I have the following situation.
I need to configure two ACS appliances to authenticate remote users that connect via VPN, against an AD server.
In other words, the remote users connect with their VPN clients to an ASA (which then send the request to the ACS and validate the user or not). I have configure the ACS software in Windows to authenticate users locally in the ACS database in the past but now I need assistance integrating the ACS with the AD database. Could someone give me some hints on this one or a very nice link that I can follow? Thank you all!
The problem with the ACS appliance (the Cisco 1113 right?) is that it is effectively a locked down Windows server with ACS installed on it. To authenticate users to a domain, you need to have the authenticating server (i.e. the ACS) as part of your AD domain. The problem is that because the ACS is locked down, you can't do that.
So, Cisco have this thing called the ACS Remote Agent. Basically, you install this on a Windows server that is part of your domain, and then point your ACS to use that server as the Remote Agent.
See the following link:
Note that you need to install the same Remote Agent version on your server as the ACS version.
Also, you can do things such as restricting logons to your VPN to users that are part of a specific AD group by using mappings in the ACS to map an ACS group to an AD group, and that way you can apply Network Access Restrictions on that ACS group.
If you are using ACS appliance , then we need to install remote agent on member server or on domain controller. Remote agent works a middle man that facilitates communication between acs appliance on AD.
We don't need this for acs windows.
Please see this link, we need to configure certain permission for the remote agent service/acs win service, so that it can query DC.
Do rate helpful posts
Just another question...
In case I don't have the ACS Software Migration CD... can I download the Remote Agent from cisco.com?
yes, You can download Remote Agent from CCO but pay attention to download exact same version of Remote Agent as ACS version.
You can download the RA and ACS SE patches from CCO, but I don't think you can download the Full Version of ACS Remote Agent.
You'll be required to open a TAC case in order to have it posted.
Note: A software contract would be also required.
No, you can download the full version of the ACS Remote Agent. You just need to scroll lower below all the patch versions to see the original full version. You install the relevant full version first, then apply the relevant patch to align the ACS version and the ACS RA version.
My mistake! goulin is totally right... the full version of the RA is available in the same link where the patches are available.
You can also do this without the RA if you configure Secure LDAP on the SE. This is the direction we are going so we are NOT dependent on Windows servers.