SEC0084 - ACS 5.4 AD Integration and Identity Store Sequences

The video walks you through the steps for AD integration on Cisco ACS 5.4. We will join the ACS to an AD domain and download AD user groups, which we will use in authorization policies in future labs. We will also cover Identity Store Sequences, which let ACS look a user up in several authentication databases in a defined order.
Topic:
  • Active Directory Integration
  • Active Directory User Group Selection
  • Identity Store Sequences

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

14 comments

Hi,
I really appreciate the work you have done; it's nice, and all the videos are nice and easy to understand. But I have a problem when implementing my own server: I joined AD on the server, but at Access Policies > Access Services > Identity I cannot see any AD in the Identity Source. I followed all your steps.
Is there any problem on my server? Please help me.

Can you double check the AD status and make sure it is connected? Also, on the Domain Controller, make sure the ACS server shows up as a domain computer under Users and Computers. If you don't get both of these, disconnect and try to reconnect ACS to AD.

Thanks for your answer,
I found the resolution yesterday. It was my browser, which was IE 10.x, not 6, 7, 8, or 9 as in the prerequisites.

Thank you for the update. Good to know IE 10 causes issues.

Hi,
Is there any possibility to add multiple ADs on ACS 5.4, or multiple domains, so that we can use multiple ID stores?

Unless those domains are set up to trust each other, you will not be able to access the user database in both domains simultaneously, since ACS can be integrated with only one domain. If that is the case for you, you might want to look into accessing the additional domain via LDAP.

Hello Metha,
You are just a wonderful trainer. I am a student; please can you give me some discount so that I can purchase some of your ACS videos? I would also like to know if the resolution of the videos is good for offline viewing in case I have to download them later on. Thank you.

Hi, we are currently offering a 15% discount when you purchase the ACS 5.x video bundle. Please see the link below. All videos were recorded at 1440x900, which would be equivalent to or better than viewing them on YouTube at 720p.

http://www.labminutes.com/store/cisco-acs-5x-video-bundle

Hi Metha, could you explain how to set up Identity and Authorization without AD, as I am using only local users created on the ACS?

You can continue to use an Identity Store Sequence and only define Internal Users under there, or use the local users directly under the authentication policy.
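The lab description above and this reply both describe an Identity Store Sequence as an ordered list of authentication stores (Internal Users, AD, LDAP) that ACS consults until one of them resolves the user. The following is an added example, not code from labminutes.com or from Cisco ACS: a small Python model of that ordering with constructed sample stores. It assumes the behaviour the ACS 5.x sequence documentation describes for the authentication list, namely that a user not found in one store causes the next store to be tried, while a user found with a wrong password stops the sequence, and it models the sequence's additional attribute retrieval (pulling AD groups for a user who authenticated elsewhere) as a second list of stores. Store names, usernames, passwords and group names are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _h(pw: str) -> str:
    # Constructed stand-in for "the store checked the password"; real stores
    # (AD, LDAP) verify credentials themselves and do not expose hashes like this.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class IdentityStore:
    name: str
    # username -> (password hash, list of group names the store returns)
    users: Dict[str, Tuple[str, List[str]]]

    def find(self, username: str):
        return self.users.get(username)


@dataclass
class AuthResult:
    status: str                       # PASS, FAIL or USER_NOT_FOUND
    store: Optional[str] = None       # store that answered, if any
    groups: List[str] = field(default_factory=list)


def authenticate(auth_sequence, username, password, attribute_stores=()):
    """Walk the sequence in order (assumed ACS behaviour, see lead-in):
    unknown user -> try the next store; known user -> that store decides,
    and no later store is consulted whether the password was right or wrong."""
    result = AuthResult("USER_NOT_FOUND")
    for store in auth_sequence:
        entry = store.find(username)
        if entry is None:
            continue                          # not here, keep looking
        pw_hash, groups = entry
        if hmac.compare_digest(pw_hash, _h(password)):
            result = AuthResult("PASS", store.name, list(groups))
        else:
            result = AuthResult("FAIL", store.name)
        break                                 # first store that knows the user wins
    # Additional attribute retrieval: only runs after a successful
    # authentication, and only adds groups; it never re-authenticates.
    if result.status == "PASS":
        for store in attribute_stores:
            entry = store.find(username)
            if entry is not None:
                for group in entry[1]:
                    if group not in result.groups:
                        result.groups.append(group)
    return result


# Constructed sample stores: one local user, plus an AD store that also
# happens to contain a same-named account with a different password.
INTERNAL = IdentityStore("Internal Users", {
    "netadmin": (_h("Local-Pass1"), ["LocalAdmins"]),
})
AD1 = IdentityStore("AD1", {
    "jdoe": (_h("Ad-Pass2"), ["lab.local/Users/NetworkOps"]),
    "netadmin": (_h("Ad-Pass3"), ["lab.local/Users/Domain Users"]),
})
SEQUENCE = [INTERNAL, AD1]   # Internal Users first, then AD, as in the lab


def demo():
    """Return the outcomes a practitioner would want to check."""
    return {
        "ad_user": authenticate(SEQUENCE, "jdoe", "Ad-Pass2"),
        "local_user_with_ad_groups": authenticate(
            SEQUENCE, "netadmin", "Local-Pass1", attribute_stores=[AD1]),
        # The AD password for netadmin is never tried: Internal Users answered.
        "shadowed_ad_password": authenticate(SEQUENCE, "netadmin", "Ad-Pass3"),
        "unknown": authenticate(SEQUENCE, "nobody", "x"),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:28} {r.status:15} {r.store or '-':15} {r.groups}")
```

The "shadowed_ad_password" case is the one worth noticing when ordering a sequence: because Internal Users is listed first and contains an account with that username, the AD account of the same name is never consulted, so the order of stores in the sequence decides which database owns a colliding username.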

I have configured NTP to sync with AD, DNS and the domain within ACS, using a user with the necessary rights to connect to AD. When I test, everything succeeds, but within a few seconds it shows as "Joined but Disconnected".

Cisco ACS VERSION INFORMATION - This is a NEW VM and patches are up to date
---------------------------------------------------------------------------------------------------------
Version : 5.7.0.15.1
Internal Build ID : B.257
Patches :
5-7-0-15-1

We have never run into this issue, although we have not tested version 5.7. Usually, once ACS is joined to the domain, it stays connected unless it loses connectivity to AD or time gets out of sync. Not sure if anything is logged on AD either. You may need to check with Cisco on this to see if it is a bug.

Please help me with the steps to follow in order to pull users from a domain which is not directly mapped to ACS but has a two-way trust with the domain which is directly mapped. I'd like to know the policies to be configured too. Appreciate your help.

If you already have the other domain in a two-way trust, you should be able to search the groups/users as normal. If you don't see them, the chances are the trust is incorrect.