Most probably this question has been asked earlier but I couldnt find any during my research in this forum.
For now, I setup all our networking devices to use tacacs+ for authentication and it works ok. What I want to accomplish is, I want to restrict the user privileges based on which AD group the user belongs to. I think I need to setup our existing AD as an LDAP server on Cisco ACS.
Like if the user belongs to an ordinaru Domain Users group he wont get authorized to access that network device but if he/she belongs to CiscoAdmins group in our active directory structure then they will have granted access.
If anyone has any config examples (not just guides) on ways of doing this I would really appreciate if they can share those with me. I really do not have time to go through many pages of Cisco ACS Admin guide.
With the limited time you do have... read the docs on external authentication & group mapping.
Set the unknown user policy to authenticate against Windows. Then on the group mappings sub-config map between the desired AD groups and ACS groups. Noting that this is a prioritised list (can screw you up if users are members of multiple AD groups unless you are careful). The last entry in the list can be mapped to so that not every tom, dick or harry can get in.
No need to manually add users to ACS and each authenticated user will be dynamically assigned an ACS group based on AD membership.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...