This document provides a sample configuration to integrate Microsoft Active Directory with Cisco Secure Access Control System (ACS) 5.x and later. ACS uses Microsoft Active Directory (AD) as an external identity store to store resources such as users, machines, groups, and attributes. ACS authenticates these resources against AD.
Ensure that you meet these requirements before you attempt this configuration:
Windows Active Directory Domain to be used needs to be fully configured and operational.
Use Microsoft Windows Server 2003 Domain, Microsoft Windows Server 2008 Domain or Microsoft Windows Server 2008 R2 Domain as these are supported by ACS 5.x.
Note: Integration of Microsoft Windows Server 2008 R2 Domain with ACS is supported from ACS 5.2 and later.
The information in this document is based on these software and hardware versions:
Cisco Secure ACS 5.3
Microsoft Windows Server 2003 Domain
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Windows Active Directory provides many features that are used in the daily network usage. The integration of ACS 5.x with AD allows the use of the existing AD users, machines and their group mapping.
ACS 5.x integrated with AD provides these features:
Machine Authentication
Attribute Retrieval for Authorization
Certificate Retrieval for EAP-TLS Authentication
User and Machine Account Restriction
Machine Access Restrictions
Dial-in Permissions Check
Callback Options for Dial-in users
Dial-in Support Attributes
Before you integrate ACS 5.x to the AD, ensure that the TimeZone, Date & Time on the ACS matches with that on the AD primary domain controller. Also, define the DNS server on the ACS in order to be able to resolve the domain name from the ACS 5.x. Complete these steps in order to configure ACS 5.x Application Deployment Engine (ADE-OS):
SSH to the ACS appliance and enter the CLI credentials.
Issue the clock timezone command in config mode as shown in order to configure the TIMEZONE on the ACS in order to match with that on the domain controller.
clock timezone Asia/Kolkata
Note: Asia/Kolkata is the timezone used in this document. You can find your specific timezone by exec mode show timezones command.
In case your AD domain controller is synchronized with an NTP server that resides in your network, it is highly recommended to use the same NTP server on the ACS. If you do not have NTP server, then skip to step 4. These are the steps to configure NTP server:
NTP server can be configured with the ntp server <ip address of the NTP server> command in config mode as shown.
ntp server 192.168.26.55 The NTP server was modified. If this action resulted in a clock modification, you must restart ACS.
Refer to ACS 5.x: Cisco ACS Synchronization with NTP Server Configuration Example for more information on NTP configuration.
In order to configure date and time manually use the clock set command in exec mode. An example is shown here:
clock set Jun 8 10:36:00 2012 Clock was modified. You must restart ACS. Do you want to restart ACS now? (yes/no) yes Stopping ACS. Stopping Management and View...................... Stopping Runtime...... Stopping Database.... Cleanup..... Starting ACS .... To verify that ACS processes are running, use the 'show application status acs' command.
Now verify the Timezone, Date and Time with the show clock command. The output of show clock command is shown here:
acs51/admin# show clock Fri Jun 8 10:36:05 IST 2012
Configure DNS on ACS with the <ip name-server <ip address of the DNS> command in config mode as shown here:
ip name-server 192.168.26.55
Note: The DNS IP address is provided by your Windows domain administrator.
Issue the nslookup <domain name> command in order to verify the domain name reachability as shown.
acs51/admin#nslookup MCS55.com Trying "MCS55.com" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60485 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;MCS55.com. IN ANY ;; ANSWER SECTION: MCS55.com. 600 IN A 192.168.26.55 MCS55.com. 3600 IN NS admin-zq2ttn9ux.MCS55.com. MCS55.com. 3600 IN SOA admin-zq2ttn9ux.MCS55.com. hostmaster.MCS55.com. 635 900 600 86400 3600 ;; ADDITIONAL SECTION: admin-zq2ttn9ux.MCS55.com. 3600 IN A 192.168.26.55 Received 136 bytes from 192.168.26.55#53 in 0 ms
Note: If the ANSWER SECTION is empty, then contact your windows domain administrator to find out the correct DNS server for the domain.
Issue the ip domain-name <domain name> command in order to configure DOMAIN-NAME on the ACS as shown here:
ip domain-name MCS55.com
Issue the hostname <hostname> command in order to configure HOSTNAME on the ACS as shown here:
hostname acs51
Note: Due to NETBIOS limitations, ACS hostnames must contain less than or equal to 15 characters.
Issue the Write memory command in order to save the configuration to ACS.
Complete these steps in order to join ACS5.x to AD:
Choose Users and Identity Stores > External Identity Stores > Active Directory and provide the Domain Name, AD account (Username) and its Password and click on Test Connection.
Note: AD account required for domain access in ACS should have either of these:
Add workstations to domain user right in corresponding domain.
Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is created before joining ACS machine to the domain.
Note: Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS does not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
Note: The Windows AD account, which joins ACS to the AD domain, can be placed in its own Organizational Unit (OU). It resides in its own OU either when the account is created or later on with a restriction that the appliance name must match the name of the AD account.
This screen shot shows that the test connection to the AD is successful. Then click OK.
Note: Centrify configuration gets affected and sometimes gets disconnected when there is a slow response from the server while you test the ACS connection with the AD domain. However, it works fine with the other applications.
Click Save Changes for the ACS to join AD.
Once the ACS has successfully joined the AD Domain, it shows in the connectivity status.
Note: When you configure an AD identity store, ACS also creates:
A new dictionary for that store with two attributes: ExternalGroups and another attribute for any attribute retrieved from the Directory Attributes page.
A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this attribute.
A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups and another custom condition for each attribute selected in the Directory Attributes page, for example, AD1:cn.
Complete these steps in order to complete the Access Service configuration so that ACS can use the newly configured AD Integration.
Choose the service from where you would like the users to be authenticated from AD and click on Identity. Now click Select next to the Identity Source field.
Choose AD1 and click OK.
Click Save Changes.
In order to verify AD authentication, send an authentication request from a NAS with AD credentials. Ensure that the NAS is configured on the ACS and the request would be processed by the Access Service configured in the previous section.
After successful authentication from NAS log into the ACS GUI and choose Monitoring and Reports > AAA Protocol > TACACS+Authentication. Identify the passed authentication from the list and click on the magnifying glass symbol as shown.
You can verify from the steps that ACS has sent Authentication request to AD.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
19-Jun-2012 |
Initial Release |