Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS with AD and network management only

I purchased an ACS server and am running 5.x.  I have setup the initial config so have access to the server.

I thought this would allow me to manage authentication to all my cisco equipment with my AD account.  I would rather not build individual accounts on the ACS and woudl rather tie it to Active Directory so we can quickly delete access at the AD level rather than AD then ACS.

So I created an AD account and username.  On the ACS server I went to external stores and Active Directory. When I try to enter the domain, uname, and pw I get an error that I am trying to add a device to AD.  I really just wanted to be able to do more like an LDAP query so the ACS knew of AD accounts.

Any help or links to setup would be apprecited,
JD

2 REPLIES

Re: ACS with AD and network management only

Joseph,

Is this an ACS appliance?

If the ACS is running version 4.x on a windows server, then it can be member of the domain, but if it's an appliance I believe that it will not let you interact directly with AD (you can download an agent that communicates the appliance with the AD).

Even with an appliance or with ACS running on windows, there's no need to create the user database on the ACS appliance if you still use the AD for user database. The difference is in how the appliance or the windows server interact with AD.

Federico.

New Member

Re: ACS with AD and network management only

He is running 5.x as stated in his question. And 5.x only comes as appliance (hw or vmware).

Here is the doc for 5.x

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/acsuserguide.html

Basically 5.x uses LDAP (SMB) to communicate with the domain. You need to specify a user with read access to the OU's which you want to search in when doing authentication. This user also needs to have permission to add computers to the domain as it will add the ACS server to the domain. (Yes, even though it is not windows).

After that you can use specify ldap groups in your policies to check group membership to allow user access. It's pretty straight forward actually!

295
Views
0
Helpful
2
Replies
CreatePlease to create content