Cisco Support Community

New Member

ACS to AD Authentication (w/out adding users to ACS)

We are looking to have our Cisco VPN client users authenticate to AD. We don't want to add the users in ACS, but we still want the path to be ASA > ACS > AD. I.e., we don't want to add a new employee into ACS but still permit him to VPN in (through ACS) and authenticate against AD. I know we can point the ASA to IAS directly and bypass ACS.

  • AAA Identity and NAC
4 REPLIES

Re: ACS to AD Authentication (w/out adding users to ACS)

If you have ACS using the Active Directory database, then the user will always be in AD and not in ACS.

ACS will do the authentication lookup against AD.

VPN Client--->VPN Server---->ACS---->AD.

In this setup there is no need to add the user in ACS.

Regards,

~JG

Do rate helpful posts

New Member

Re: ACS to AD Authentication (w/out adding users to ACS)

Thank you. How does ACS distinguish between VPN users who authenticate to AD and those who authenticate to the local ACS database? For example, I want VPN-Joe Smith to authenticate to AD, while I want VPN-John Doe to authenticate to the local ACS database.

New Member

Re: ACS to AD Authentication (w/out adding users to ACS)

Look into the "Unknown User Policy": ACS checks its local database first, then follows the Unknown User Policy if the user doesn't exist locally.

For example - VPN-John Doe is an account in local ACS database and VPN-Joe Smith is an account in the (external) AD database.

Scenario 1: VPN-John Doe initiates a VPN connection - ACS challenges the user for username/password and looks locally, finds this user in its local database and authenticates or rejects the credentials supplied.

Scenario 2: VPN-Joe Smith initiates a VPN connection - ACS challenges the user for username/password and looks locally, does not find this account in its local database and follows the Unknown User Policy; if AD is your next defined external database, ACS will query AD for authentication or rejection.

Of course, that is a very simple explanation that leaves out per-user or per-group access restrictions that could differentiate between different users or different groups using NARs, Filters, etc.

HTH.
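The lookup order described in the reply above, as an added model (not Cisco ACS code, which is a closed appliance; the class and function names, the in-memory dictionaries standing in for the ACS local database and AD, and the sample usernames and passwords are all constructed for this illustration). It walks both scenarios from the post and also the case the description implies but does not spell out: because the local database is consulted first and decides on its own, a local account with the same username as an AD account shadows the AD one, so an AD-only password for that name is rejected rather than forwarded.

```python
"""Model of the ACS "Unknown User Policy" lookup order.

Added illustration, not Cisco ACS code. Data stores are in-memory
dictionaries and the password check is a plain comparison; the names
Database, AcsModel and authenticate are invented for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Database:
    """One credential store: the ACS local DB or an external DB such as AD."""
    name: str
    users: dict[str, str] = field(default_factory=dict)   # username -> password

    def has_user(self, username: str) -> bool:
        return username in self.users

    def check(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


@dataclass
class AcsModel:
    local: Database
    # External databases consulted, in order, by the Unknown User Policy.
    unknown_user_policy: list[Database] = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> tuple[bool, str]:
        """Return (accepted, name of the database that decided).

        1. The local database is always consulted first. If the username
           exists locally, that entry decides (accept or reject) and there
           is no fall-through to any external database.
        2. Otherwise the external databases are tried in policy order; the
           first one that knows the username decides.
        3. If no database knows the username, the request is rejected.
        """
        if self.local.has_user(username):
            return self.local.check(username, password), self.local.name
        for db in self.unknown_user_policy:
            if db.has_user(username):
                return db.check(username, password), db.name
        return False, "none"


# Constructed sample data matching the scenarios in the post.
acs_local = Database("ACS local", {"VPN-John Doe": "john-local-pw"})
active_directory = Database("AD", {
    "VPN-Joe Smith": "joe-ad-pw",
    # Same username as the local account but a different password: the
    # local entry shadows it because the local database is checked first.
    "VPN-John Doe": "john-ad-pw",
})
acs = AcsModel(local=acs_local, unknown_user_policy=[active_directory])


if __name__ == "__main__":
    attempts = [
        ("VPN-John Doe", "john-local-pw"),   # scenario 1: accepted by local DB
        ("VPN-Joe Smith", "joe-ad-pw"),      # scenario 2: not local, accepted by AD
        ("VPN-John Doe", "john-ad-pw"),      # local entry shadows AD: rejected
        ("VPN-Nobody", "anything"),          # unknown everywhere: rejected
    ]
    for user, pw in attempts:
        accepted, decided_by = acs.authenticate(user, pw)
        print(f"{user!r}: {'ACCEPT' if accepted else 'REJECT'} (decided by {decided_by})")
```

The shadowing case is the one worth checking on a real deployment: before leaving an account in the ACS local database, confirm that no AD user with the same username is expected to authenticate through the same ACS, since the local entry will win every time.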

New Member

Re: ACS to AD Authentication (w/out adding users to ACS)

Thank you so much, this is of great help.
