
Setting up ACS 5.3

steve switzer
Level 1

Hi All

I have just been tasked with setting up the ACS 5.3 and am having a few problems getting things started.

Here is  a question from my server team -

“ACS specifies an account to join the machine to the domain. Will this account then be the account that it communicates to AD on once it has joined the domain, or is there somewhere we need to put AD credentials for LDAP lookup? Our AD administrator is happy to join it to the domain but does not want ACS then running under his account.”

In other words, we don't want to use an admin account, but surely we only need an ordinary account that reads AD for authentication?

Can anyone clear this one up?

Steve

2 Replies

Tarik Admani
VIP Alumni

Here are the account guidelines for joining ACS to AD. Once ACS joins AD it will authenticate users through the workstation account that is created when it's joined. The only time ACS needs the credentials of the account is when the box joins AD.

Username

Predefined user in AD. AD account required for domain access in ACS should have either of the following:

Add workstations to domain user right in corresponding domain.

Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).

We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.

www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1140906

Thanks,

Tarik Admani
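An added example of the least-privilege setup the guidelines above describe (not from the thread or the Cisco documentation): delegate only the Create/Delete Computer Objects permission to an ordinary join account on one container, and check that the account is not a privileged admin. It assumes the RSAT ActiveDirectory module, an operator who can edit the container's ACL, and hypothetical names for the account and container; the ACS join itself then creates the machine account.

```powershell
# Added example, not Cisco's or the thread's own code. All names are hypothetical.
# Requires the RSAT ActiveDirectory module (provides the AD: PSDrive used below).
Import-Module ActiveDirectory

$JoinAccount = 'acs-join'                                # ordinary domain user, not an admin
$TargetContainer = 'CN=Computers,DC=example,DC=com'      # where the ACS machine account will be created

# Guard: the join account must not sit in a privileged group (direct membership only).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$memberOf   = (Get-ADPrincipalGroupMembership -Identity $JoinAccount).Name
$overlap    = $memberOf | Where-Object { $privileged -contains $_ }
if ($overlap) { throw "Join account is in privileged group(s): $($overlap -join ', ')" }

# Delegate CreateChild/DeleteChild for the 'computer' object class only, on this container only,
# with no inheritance to child objects. This is the narrow permission the guidelines call for.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class
$sid  = (Get-ADUser -Identity $JoinAccount).SID
$acl  = Get-Acl -Path "AD:\$TargetContainer"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetContainer" -AclObject $acl

# Verify: list only the ACEs the join account now holds on the container.
(Get-Acl -Path "AD:\$TargetContainer").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Because the join account creates the machine account itself, it becomes that object's owner and no further rights on the object are needed; if the computer object is precreated by someone else, extra write rights on that object are required and are not shown here.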

Thanks Tarik