
ASA/ACS/AD - SafeWord authentication and AD Group mappings

dunken_swe
Level 1

Hi. I'm doing a theoretical pre-study about ASA/ACS/AD integration.

From what I can find in the documentation of Cisco ACS, it is possible to map Active Directory user groups to ACS groups and thereby give users different authority in the network (Correct?).

The thing is that we have to use SafeWord PremierAccess for token authentication, and I can't figure out from the documentation if it is possible to authenticate with SafeWord and then do the authorization from Active Directory user groups.

Today things look like this:

Users who access the network remotely through a VPN connection are today authenticated by a SafeWord PremierAccess, which asks the RADIUS database for user credentials. These are then returned to the ASA 55XX, which lets the user access the network.

What I want to accomplish is this:

Users who access the network remotely through a VPN connection should be authenticated by a SafeWord PremierAccess server (in the same way as before), but authorization should be taken from an Active Directory where the user is assigned to ordinary user groups. These user groups should have a corresponding ACS group assigned to them with access restrictions.

For example:

A user has a group membership in the AD called e.g. CrappyCorp, and this group has a corresponding ACS group that restricts the user's access to only CrappyCorp's VLAN.

Is it possible to configure ACS to use the SafeWord PremierAccess server as an authentication database and then use Active Directory for group mappings?

If it is possible, how could it be solved?

Thankful for any help or input on this.

Best regards.

// Dunken


darpotter
Level 5

No, ACS doesn't allow you to authenticate from one external db and authorise from a different one.

Would be nice... but not supported.

Darran
