CiscoSecure ACS 3.3 and MS Active Directory ?

We just got and installed CiscoSecure ACS 3.3 on a domain controller for our MS active directory domain.
ACS seems to work with AD in the sense that it uses the usernames and passwords contained in AD for users. However I noticed it does not seem to popluate ACS with the users, instead you have to go in to ACS and add each user with the username from AD, and then just tell it to use the windows database for password authentication.
Is this correct or am I missing something in my setup that is preventing users from being populated in ACS?
Also, can you not use AD groups for ACS permissions? For example one of the things we are doing is defining certain groups for access to routers, switches and firewall commands. I have been able to do this manually in ACS by defining a group and setting the permissions as well as the command authorization set. However it does not seem very practical to have to go in manually to ACS to add a user to an ACS group. I thought since ACS works with active directory it would also use AD groups. So we could assign a user to a group in AD and it would then utilize the defined ACS permissions for that group.

I think you are a victim of the AD Aware as opposed to AD Integrated. CiscoSecure is AD Aware, it can use the AD database for Password authentication (a very simple implementation of single sign-on). But the local database is used for everything else. From my point of view this is a good thing.
If the AD Admin, Network Admin and Security officer are all the same person, then I agree with you.
From your message you seem to be using ACS to secure your Cisco devices (routers/switches), I would not want people who manage AD to be able to give network device access to anyone they choose. Nore do I trust AD admins to understand network security. Normally the network people are very small subset of IT organization, so this should not be a big problem. Also, the real component that you are using to secure the devices is TACACS+ (hopefully) or RADIUS because the devices are not AD Aware themselves.
If you need for every user that is in AD to be a user in ACS, there is import/export support for both for inital setup, after that it is up to you to keep the databases synchronized. You can do this with routine import/exports, but I advise against it.
If you are using ACS to manage a Dial or IPSec environment, I agree this is a pain, but do you really want everyone to be able to dial-in or VPN into your network without coming to you for access? Don't you want to be able to disable/expire peoples access for devices and remote access without calling the AD admin?
For the kind of things you want, you need an AD Integrated product like Exchange or you can try some of the vendors at listed at http://www.microsoft.com/windows2000/partners/adall.asp
FYI - This is my understanding of the product, I'm sure there are a lot of people out there that know more then me, so feel free to correct me.

Similar Messages

  • Autheticating useing Cisco ACS 4.2 integrated with Active Directory 2003

    How do i check that users are Autheticated useing Cisco ACS 4.2 integrated with Active Directory 2003, any one help me in this thanks

    You can't actually see the user's membership from ACS. All you can do, create group-mapping under external database >> group mapping section. This would give you an option to map external (AD) group with an Internal group.The group memberrship need to be modified under Active Directory.
    Once user is succussfully authenticated and learned as a dynamic user in ACS user setup database, it would be mapped with an ACS internal group based on group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • ACS 5.1 with Windows Active Directory

    Hi All,
    I installed ACS 5.1 in vmware server successfully. I have problem while intergrating cisco acs with microsoft Windows 2008 active directory. I already verfied all the related parameters like Domain name, user rights to join in AD, DNS name resolve and IP-Address.
    But, I can able to add any system into my domain without any issues and this is not happening in Cisco ACS 5.1 version.While testing the Active Directory - Test connection it prompts with error message " Can not resolve network address".
    Please help me from this issue.
    Regards
    Mani

    Hi
    Have you setup the correct DNS servers and domain name in the ACS and also do you have an entry in the DNS for the ACS server?
    Dave

  • Integration of sap R/3 (4.7) and Microsoft active directory (2003)

    Hi All,
    I would like to know integration of sap R/3 (4.7) and Microsoft active directory (2003) and also SAP EP and Microsoft active directory. I have been working as a ep consultant with a local bank. I am new for this integration work, So please kindly provide me the steps for integrating these both directories.
    Pls help me with this issue.
    Thanks in advance,
    Regards,
    Raghav.

    Hi,
    First You should read:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    Regards,
    Jarek

  • SCCM report to show last logged on user and the Active Directory department attribute of that user.

    I need to create an SCCM report to show last logged on user on all machines and the Active Directory department attribute of that last logged on user.

