NAC 4.1 with ACS

May 21st, 2010

Hello dears,

I have a NAC 4.1 and I'm implementing it in L2 in-band virtual mode. I also have an ACS Engine 4.2. I'm confused: should I integrate NAC with Windows AD or with ACS? If I'm integrating NAC with ACS then I have to integrate ACS with Windows AD. What is the best procedure when we have both products in place?

This implementation is far from the city, at the border of the country in a remote area. If I get stuck anywhere I will be screwed up badly, so please help with a convenient solution that I can go with.


sganpat Fri, 05/21/2010 - 16:27

It depends on what you are doing with the NAC. Are you doing posture assessment only, with only a single role for users after success? Or are you placing users in different roles using mappings (such as group or OU), for example, finance goes in the finance VLAN and sales in the sales VLAN?

If it is the former, then AD SSO is probably the best as it has less user interaction. If it is the latter, then using ACS may work out better as you have the flexibility to map users based on the attributes returned by ACS, although you lose the SSO capability.

estelamathew Sat, 05/22/2010 - 00:15

Hello Dear,

Thanks for your reply.

Up till now I was thinking of creating a single role and mapping it with AD.

Suppose I integrate with AD with a single role and also integrate AD with ACS separately; will there be any issues when users log in?

I know the above is not best practice, but I'm not comfortable with attribute mapping from an external server such as TACACS+ or RADIUS for users. Can you guide me with simple steps on how I can achieve this? I have read the Cisco Press book; is there any configuration example for attribute mapping for users?

sganpat Sat, 05/22/2010 - 20:21

There will be no issue having both, but know that the AD SSO will take preference over the other logon provider. You will get the agent popping up if the user fails the logon process (for example, if they log on using a local workstation account), and they will only have one option, that of the ACS authentication provider.

You should configure another authentication provider other than the AD SSO to allow guests or machines that are not in the AD domain to log in.

Check out the following link to configure ACS for authentication. If you only have one role then you do not need to create mappings, as once they are authenticated they will go to the default role that you select.