
New Member

ACS tacacs+ via generic ldap to AD

Hi

I configured ACS to use generic LDAP access to Active Directory via RADIUS. That was very, very easy.

How can I configure the same through TACACS+? Is it possible to use generic LDAP to AD over TACACS+?

Thanks for help

bb

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACS tacacs+ via generic ldap to AD

In that case, try and configure a Generic LDAP External User Database, as you probably did already:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp491718

and configure the Unknown User Policy Option to check in this database.

As long as you don't use NAPs, TACACS+ should work.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/unknusr.htm

6 REPLIES

Re: ACS tacacs+ via generic ldap to AD

I don't quite understand the question, but you can use either RADIUS or TACACS+ to query the ACS, which can be configured to use generic LDAP to query any back-end LDAP-compatible directory. You can use the ACS to integrate multiple different back-end directory servers, and let network devices use RADIUS or TACACS+ to query the ACS.

New Member

Re: ACS tacacs+ via generic ldap to AD

@mattiaseriksson

In detail: I configured the ACS AAA clients to use RADIUS. Then I created a generic LDAP connection to MS Active Directory and mapped this connection in a "Network Access Profile" with RADIUS (IETF).

But if I configure an AAA client with TACACS+, I cannot create a "Network Access Profile" because ACS tells me that only RADIUS is supported.

I used the following link to configure:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a0080721dab.html

You can see in "Figure 4-8 Network Access Profiles Page" under "Protocol types" that only RADIUS is supported... Why not TACACS+?

That's why I configured the AAA client with RADIUS and not with TACACS+. But if I want to configure "Shell Command Authorization Sets", then I have to use it with TACACS+...

So I'm very confused with the ACS 4.1 server. It is not really user-friendly to configure.

My question after all these things:

How do I configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory?

Thanks for any help

bb

Re: ACS tacacs+ via generic ldap to AD

Ok, so your question should really be: "How do I configure ACS to use TACACS+ with Network Access Profiles?"

The answer is you can't, because TACACS+ is not yet supported with NAPs.

The only thing you can do is to use "Grant access using global configuration, when no profile matches".

But that will probably not work with Agentless Host Support, if that is what you are trying to do.

New Member

Re: ACS tacacs+ via generic ldap to AD

Hi

At this point I'm just interested in how to configure ACS with TACACS+ to use generic LDAP to verify users from Active Directory.

This is just the thing I want to do...

Thanks for help

bb

New Member

Re: ACS tacacs+ via generic ldap to AD

Many thanks, it helps me a lot :-)
