Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
515
Views
0
Helpful
3
Replies

NAC 4.1 with ACS

estelamathew
Level 2
Level 2

‎05-21-2010 07:09 AM - edited ‎02-21-2020 10:24 AM

Hello dears,

I have a NAC 4.1 and i m implementing in L2 In-band virtual mode, I also have a ACS Engine 4.2,I m confused,i shld integrate NAC with windows AD or with ACS.If i m integrating NAC with ACS then i have to integrate ACS with windows AD, what is the best procedure when we have both products in place,

This implementation is far from city @ border of  country in remote side ,if i got stuck anywhere i will secrewed up badly, please help for the convienient solution so that i can prefer.

Thanks,

Labels:
0 Helpful
3 Replies 3

sganpat
Level 1
Level 1

‎05-21-2010 04:27 PM

It depends on what you are doing with the NAC. Are you doing posture assessment only and only a single role for users after success? Or are you placing users in different roles usinging mappings (such as group or OU), for example, finance goes in finance VLAN and sales in sales VLAN?

If it is the former, then AD SSO is probably the best as it is has less user interaction. If it is the latter, then using ACS may work out better as you have the flexibility to map users based on the attributes returned by ACS, although you lose the SSO capability.

0 Helpful

estelamathew
Level 2
Level 2
In response to sganpat

‎05-22-2010 12:15 AM

Hello Dear,

Thanks for ur reply,

Uptill now i was thinking to create a single role and mapping with AD.

Suppose if i integrate with AD with a single role also i can integrate AD with ACS seperately there will be any issues while login of user??

I know the above is not best practice but i m not comfortable with attributes mapping from external server such as TACACS+ OR RADIUS for user, Can u guide me to simple steps how i can achieve this i have read  in the cisco press book any configuration example for attributes mapping for user.

0 Helpful

sganpat
Level 1
Level 1
In response to estelamathew

‎05-22-2010 08:21 PM

There will be no issue to have both, but know that the AD SSO will take preference to the other logon provider. You will get the agent popping up if the user fails the logon process (for example if they log on using a local workstation account) and they will only have one option, that of the ACS authentication provider.

You should configure another authentication provider other than the AD SSO to allow guests or machines that are not in the AD domain to log in.

Check out the following link to configure ACS for authentication. If you only have one role then you do not need to create mappings as once they are authenticated they will go to the default role that you select.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

0 Helpful
Customers Also Viewed These Support Documents