009 07:21 AM
Kush,
Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?
Can ACS send an event/trap when an unknown user is discovered?
Stephanie
12-10-2009 08:59 AM
"Internal database lookup" can be configured first only when your network devices are authenticating using Radius Protocol. This is possible using an ACS feature called Network Access Profiles.
I would not consider the Internal Database as a fallback for AD. ACS keeps track of the existing AD users because the ACS or Remote Agent (installed on a Windows AD Member Server) is part of the AD Domain.
The ACS creates a dynamic entry for each user, but still looks up the User's Password against the AD database.
Back to your original question: ACS does not talk to AD (installed on a Windows AD Member Server) using Radius, and your Network Devices can be configured to talk Radius or Tacacs to ACS.