
New Member

ACS and Microsoft AD

I wanted to know if Cisco ACS in any way extends the Microsoft Active Directory schema. I'm thinking not, but co-workers want some sort of confirmation. It's simply an authentication request that either gets accepted or rejected, right?

Thanks for the input!

Sincerely,

Andrew Hanson

6 REPLIES
Silver

Re: ACS and Microsoft AD

Cisco ACS server will work with AD. You should not have any problem with this setup.

New Member

Re: ACS and Microsoft AD

Yes, you are right, ACS doesn't extend MS AD in any way. It only uses AD to authenticate users; otherwise ACS doesn't have anything to do with MS AD.

This applies to both the ACS Appliance and ACS on MS Windows.
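A check that backs up this answer, added here as an example and not taken from the thread or from Cisco: export the schema naming context before and after ACS is integrated with the domain (on a domain controller, `ldifde -f before.ldf -d "CN=Schema,CN=Configuration,DC=example,DC=com" -p subtree` produces such a file), then diff the two exports for new or modified `attributeSchema`/`classSchema` objects and for a changed `objectVersion`. The LDIF snapshots below are constructed stand-ins for real exports, the domain DN is a placeholder, and `exampleVendor-Attr` is a hypothetical attribute included only to show what a genuine extension would look like.

```python
import base64

# Constructed snapshots standing in for two ldifde exports of the schema naming context
# (real exports are far larger; these carry only what the diff needs).
SCHEMA_BEFORE = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: dMD
cn: Schema
objectVersion: 47

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: SAM-Account-Name
lDAPDisplayName: sAMAccountName
attributeSyntax: 2.5.5.12

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
cn: User
lDAPDisplayName: user
mayContain: sAMAccountName
"""

# Same content exported later: entry order and a comment differ, nothing else.
SCHEMA_AFTER_UNCHANGED = "# exported after ACS was pointed at the domain\n" + "\n\n".join(
    reversed(SCHEMA_BEFORE.strip().split("\n\n"))) + "\n"

# What a genuine extension looks like: a new attribute (hypothetical, constructed here)
# plus an existing class modified to allow it.
SCHEMA_AFTER_EXTENDED = SCHEMA_BEFORE.replace(
    "mayContain: sAMAccountName\n",
    "mayContain: sAMAccountName\nmayContain: exampleVendor-Attr\n") + """
dn: CN=exampleVendor-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: exampleVendor-Attr
lDAPDisplayName: exampleVendor-Attr
attributeSyntax: 2.5.5.12
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts.
    Handles folded continuation lines (leading space), 'attr:: base64' values and '#' comments."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding: join, dropping the leading space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def schema_inventory(ldif_text):
    """lDAPDisplayName -> full entry, for every attributeSchema / classSchema object."""
    inventory = {}
    for entry in parse_ldif(ldif_text):
        kinds = {c.lower() for c in entry.get("objectclass", [])}
        if kinds & {"attributeschema", "classschema"}:
            inventory[entry["ldapdisplayname"][0]] = entry
    return inventory


def schema_version(ldif_text):
    """objectVersion of the schema container (raised by Windows schema upgrades such as adprep)."""
    for entry in parse_ldif(ldif_text):
        if "dmd" in {c.lower() for c in entry.get("objectclass", [])}:
            return int(entry["objectversion"][0])
    raise ValueError("schema container (objectClass dMD) not found in export")


def diff_schema(before_ldif, after_ldif):
    """Added / removed / modified schema objects between two exports, independent of entry order."""
    before, after = schema_inventory(before_ldif), schema_inventory(after_ldif)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
        "version_changed": schema_version(before_ldif) != schema_version(after_ldif),
    }


if __name__ == "__main__":
    print(diff_schema(SCHEMA_BEFORE, SCHEMA_AFTER_UNCHANGED))
    print(diff_schema(SCHEMA_BEFORE, SCHEMA_AFTER_EXTENDED))
```

Three things give away a real schema extension: new `attributeSchema` or `classSchema` entries, an existing class whose `mayContain`/`mustContain` lists grew, and (for Microsoft's own upgrades) a higher `objectVersion` on the schema container. An ACS integration that only authenticates against the domain, as the replies in this thread describe, produces an empty diff on all three.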

New Member

Re: ACS and Microsoft AD

Thanks all for the clarification!

Green

Re: ACS and Microsoft AD

ACS doesn't extend AD per se, but ACS does permit other options and functional extension.

For example, with AD, your auth options are PEAP and EAP-TLS.

With ACS, you get PEAP and EAP-TLS, but you also get LEAP and EAP-FAST ... which you may need for fast secure roaming.

There are others for both (common to both, i.e., MAC filtering) but I believe these would be the most common and desirable.

ACS also provides TACACS+, which can be handy for pushing parameters down to the client, applying scopes and other non-RADIUS functionality.

FWIW

Scott

New Member

Re: ACS and Microsoft AD

Thanks for the post, Scott. However, AD isn't a RADIUS solution like ACS (or IAS), right? What you're really talking about is the EAP methods that are supported, not necessarily schema modifications within AD? So ACS does not NEED to create AD objects that are populated with attributes/properties that are integral to the EAP authentication method. I think that's right, but please let me know if it's not.

Cheers!

Drew

Green

Re: ACS and Microsoft AD

You are correct.

The combination of AD and IAS can provide some compatible auth methods.

ACS, either stand-alone or using the AD as an auth source can provide pretty much all of the available methods.

ACS doesn't need anything from the AD aside from the username / password for a MS-CHAP-v2 (usually inside an EAP system) and / or possibly MAC, maybe certificate info (the cert would usually go into the ACS software, even if it's running on the AD or the CA ...).

Basically, ACS hands the username/password to the AD and asks, "Is this one of yours?" ... if the AD responds affirmatively, then ACS / RADIUS sends the "OK to pass" and opens up the connection.

Being that AD is LDAP-based, it's likely that you can, if you want, add other attributes to pass along to ACS, but it's not necessary.

Good Luck

Scott
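The exchange Scott describes, written out as an added example (this is not code from the thread, from Cisco ACS, or from Active Directory): a NAS builds one RADIUS Access-Request, the "ACS" side recovers the credentials, asks the directory a yes/no question, and answers Access-Accept or Access-Reject with a verifiable Response Authenticator, all per RFC 2865. For brevity the credentials travel as a PAP-style hidden `User-Password` attribute rather than the MS-CHAPv2-inside-EAP that the thread's deployments use; the point is the same, since nothing but a username, a password and a verdict crosses between the two systems. The account table, shared secret and NAS address are constructed values, and `ad_says_yes()` is a stand-in for the domain bind.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # RFC 2865 attribute types

# Constructed stand-in for the domain. A real ACS binds to AD (or runs MS-CHAPv2 against it);
# either way the only thing that comes back is "yes" or "no". No schema object is touched.
FAKE_AD_ACCOUNTS = {"drew": "Winter-Pass-01", "scott": "correct horse battery"}


def ad_says_yes(username: str, password: str) -> bool:
    """Simulated AD answer to 'is this one of yours?'."""
    return FAKE_AD_ACCOUNTS.get(username) == password


def _password_keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: MD5(secret + previous hidden block) chained as a keystream."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        prev = result if hiding else block   # the chain always runs over the hidden form
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")   # NUL-pad to 16-byte multiple
    return _password_keystream_xor(padded, secret, request_auth, hiding=True)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _password_keystream_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1, includes header) Value, per attribute."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field mismatch")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def nas_build_access_request(username: str, password: str, secret: bytes, ident: int):
    """NAS side (switch/AP): one Access-Request carrying the name and the hidden password."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]    # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def acs_handle_request(pkt: bytes, secret: bytes) -> bytes:
    """ACS side: recover the credentials, ask AD, reply Accept or Reject (RFC 2865 section 3)."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    username = a[USER_NAME].decode()
    password = unhide_password(a[USER_PASSWORD], secret, request_auth).decode()
    resp_code = ACCESS_ACCEPT if ad_says_yes(username, password) else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)    # minimal reply: no attributes
    resp_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + resp_auth


def nas_check_response(resp: bytes, request_auth: bytes, secret: bytes, expected_ident: int) -> int:
    """NAS side: verify identifier and Response Authenticator before trusting the verdict."""
    code, ident, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if ident != expected_ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("response does not match the outstanding request")
    return code


def authenticate(username: str, password: str, secret: bytes = b"constructed-shared-secret", ident: int = 7) -> int:
    req, request_auth = nas_build_access_request(username, password, secret, ident)
    return nas_check_response(acs_handle_request(req, secret), request_auth, secret, ident)


if __name__ == "__main__":
    print(authenticate("drew", "Winter-Pass-01"))   # 2 = Access-Accept
    print(authenticate("drew", "wrong"))            # 3 = Access-Reject
```

The Response Authenticator is what lets the NAS tell a genuine Accept from a forged one, so it is worth checking on the client side as shown. RFC 2865's MD5-based password hiding is keyed only by the shared secret, which is why PAP over RADIUS is normally confined to the NAS-to-ACS segment or replaced by an EAP tunnel as in the thread; none of that involves the directory's schema.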
