I have a NAC 4.1 and I'm implementing it in L2 in-band virtual mode. I also have an ACS Engine 4.2. I'm confused: should I integrate NAC with Windows AD or with ACS? If I'm integrating NAC with ACS, then I have to integrate ACS with Windows AD. What is the best procedure when we have both products in place?
This implementation is far from the city, at the border of the country in a remote area; if I get stuck anywhere I will be screwed up badly. Please help with a convenient solution that I can go with.
It depends on what you are doing with the NAC. Are you doing posture assessment only, with a single role for users after success? Or are you placing users in different roles using mappings (such as group or OU), for example finance goes in the finance VLAN and sales in the sales VLAN?
If it is the former, then AD SSO is probably the best, as it has less user interaction. If it is the latter, then using ACS may work out better, as you have the flexibility to map users based on the attributes returned by ACS, although you lose the SSO capability.
Up till now I was thinking of creating a single role and mapping it with AD.
Suppose I integrate with AD with a single role and also integrate AD with ACS separately; will there be any issues when users log in?
I know the above is not best practice, but I'm not comfortable with attribute mapping from an external server such as TACACS+ or RADIUS for users. Can you guide me through simple steps on how I can achieve this? I have read the Cisco Press book; is there any configuration example for attribute mapping for users?
There will be no issue having both, but know that AD SSO will take preference over the other logon provider. You will get the agent popping up if the user fails the logon process (for example, if they log on using a local workstation account), and they will only have one option, that of the ACS authentication provider.
You should configure another authentication provider, other than AD SSO, to allow guests or machines that are not in the AD domain to log in.
Check out the following link to configure ACS for authentication. If you only have one role, then you do not need to create mappings, as once users are authenticated they will go to the default role that you select.
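To make the two answers concrete, here is an added illustration (not code from this thread, from Cisco NAC, or from ACS) of the mapping logic being described: a user authenticated by an external server is placed in a role by matching an OU in their distinguished name or a group name against ordered mapping rules, and a user who matches no rule lands in the default role, which is all a single-role deployment needs. The attribute shapes (an LDAP-style DN string and a list of group names), the rule format, and the sample roles and VLAN numbers are all constructed for the example.

```python
"""Role mapping from attributes returned by an external authentication
server, in the style the answer describes (group/OU -> role/VLAN).
Added example, not NAC or ACS code. Attribute shapes are assumptions:
the server is taken to return an LDAP-style DN and a list of group names."""

from dataclasses import dataclass

# Constructed default role for users who match no mapping rule
# (the "default role that you select" in a single-role setup).
DEFAULT_ROLE = ("employee", 100)


@dataclass
class MappingRule:
    """One mapping rule: match on an OU in the user's DN or on a group name."""
    kind: str    # "ou" or "group"
    value: str   # OU or group name to match (compared case-insensitively)
    role: str    # role to assign on match
    vlan: int    # VLAN that role is placed in


def parse_dn(dn: str) -> dict:
    """Split an LDAP DN such as 'CN=bob,OU=Finance,DC=corp,DC=example'
    into {attribute type: [values]}. Multi-valued types (OU, DC) keep
    their order, innermost first. Escaped commas ('\\,') are not handled;
    a malformed RDN raises ValueError rather than silently matching."""
    parts: dict = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        parts.setdefault(typ.strip().upper(), []).append(val.strip())
    return parts


def map_role(dn: str, groups: list, rules: list, default=DEFAULT_ROLE) -> tuple:
    """Return (role, vlan) for an authenticated user.

    Rules are evaluated in order and the first match wins, so put the
    most specific mapping first. A user who matches nothing is still
    authenticated and simply gets the default role."""
    ous = {ou.lower() for ou in parse_dn(dn).get("OU", [])}
    group_set = {g.lower() for g in groups}
    for rule in rules:
        if rule.kind == "ou" and rule.value.lower() in ous:
            return (rule.role, rule.vlan)
        if rule.kind == "group" and rule.value.lower() in group_set:
            return (rule.role, rule.vlan)
    return default


# Constructed rule set: finance by group membership, sales by OU.
RULES = [
    MappingRule("group", "Finance-Users", "finance", 10),
    MappingRule("ou", "Sales", "sales", 20),
]

if __name__ == "__main__":
    for dn, groups in [
        ("CN=bob,OU=Finance,DC=corp,DC=example", ["Finance-Users"]),
        ("CN=alice,OU=Sales,DC=corp,DC=example", []),
        ("CN=carol,OU=Contractors,DC=corp,DC=example", ["Domain Users"]),
    ]:
        print(dn, "->", map_role(dn, groups, RULES))
```

Rule order matters: a user who is both in the Finance-Users group and in the Sales OU gets the finance role here because that rule is listed first, which is the same kind of precedence question you face when building mappings on the NAC side.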