ACS and Microsoft AD

Andrew.Hanson
Level 1

I wanted to know if Cisco ACS in any way extends the Microsoft Active Directory schema. I'm thinking not, but co-workers want some sort of confirmation. It's simply an authentication request that either gets accepted or rejected, right?

Thanks for the input!

Sincerely,

Andrew Hanson

6 Replies

b.hsu
Level 5

Cisco ACS server will work with AD. You should not have any problem with this setup.

fbellom
Level 1

Yes, you are right, ACS doesn't extend MS AD in any way. It only uses AD to authenticate users; ACS doesn't have anything to do with MS AD for other reasons.

This applies to both the ACS Appliance and ACS over MS Windows.

Thanks all for the clarification!

scottmac
Level 10

ACS doesn't extend AD per se, but ACS does permit other options and functional extension.

For example, with AD, your auth options are PEAP and EAP-TLS.

With ACS, you get PEAP and EAP-TLS, but you also get LEAP and EAP-FAST ... which you may need for fast secure roaming.

There are others for both (common to both, i.e., MAC filtering) but I believe these would be the most common and desirable.

ACS also provides TACACS+, which can be handy for pushing parameters down to the client, applying scopes and other non-RADIUS functionality.

FWIW

Scott

Thanks for the post, Scott. However, AD isn't a RADIUS solution like ACS (or IAS), right? What you're really talking about is EAP methods that are supported, not necessarily schema modifications within AD? So ACS does not NEED to create AD objects that are populated with attributes/properties that are integral to the EAP authentication method. I think that's right, but please let me know if it's not.

Cheers!

Drew

You are correct.

The combination of AD and IAS can provide some compatible auth methods.

ACS, either stand-alone or using the AD as an auth source can provide pretty much all of the available methods.

ACS doesn't need anything from the AD aside from the username / password for a MS-CHAP-v2 (usually inside an EAP system) and / or possibly MAC, maybe certificate info (the cert would usually go into the ACS software, even if it's running on the AD or the CA ...).

Basically, ACS hands the username/password to the AD and asks "Is this one of yours?" ... if the AD responds affirmatively, then ACS / RADIUS sends the "OK to pass" and opens up the connection.

Being that AD is LDAP-based, it's likely that you can, if you want, add other attributes to pass along to ACS, but it's not necessary.

Good Luck

Scott
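For anyone who wants the "confirmation" the original poster's co-workers asked for rather than taking the thread's word for it, the following added PowerShell check (not from this thread or from Cisco) lists the classSchema and attributeSchema objects that were created after the forest's base schema, which is how any product that extends AD would show up. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the schema partition.

```powershell
# Added example: detect whether anything has extended the AD schema.
# Assumes the ActiveDirectory module (RSAT) is installed and the session
# is domain-joined with read access to the schema naming context.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schema   = Get-ADObject -Identity $schemaNC -Properties objectVersion, whenCreated

"Schema NC:      $schemaNC"
"objectVersion:  $($schema.objectVersion)"   # forest schema version number
"Schema created: $($schema.whenCreated)"

# Every class and attribute definition is a direct child of the schema container.
# Objects created well after the container itself were added later, either by
# a Windows adprep/forestprep run or by a product that extends the schema.
$additions = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))' `
    -Properties lDAPDisplayName, whenCreated |
    Where-Object { $_.whenCreated -gt $schema.whenCreated.AddDays(1) } |
    Sort-Object whenCreated

if ($additions) {
    "Schema objects created after the base schema (check each against known adprep dates):"
    $additions | Format-Table lDAPDisplayName, objectClass, whenCreated -AutoSize
} else {
    "No schema objects created after the base schema; no extension detected."
}
```

Run it before and after integrating ACS (or any RADIUS server) with AD; if the list is unchanged, the product did not touch the schema, which is what this thread concludes for ACS.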
