SEC0085 - ACS 5.4 LDAP Integration and Identity Store Sequences
Category:
Security
The video walks you through the steps for LDAP integration on Cisco ACS 5.4. We connect ACS to the Active Directory LDAP service and perform Subject and Group searches against it. We also cover Identity Store Sequences as a way to perform lookups against multiple user authentication databases in order.
Topics:
- LDAP Integration
- LDAP Subject and Group Search
- Identity Store Sequences
6 comments
how do i limit successful authentication to certain groups?
Hi guys! Thanks a lot for these videos. I have a question about LDAP or AD groups. I chose to use LDAP groups for authorization, but I am not sure how I can configure ACS to authenticate only certain groups. Right now they all authenticate correctly and they get the deny all command set. I want them not to be able to authenticate.
how do i limit successful authentication to certain groups?
You won't know which AD groups users belong to until they are authenticated, so it is not possible to deny user authentication by AD group. What is supposed to happen is that once they are authenticated, you can fail their exec authorization (i.e. deny access) based on the AD group, and users won't get past the login prompt.
thanks and i am sorry to
Thanks, and I am sorry to bother you again, but I looked at the authorization part and there is either command sets or shell profile or both, but in either I can't find a way to say deny access; there is deny all. Can you show me where it is?
I was thinking that you can specify the AD groups in the identity store and whoever doesn't match will be denied access. I think I found how I can choose those groups; however, I am not sure about the local users (internal users).
Thanks a lot for your help
Deny All is what you want. If
Deny All is what you want. If you only permit the matching AD group and have the default (bottom) rule set to "Deny", that should do the trick as well, instead of denying specific AD groups. For internal users, add the users to a User Identity Group and set it as part of the conditions in the authorization rule.
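The two behaviours discussed here (an Identity Store Sequence that checks the Internal Users store and then AD, and an authorization policy that permits one AD group and falls through to a default Deny rule) can be modelled in a few lines. The following is an added example, not code from the video or from Cisco ACS: a simplified simulation in which the sequence falls through to the next store on "user not found" but stops on a wrong password, and the authorization rules are evaluated first-match with a catch-all default. All store names, users, passwords, groups and shell profile names are constructed sample data, and the fall-through behaviour is a stated simplifying assumption rather than a description of the ACS internals.

```python
"""Simulation of an identity store sequence followed by first-match authorization.

Added example, not from the course page or from Cisco ACS. The users, groups,
store names and shell profiles below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IdentityStore:
    name: str
    # username -> (password, list of groups); constructed sample data
    users: Dict[str, Tuple[str, List[str]]]

    def lookup(self, username: str, password: str):
        """Return ('not_found' | 'bad_password' | 'ok', groups)."""
        entry = self.users.get(username)
        if entry is None:
            return "not_found", ()
        stored_pw, groups = entry
        if stored_pw != password:
            return "bad_password", ()
        return "ok", tuple(groups)


def authenticate(sequence: List[IdentityStore], username: str, password: str) -> dict:
    """Walk the stores in order. Simplifying assumption: 'user not found'
    moves on to the next store, while a wrong password ends the sequence.
    Group membership is only known once a store has returned the user,
    which is why a group cannot be used to refuse authentication itself."""
    for store in sequence:
        status, groups = store.lookup(username, password)
        if status == "ok":
            return {"result": "pass", "store": store.name, "groups": set(groups)}
        if status == "bad_password":
            return {"result": "fail", "store": store.name, "groups": set()}
    return {"result": "fail", "store": None, "groups": set()}


@dataclass
class Rule:
    name: str
    required_group: Optional[str]  # None means the rule matches everyone (default rule)
    shell_profile: str             # constructed names, e.g. "Full Access" or "Deny Access"


def authorize(rules: List[Rule], groups: set) -> Tuple[str, str]:
    """First-match evaluation; the last rule is expected to be the catch-all default."""
    for rule in rules:
        if rule.required_group is None or rule.required_group in groups:
            return rule.name, rule.shell_profile
    raise RuntimeError("policy must end with a default rule")


# Constructed sample stores: internal users first, then the AD/LDAP store.
INTERNAL = IdentityStore("Internal Users", {"localadmin": ("L0cal!pw", ["Local Admins"])})
AD_LDAP = IdentityStore("AD-LDAP", {
    "alice": ("Al1ce!pw", ["NetAdmins", "Domain Users"]),
    "bob": ("B0b!pw", ["Domain Users"]),
})
SEQUENCE = [INTERNAL, AD_LDAP]

# Only the permitted groups get a usable shell profile; everyone else hits the default Deny.
POLICY = [
    Rule("Permit NetAdmins", "NetAdmins", "Full Access"),
    Rule("Permit Local Admins", "Local Admins", "Full Access"),
    Rule("Default", None, "Deny Access"),
]


def login(username: str, password: str) -> dict:
    """Authenticate through the sequence, then authorize the resulting groups."""
    auth = authenticate(SEQUENCE, username, password)
    if auth["result"] != "pass":
        return {"auth": "fail", "store": auth["store"], "rule": None, "profile": None}
    rule, profile = authorize(POLICY, auth["groups"])
    return {"auth": "pass", "store": auth["store"], "rule": rule, "profile": profile}


if __name__ == "__main__":
    for user, pw in [("alice", "Al1ce!pw"), ("bob", "B0b!pw"),
                     ("localadmin", "L0cal!pw"), ("alice", "wrong"), ("nobody", "x")]:
        print(user, login(user, pw))
```

In the simulation, bob authenticates successfully against AD-LDAP (the directory answers "user found, password correct") but is then matched only by the default rule and receives the Deny Access shell profile, which is exactly the behaviour described in the replies above: the decision is made at authorization time, after the group membership is known, not at authentication time.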
thanks a lot for your help
Yes, that solves it. Just to be more clear, it's under the access policies: you'll need to customize it to add shell profile, then edit the default and choose deny access (shell profile).
Thanks a lot for your help and the wonderful videos. I shared them with my coworkers and they all like them.
thanks a lot for your help
We are glad to help.. :-)