Cisco Support Community

ASA/ACS/AD - SafeWord authentication and AD Group mappings

Hi. I'm doing a theoretical pre-study about ASA/ACS/AD integration.

From what I can find in the documentation of Cisco ACS, it is possible to map Active Directory user groups to ACS groups and thereby give users different authority in the network (Correct?).

The thing is that we have to use SafeWord PremierAccess for token authentication, and I can't figure out from the documentation if it is possible to authenticate with SafeWord and then do the authorization from Active Directory user groups?

Today things look like this:

Users who access the network remotely through a VPN connection are today authenticated by a SafeWord PremierAccess, which asks the RADIUS database for user credentials. These are then returned to the ASA 55XX, which lets the user access the network.

What I want to accomplish is this:

Users who access the network remotely through a VPN connection should be authenticated by a SafeWord PremierAccess server (in the same way as before), but authorization should be taken from an Active Directory where the user is assigned to ordinary user groups. These user groups should have a corresponding ACS group assigned to them with access restrictions.

For example:

A user has a group membership in the AD called e.g. CrappyCorp, and this group has a corresponding ACS group that restricts the user's access to only CrappyCorp's VLAN.

Is it possible to configure ACS to use the SafeWord PremierAccess server as an authentication database and then use Active Directory for group mappings?

If it is possible, how could it be solved?

Thankful for any help or input on this.

Best regards.

// Dunken


Re: ASA/ACS/AD - SafeWord authentication and AD Group mappings

No, ACS doesn't allow you to authenticate from one external db and authorise from a different one.

Would be nice... but not supported.