03-15-2006 01:43 PM - edited 07-04-2021 11:47 AM
I wanted to know if Cisco ACS in any way extends the Microsoft Active Directory schema. I'm thinking not, but co-workers want some sort of confirmation. It's simply an authentication request that either gets accepted or rejected, right?
Thanks for the input!
Sincerely,
Andrew Hanson
03-21-2006 02:46 PM
Cisco ACS server will work with AD. You should not have any problem with this setup.
03-22-2006 08:49 PM
Yes, you are right, ACS doesn't extend MS AD in any way. It only uses AD to authenticate users; ACS doesn't have anything to do with MS AD for other reasons.
This applies to both the ACS Appliance and ACS on MS Windows.
03-23-2006 08:22 AM
Thanks all for the clarification!
03-23-2006 01:38 PM
ACS doesn't extend AD per se, but ACS does permit other options and functional extension.
For example, with AD, your auth options are PEAP and EAP-TLS.
With ACS, you get PEAP and EAP-TLS, but you also get LEAP and EAP-FAST ... which you may need for fast secure roaming.
There are others for both (common to both, i.e., MAC filtering) but I believe these would be the most common and desirable.
ACS also provides TACACS+, which can be handy for pushing parameters down to the client, applying scopes and other non-RADIUS functionality.
FWIW
Scott
03-23-2006 04:01 PM
Thanks for the post, Scott. However, AD isn't a RADIUS solution like ACS (or IAS), right? What you're really talking about is the EAP methods that are supported, not necessarily schema modifications within AD? So ACS does not NEED to create AD objects that are populated with attributes/properties that are integral to the EAP authentication method. I think that's right, but please let me know if it's not.
Cheers!
Drew
03-24-2006 10:58 AM
You are correct.
The combination of AD and IAS can provide some compatible auth methods.
ACS, either stand-alone or using the AD as an auth source can provide pretty much all of the available methods.
ACS doesn't need anything from the AD aside from the username / password for a MS-CHAP-v2 (usually inside an EAP system) and / or possibly MAC, maybe certificate info (the cert would usually go into the ACS software, even if it's running on the AD or the CA ...).
Basically, ACS hands the username/password to the AD and asks "Is this one of yours?" ... if the AD responds affirmatively, then ACS / RADIUS sends the "OK to pass" and opens up the connection.
Being that AD is LDAP-based, it's likely that you can, if you want, add other attributes to pass along to ACS, but it's not necessary.
Good Luck
Scott
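The exchange Scott describes (ACS hands the credentials to AD, AD answers yes or no, ACS returns Access-Accept or Access-Reject, and nothing is written to the directory) as an added Python simulation. This is not code from the thread or from Cisco; the `Directory` class, the `AccessRequest`/`AccessResponse` dataclasses and the sample accounts are constructed stand-ins, and the credential check is a plain salted-hash comparison rather than MS-CHAPv2 inside EAP. Its point is the one the thread settles on: the authenticator only reads from the account store, so the directory contents are identical before and after every request.

```python
"""Simulate a RADIUS server (ACS in the thread) that delegates the
credential check to a directory (AD in the thread) and answers
Access-Accept / Access-Reject.  Everything here is an in-memory stand-in;
no real RADIUS, LDAP or AD traffic is involved."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed account store: user -> (salt, password hash, enabled).
# Real AD stores NT hashes and is queried with MS-CHAPv2 inside EAP; a
# salted SHA-256 stands in for that here.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Directory:
    """Account store exposing a single read-only operation to the
    authenticator.  No method on this class writes, so a RADIUS server
    holding a reference to it cannot alter accounts or schema."""

    def __init__(self, credentials: dict[str, tuple[str, bool]]):
        self._accounts = {}
        for user, (password, enabled) in credentials.items():
            salt = os.urandom(16)
            self._accounts[user] = (salt, _hash_password(password, salt), enabled)

    def check_credentials(self, user: str, password: str) -> bool:
        """The only question ACS asks AD: 'is this one of yours?'"""
        record = self._accounts.get(user)
        if record is None:
            return False
        salt, stored, enabled = record
        # Constant-time comparison so timing does not leak hash bytes.
        return enabled and hmac.compare_digest(stored, _hash_password(password, salt))

    def snapshot(self) -> dict:
        """Copy of the store, used to prove authentication changed nothing."""
        return dict(self._accounts)


@dataclass
class AccessRequest:
    user_name: str          # RADIUS User-Name
    password: str           # credential proof (PAP-style here for simplicity)
    nas_ip: str             # NAS-IP-Address of the switch / AP


@dataclass
class AccessResponse:
    code: str               # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


def radius_authenticate(req: AccessRequest, directory: Directory) -> AccessResponse:
    """ACS side: ask the directory, map yes/no onto a RADIUS response.
    Any authorization attributes come from the RADIUS server's own policy,
    not from attributes stored in the directory."""
    if directory.check_credentials(req.user_name, req.password):
        return AccessResponse("Access-Accept", {"Service-Type": "Framed-User"})
    return AccessResponse("Access-Reject")


def run_demo() -> tuple[list[str], bool]:
    """Constructed walk-through: good login, wrong password, disabled
    account, unknown user.  Returns the response codes and whether the
    directory is byte-for-byte unchanged afterwards."""
    directory = Directory({
        "alice": ("correct horse", True),
        "bob": ("battery staple", False),   # disabled account
    })
    before = directory.snapshot()
    nas = "10.0.0.5"
    codes = [
        radius_authenticate(AccessRequest("alice", "correct horse", nas), directory).code,
        radius_authenticate(AccessRequest("alice", "wrong", nas), directory).code,
        radius_authenticate(AccessRequest("bob", "battery staple", nas), directory).code,
        radius_authenticate(AccessRequest("nobody", "x", nas), directory).code,
    ]
    unchanged = directory.snapshot() == before
    return codes, unchanged


if __name__ == "__main__":
    print(run_demo())
```

The disabled-account case is there because the directory, not the RADIUS server, decides whether a valid password is accepted; the RADIUS server only maps that answer onto Accept/Reject.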