View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0085 - ACS 5.4 LDAP Integration and Identity Store Sequences

SEC0085 - ACS 5.4 LDAP Integration and Identity Store Sequences

Rating: 
5
Average: 5 (2 votes)
Difficulty Level: 
2
Lab Document: 
<Please login to see the content>
Category: 
Security
The video walks you through steps for LDAP integration on Cisco ACS 5.4. We will connect our ACS to Active Directory LDAP service, and perform Subject and Group search. We will also touch on the function of Identity Store Sequences as a way to perform multiple user authentication database lookup.
 
Topic:
  • LDAP Integration
  • LDAP Subject and Group Search
  • Identity Store Sequences
Tag: 
acs
ldap

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

6 comments

Submitted by mohdz on Fri, 12/27/2013 - 11:39

Hi guys! thanks a lot for this videos, i have a question about LDAP or AD groups, i chose to use LDAP groups for authorization, but i am not sure how i can configure ACS to authenticate only certain groups. right now they all authenticate correctly and they will get the deny all command set. i want them not to be able to authenticate.

Submitted by admin on Fri, 12/27/2013 - 19:36

You won't know which AD groups users belong untill they are authenticated so it is not possible to deny user authentication by AD group. What supposes to happen is once they are authenticated, you can fail their exec authorization (ie. deny access) based on the AD group and users won't get pass the login prompt. 

Submitted by mohdz on Fri, 12/27/2013 - 20:24

thanks and i am sorry to bother again but i looked at the autorization part and there is either command sets or shell profile or both but in either i can't find a way to say deny access, there is deny all. can you show me where it is?
i was thinking that you can specify in the identity store the ADs group and who ever doesn't match will be denied access. i think i found how i can choose those groups however i am not sure about the local users(internal users).

Thanks a lot for you help

Submitted by admin on Mon, 12/30/2013 - 07:55

Deny All is what you want. If you only permit the matching AD group and have the default (Bottom) rule set to "Deny", that should do the trick as well instead of denying specific AD groups. For internal user, add users to a User Identity Group and set it as part of the conditions in the authorization rule.

Submitted by mohdz on Tue, 12/31/2013 - 07:55

yes that solves, just to be more clear, it's under the access policies, you'll need to customize it to add shell profile, then edit the default and choose deny access(shell profile).
Thanks a lot for your help and the wonderful videos, i shared with my coworkers and they all like them.

Submitted by admin on Tue, 12/31/2013 - 17:23

We are glad to help.. :-)