Cisco Support Community

ACS Integration with Microsoft Active Directory Services



Steps to Integarate ACS with Microsoft Active Directory:


1)Choose Users and Identity Stores > External Identity Stores > Active Directory.


2)Now enter the local domain name ( and a valid AD administrator account username and password, and the ACS will connect to the domain. This allows you to use existing AD credentials to login and administer your network devices.


Although tying the ACS to AD takes only one screen and less than a minute, you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to setup a search sequence by going to Users and Identity Stores > Identity Store Sequences to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts. 


Authentication Process:

The Authentication process happen as mentioned below:


1)User tries to SSH/telnet/console to device.

2)The Device contacts ACS using TACACS or RADIUS.

3)User receives login prompt and enters the AD credentials.

4)Devices sends the credentials to ACS.

5)ACS validates the credentials in AD.

6)ACS sends the authentication OK message to the Device.

7)Device logs the user in.


Command Authorization:

The Command Authorization process happens as mentioned below:


1)User enters a command.

2)Device sends command authorization request to ACS.

3)ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group.

4)Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device.

5)Device allows or denies the user command.


If ACS is for windows it can be either installed on member server or domain controller. For detailed info about the post installation tasks needed to have full integration, please refer the URL below:


If ACS is solution engine then you need special piece of software called remote agent to be installed either on member server or domain controller , also check the following link for more details on how to integrate it with AD:



Problem:  The Device looks to ACS.  ACS looks to AD.  If AD fails, users cannot use their AD credentials to login.

          Device ---> ACS ---> AD


Solution:   Configure the Device to look at ACS first, then a local table if ACS is  not available.  Also, configure the ACS to look at AD first, then a  local ACS account list if AD is not available.  (You can configure local  user accounts on the Device and in the ACS) 

          Device ---> ACS ---> AD

          Device ---> ACS ---> AD ---> ACS local

          Device ---> ACS ---> AD ---> ACS local ---> Device local