ACS Integration with Microsoft Active Directory Services

Hello Everyone,
I've been tasked to design the integration of ACS with MS AD. What I want to know is the below, assuming I have a software ACS or an ACS device and the protocol for authentication is RADIUS:
- What is the criteria for the AD to integrate with ACS software or appliance?
- Should that AD be hosted on the domain controller or not?
- If not, on what (Domain Controller, Tree, Forest, Branch, Flower, Fruit) should the AD be hosted?
- What will I have to do to authenticate users logging into Cisco Security Manager with ACS integrated with AD?
- Are there any other dependencies that I will have to categorically mention in my design document?
Thanks,
Rishi

In ACS v5.x, there is a screen for integrating the ACS with AD. 
     (Users and Identity Stores > External Identity Stores > Active Directory)
Just enter the local domain name (domain.com) and a valid AD administrator account username and password, and the ACS will connect to the domain.  This allows you to use existing AD credentials to log in and administer your network devices. 
Tying the ACS to AD really only takes one screen and less than a minute, but you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to set up a search sequence (Users and Identity Stores > Identity Store Sequences) to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts.  The permissions part is still fairly quick, and it only takes me about 45 minutes to build an ACS from scratch including all AD integration and custom RADIUS attributes for some of our devices. 
The authentication would occur like this:
User SSH/telnet/console to device
Device contacts ACS using TACACS or RADIUS
User receives login prompt and enters AD credentials
Device sends credentials to ACS
ACS validates credentials in AD
ACS sends authentication OK message to Device
Device logs user in.
Command Authorization looks something like this:
User enters a command
Device sends command authorization request to ACS
ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group
Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device
Device allows or denies the user command.
Criteria:  We use an ACS 5.2 virtual machine and have had it work perfectly with Server 2003 and Server 2008.
AD is hosted on our local domain controller (Bonus:  no planting of flowers required!)
Dependencies: 
Issue:  The Device looks to ACS.  ACS looks to AD.  If AD fails, users cannot use their AD credentials to log in.
          Device ---> ACS ---> AD
Solution:  Configure the Device to look at ACS first, then a local table if ACS is not available.  Also, configure the ACS to look at AD first, then a local ACS account list if AD is not available.  (You can configure local user accounts on the Device and in the ACS) 
          Device ---> ACS ---> AD
          Device ---> ACS ---> AD ---> ACS local
          Device ---> ACS ---> AD ---> ACS local ---> Device local
The new version of Cisco ACS is UNIX-based, and you can download a free trial to load up and try before you buy.  It is far FAR superior to the old ACS v3.3 that we had for years.
I hope this helps for your design document!
--Chris
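The device side of the fallback chain Chris describes, as an added example that is not from the original post, written for Cisco IOS (the thread does not name the device platform; the server address, group names and secrets are placeholders). It shows the point that matters for the design: IOS moves on to the `local` method only when no ACS server answers, while a reject returned by ACS (and therefore by AD) is final, so the local accounts never become a way around AD.

```cisco
! Added example, not from the original post. IOS AAA that asks ACS first and
! uses the device-local user database ONLY when no ACS server responds.
! A reject from ACS/AD stops the method list; "local" is not consulted.
! The ACS side (AD first, then the ACS local store) is the Identity Store
! Sequence configured in the ACS GUI, as described in the post above.
aaa new-model
!
! ACS reached over TACACS+. Address and key are placeholders.
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Login: ACS group first, device-local accounts only if the group is unreachable
aaa authentication login default group ACS-GROUP local
! Shell/privilege level from ACS, same fallback rule
aaa authorization exec default group ACS-GROUP local
! Per-command authorization (the allow/deny step in the post). If ACS is down,
! an already authenticated session may still run commands.
aaa authorization commands 15 default group ACS-GROUP if-authenticated
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Break-glass account used only when no ACS server is reachable
username break-glass privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Per-command authorization is only available with TACACS+; if the design keeps RADIUS, as the question states, the device can authenticate against ACS/AD but cannot have ACS decide on individual commands.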

Similar Messages

  • Portal Integration with Microsoft Active Directory

    We are working on a project to integrate Oracle9iAS Portal with Microsoft Active Directory. I am wondering if anyone has any experience with this and hence suggestions. Particularly, I'm wondering if it's possible and how to use Active Directory to manage the Portal user accounts and group relationships?

    Please note that we finally got this working. For Active Directory's sake, I would suggest using userPrincipalName or sAMAccountName as the Unique Attribute. Also, note that Active Directory uses OUs for organization, not CNs, so the search base should be either just the DN of the domain or an OU in the domain. Also, be sure to specify the full DN of the Bind DN as in CN=Administrator,CN=Users,DN=domain,DN=com

  • ODI Integration With Microsoft Active Directory to bring User id to Table

    Hi All,
    I have to bring the user ID of employees from the Microsoft Active Directory based on the mail ID of the user.
    I have a table like below:
    User_name   Mail_id
    Vishwas     [email protected]
    John        [email protected]
    Depak       [email protected]
    I need to bring the user ID of those employees from Active Directory and load it into another table.
    Now the issue is: what are the things I have to perform in ODI to do this?
    I have gone through some of the blogs for the same, but everywhere I found ODI being used for external authentication.
    Can I get the user IDs in a relational table so that I can join it with the above table and load it to the target?
    Please let me know if anybody has the solution for it.
    Thanks
    Regards

    I think you can use the LDAP driver to read entries from your LDAP server. Please check the documentation at LDAP Directories - 11g Release 1 (11.1.1)

  • OracleApps HRMS-R12.1.3 Integration with MS Active Directory (win 2008 R2)

    Dear Friends,
    we are using Oracle Apps R12.1.3 and the Microsoft Active Directory : Windows 2008 R2
    we have the following requirement:
    (1)From Oracle Apps to Active Directory.
    -Employee master information needs to be interfaced to Active Directory on a regular interval which should be updated in the active directory.
    (2)From Active Directory to Oracle system.
    -Whenever new email address for an employee is created in Active directory, the information needs to flow to Oracle HRMS.
    Please let us know the method to achieve with minimal latest oracle softwares?
    can it be done over coding from oracle apps without new softwares?
    Is Oracle Apps R12.1.3 certified with Windows 2008 R2 Active Directory?
    Regards,
    DB

    user564706 wrote:
    Dear Friends,
    we are using Oracle Apps R12.1.3 and the Microsoft Active Directory : Windows 2008 R2
    we have the following requirement:
    (1)From Oracle Apps to Active Directory.
    -Employee master information needs to be interfaced to Active Directory on a regular interval which should be updated in the active directory.
    (2)From Active Directory to Oracle system.
    -Whenever new email address for an employee is created in Active directory, the information needs to flow to Oracle HRMS.
    Please let us know the method to achieve with minimal latest oracle softwares?
    can it be done over coding from oracle apps without new softwares?
    Is Oracle Apps R12.1.3 certified with Windows 2008 R2 Active Directory?
    Regards,
    DB
    Please update your original thread(s) instead of creating new one(s) -- Integrate Oracle Apps R12 with Microsoft Active Directory
    Thanks,
    Hussein

  • Integrate Oracle Apps R12 with Microsoft Active Directory

    Dear Friends,
    I am using Oracle Apps R12.1.3 and also we have Microsoft Active Directory.
    We need to integrate both so that any employee created in Oracle Apps HRMS will be replicated in Microsoft Active Directory.
    Please let us know the oracle 10g and 11g products we have to use to achieve this.
    Please let us know both 10g and 11g products and is 10g products covered in Oracle support?
    Regards,
    DB

    Please see these docs/links.
    Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) [ID 376811.1]
    Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite [ID 876539.1]
    Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1 and Single Sign-On [ID 1370938.1]
    External Authentication To Active Directory Integration With E-Business Suite [ID 429020.1]
    Re: Integrating Active directory  with oracle EBS 12.1.3 with 11g R2 database
    Re: Oracle EBS with SSO
    Re: Need to integrate AD with R12.1.3 with the most simplest architecture.
    Re: EBS R12,how to use OID implement SSO without OAM/OID(with 3rd product)?
    Thanks,
    Hussein

  • Changes in Microsoft Active Directory Services into a file

    I am in need of sample code to capture changes in Active Directory services into a flat file.
    Here is my requirement:
    I would like to capture user information changes from the Active directory server into a flat file.
    For example, when a user is newly created in Active Directory Server, I need to capture that user info and write it into a flat file. Similarly for update and delete of a user in Active Directory Server, I need to capture the changes and write them into a file.
    Would appreciate, if any could help me on this
    Thanks in advance
    Thanks
    Kumar

    Refer to:
    JNDI, Active Directory & Persistent Searches (part 1) http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    There was another topic that I posted called JNDI, Active Directory and Persistent Searches (part 2) in which I described the LDAPNotification Control.
    It had the following URL http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 however it seems as though I have suffered another case of the forum losing my posts.

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    Users authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via spnego would be the best solution.
    Any better alternatives we should use?
    We are following the SAP documentation:
    SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we set up the portal from scratch using ABAP as its UME, in the system configuration LDAP can't be selected/added as a data source.
    In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us is whether, when we activate LDAP now via the config tool, we would lose the ABAP connection.
    Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
    In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via ktab program.
    But when I am enable SSO, nothing is happening when I try to log-on via SSO to the portal.
    I installed WebDiag tool on the portal server and ran trace.
    The users are located in domain company.com of Active Directory.
    The Java AS is located in domain sap.company.com of Active Directory.
    The sap.company.com domain acts as a child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would expect company.com as the realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with a child domain running?
    Based on the statement of the network folks, the child and parent domains have a trust.
    Thanks for your help.
    Best regards
    Carlos

  • HTML DB with Microsoft Active Directory access

    HTML DB authentication works fine, but authorization gives the following error. We hope someone has similar experience in this forum. We got the following error after we added a password to the is_member function. If we use NULL for the password it always gives a "No authorization to page" error.
    Error Message : ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid
    credentials. 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext
    error, data 525, vece
    Exception encountered .. exiting

    Thanks Scott, We got answers from your earlier discussion on following threads.. We are posting the points in your discussion again and it may help others..
    LDAP Setup - How ?
    Let's focus on authentication first. I assume you have a login page in the app. Create a new authentication scheme based on the LDAP model (follow the wizard.) Edit the scheme, changing the authentication function from -LDAP- to: return function_name;, giving the name of a function in your schema which does the ldap authentication. This function must have the signature (p_username in varchar2, p_password in varchar2) return boolean. Null out any other ldap-related fields in this new authentication scheme and make sure it points to the login page in your app for the Invalid Session Page attribute. Save changes and then make this the current scheme. Your login page is already set up to call the HTML DB login API and because your authentication scheme specifies an authentication function, that's what it will use to check credentials when the login page which captured username and password is submitted. If the credentials check out, the login API will redirect to the page specified in the login page's login process' p_flow_page argument, e.g., p_flow_page=>&APP_ID.:1, for page 1. Change this page ID as required.
    Authorization schemes are simpler. They will probably be of type PL/SQL function returning boolean which will use the current value of :APP_USER to consult the LDAP directory for specific information. After creating the schemes, you can attach them to whatever components you need to, e.g., regions, buttons, processes.
    function userInGroup(p_username in varchar2, p_group in varchar2)
    return boolean
    as
        l_retval      PLS_INTEGER := -1;
        l_session     DBMS_LDAP.session;
        l_attrs       DBMS_LDAP.string_collection;
        l_message     DBMS_LDAP.message;
        l_entry       DBMS_LDAP.message;
        l_attr_name   VARCHAR2(256);
        l_ber_element DBMS_LDAP.ber_element;
        l_vals        DBMS_LDAP.string_collection;
        l_found       boolean := false;
        l_user        VARCHAR2(256);
        l_group_cn    VARCHAR2(256);
    begin
        DBMS_LDAP.use_exception := false;
        -- escape the characters that carry meaning in an LDAP search filter
        -- (RFC 4515) so the caller-supplied username cannot change the filter
        l_user := replace(p_username, '\', '\5c');
        l_user := replace(l_user, '*', '\2a');
        l_user := replace(l_user, '(', '\28');
        l_user := replace(l_user, ')', '\29');
        l_user := replace(l_user, chr(0), '\00');
        -- connect to LDAP and authenticate; give up if the bind was refused
        -- (g_host, g_port, g_ldap_user, g_ldap_pwd, g_ldap_user_base are package globals)
        l_session := DBMS_LDAP.init(hostname => g_host, portnum => g_port);
        l_retval := DBMS_LDAP.simple_bind_s(ld => l_session,
                                            dn => g_ldap_user,
                                            passwd => g_ldap_pwd);
        if l_retval <> DBMS_LDAP.SUCCESS then
            l_retval := DBMS_LDAP.unbind_s(ld => l_session);
            return false;
        end if;
        -- get group membership: exact match on cn, without the trailing
        -- wildcard, so "bob" cannot be authorized through "bobby"'s groups
        l_attrs(1) := 'memberOf';
        l_retval := DBMS_LDAP.search_s(ld => l_session,
                                       base => g_ldap_user_base,
                                       scope => DBMS_LDAP.SCOPE_SUBTREE,
                                       filter => '(cn=' || l_user || ')',
                                       attrs => l_attrs,
                                       attronly => 0,
                                       res => l_message);
        if l_retval = DBMS_LDAP.SUCCESS
           and DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 then
            -- first entry returned by our search
            l_entry := DBMS_LDAP.first_entry(ld => l_session, msg => l_message);
            l_attr_name := DBMS_LDAP.first_attribute(ld => l_session,
                                                     ldapentry => l_entry,
                                                     ber_elem => l_ber_element);
            -- first_attribute is NULL when the user has no memberOf values
            if l_attr_name is not null then
                l_vals := DBMS_LDAP.get_values(ld => l_session,
                                               ldapentry => l_entry,
                                               attr => l_attr_name);
                if l_vals.count > 0 then
                    << values_loop >>
                    for i in l_vals.first .. l_vals.last loop
                        -- compare the group's CN, not a substring of the whole DN:
                        -- '%Admins%' would also match "CN=Domain Admins,..."
                        if upper(l_vals(i)) like 'CN=%' then
                            l_group_cn := substr(l_vals(i), 4, instr(l_vals(i) || ',', ',') - 4);
                            if upper(l_group_cn) = upper(p_group) then
                                l_found := true;
                                exit values_loop; -- exit if found
                            end if;
                        end if;
                    end loop values_loop;
                end if;
            end if;
        end if;
        -- must unbind from LDAP
        l_retval := DBMS_LDAP.unbind_s(ld => l_session);
        return l_found;
    exception
        when others then
            l_retval := DBMS_LDAP.unbind_s(ld => l_session);
            return false;
    end userInGroup;

  • E-Business suite r12 login through Microsoft Active Directory

    I integrated E-Business Suite release 12.1 with SSO and OID and I want to integrate OID with Microsoft Active Directory. How is this possible?

    804050 wrote:
    I integrated E-Business Suite release 12.1 with SSO and OID and I want to integrate OID with Microsoft Active Directory. How is this possible?
    Yes, it is possible. The basic idea is EBS 12.1 will use OID, which will be configured to use third party external authentication, like Microsoft AD.
    Please see this document:
    Oracle® Identity Management Integration Guide
    10g (10.1.4.0.1)
    Part Number B15995-01
    Chap 19 Integrating with Microsoft Active Directory
    HTH
    AMN

  • Does Sun Messaging Server support Microsoft Active Directory

    Hello,
    I just got this question. Does Sun Messaging Server work with Microsoft Active Directory?
    Thanks.

    Please post in the messaging server forum: http://forums.sun.com/forum.jspa?forumID=708

  • Storage Integration with Active Directory Services Part 2

    Having your storage device join Active Directory Services can be relatively straightforward.  What to do if the JOIN button fails?  This demo goes through a basic checklist from network to server. The demo covers integration between the NSS2000/3000/4000/6000 platform and Microsoft ADS Server 2003.
    Part 1 - Network Overview
    Part 2 - NSS Configuration
    Part 3 - Connecting a share
    Part 4 - Server 2003 Administration
    Note: Some artistic license was used to make the test environment easier to illustrate, but the principles are the same in a live network.

    Hi Angus,
    Policy Server does not require a specific LDAP schema. During configuration you simply map the LDAP attributes of your schema to the ones that Policy Server supports (e.g., common name, email address, etc).
    If you are configuring Policy Server to use an LDAP, it will use the LDAP to authenticate the user (Policy Server does not store the password itself in this case).
    If passwords are stored outside of the LDAP (e.g., in a database), it is possible to write a custom authentication provider to authenticate against this source.
    Hope this helps,
    -Bill

  • Can Microsoft Active Directory be integrated with Oracle Applications

    Hi,
    Can anyone provide me any document on Microsoft Active Directory Integration with Oracle Applications(12.0.6)
    Manish

    Hi,
    It is possible, please refer to the following documents for details.
    Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
    Note: 415007.1 - Oracle Application Server with Oracle E-Business Suite Release 12 FAQ
    Regards,
    Hussein

  • Integration of sap R/3 (4.7) and Microsoft active directory (2003)

    Hi All,
    I would like to know about integration of SAP R/3 (4.7) and Microsoft Active Directory (2003), and also SAP EP and Microsoft Active Directory. I have been working as an EP consultant with a local bank. I am new to this integration work, so please kindly provide me the steps for integrating both of these directories.
    Please help me with this issue.
    Thanks in advance,
    Regards,
    Raghav.

    Hi,
    First You should read:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    Regards,
    Jarek

  • Problem with Oracle external procedures and Microsoft Active Directory

    Hi,
    Our server was recently updated to use Microsoft Active Directory. However, we noticed that all external procedure calls keep on failing with ORA-28575: unable to open RPC connection to external procedure agent. Everything was working fine before we migrated to Active Directory, which is why we can say that the listener is configured correctly.
    Any idea on how we can make extproc calls with Active Directory?
    thanks.

    Michael,
    Oracle Forms does support Single Sign-On (SSO). Take a look at Oracle Containers for J2EE Security Guide: OC4J Java Single Sign-On. Also take a look at the Oracle Forms 10g Sample Code and scroll to the SSO demo under the Forms Services Demo section. There are also numerous other documents available via Google. ;-)
    Craig B-)
    If someone's response is helpful or correct, please mark it accordingly.