    You problem is here.
    right
    join v_R_User USR on USR.ResourceID
    = CS.ResourceID
    USR.ResourceID != CS.ResourceID, you need to map the username to the user logon to the PC. By using the user’s department information you will
    end up with unreliable results.
    Anyways you need to make these changes to your query.
    left
    join v_R_User USR on USR.Unique_User_Name0
    = CS.UserName0
    http://www.enhansoft.com/

  • User base Synchronization between SAP and MS Active Directory Server

    Dear all!
    I'm using Web AS 6.20 ABAP and MS Active Directory Server based on Win 2003 Server.
    i successfully implemented the synchronization of user data between SAP and the ADS.
    My question: Is there a way to customize the users on Active Directory Server in regard to their SAP authorization (roles auth. objects etc.)?
    Currently I don't have a clue how to do this.
    Regards,
    Christoph

    Have you searched on SDN for "Active Directory"? That turns up a number of results. I think your expectation might be backwards though, it's not how ADS exposes SAP specific data but how SAP uses ADS to store SAP specific data. My understanding (from quite some time ago so I am fuzzy on this) is that SAP can use ADS in much the same way it can use LDAP as an external user store.
    The Security Newsletter from November 04 [https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sap security newsletter november 2004.pdf] mentions that a webinar is hosted on SDN about this exact topic, unfortunately I was unable to find a direct link.
    Regards,
    Marc g

  • OID and MS Active Directory  LDAP information Synchronization

    Do you know have to do the integration between OID and MS active Directory? How to synchronize the LDAP information between two?

    Hi, I have the same question.
    Thanks,
    Malin

  • Integration Of Cisco ACS and MS Active Directory !!!

    Hi all,
    We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
    Thanks for your help
    Regards!!!
    Rafael Turriago

    Hi,
    If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
    The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
    The Remote Agent is the application responsible to exchange data with the DCs.
    You can find detailed information in the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco ACS 4.2 integration with Active Directory

    Hello,
    I´m new in the administration of ACS, we have recently implemented on server ACS version 4.2
    for manager all users authorization for our Network.
    We are in one environement which have an Active Directory, group and users.
    Now, i´m just able to creat a new user in ACS and work with on the Client SWITCH, what i need to do, is to integrate my ACS 4.2 with Active Directory.
    for work with the user and Group that a register in my AD.
    Someon can help me please?

    You can't actually see the user's membership from ACS. All you can do, create group-mapping under external database >> group mapping section. This would give you an option to map external (AD) group with an Internal group.The group memberrship need to be modified under Active Directory.
    Once user is succussfully authenticated and learned as a dynamic user in ACS user setup database, it would be mapped with an ACS internal group based on group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • ACS 4.1, PIX 515, Active Directory

    I have a Windows environment with a PIX 515E firewall. We have site-to-site VPNs as well as VPN clients.
    I have just installed ACS 4.1 and would like to configure it to do vpn client authentication againt Active Directory.
    Can someone please post a link to a doc which describes this? I have been looking all day!
    Thanks in advance,
    Paul

    Thanks for the response. I actually figured this out since I posted the question yesterday. However, now I have a new question. I already have a client VPN set up on the PIX (6.3, btw) and I don't want to affect the current setup. I found how to exclude xauth from site-to-site VPNs, but is there any way that you can exclude current vpngroups from xauth?
    thanks,
    Paul

  • I have windows server 2012 R2 and install active directory

    My question is I install active directory in windows server 2012 R2 and create Group Policy. ( These set-up is only for test)
    Have not registered domain only install active directory to test. 
    So the problem is when I created Group policy for my user and put software restriction policy but its affected to my administrator accounts too, No when I open VMware (install Virtual Machine windows XP) and start os then its shows you can not user this
    software as you restricted from installing software (Something like that don't know exact Error). I could not start installed Virtual Machine. 
    Please give me a solution for this.
    This is the setup for a test use only so their not big environment connect with my pc.
    Thanks in advance.
    Regards,
    Krunal

    Hi,
    The following article is talking about creating and managing Group Policy on a Windows Server 2012:
    http://www.thomas-krenn.com/en/wiki/Creating_and_managing_a_Group_Policy_on_a_Windows_2012_Server
    As Darren Blanchard mentioned, if you want to apply the GPO, you could link it to an OU that contain the computer or user.
    Group Policy Overview
    http://technet.microsoft.com/en-us/library/hh831791.aspx
    Please feel free to let us know if you need further assistance.
    Regards.
    Vivian Wang

  • Cisco ISE 1.2 and 2 Active Directory Domains

    Hi Support,
    does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?
    We have two forests with a trust link between them.
    We have a seperate PKI in each domain.
    I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which can then use in a single authorisation policy.
    I take it that I would need local certs from each CA in the local certificate store of the ISE?
    We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.
    Thanks
    Mario

    Mario,
    This is possible.  Here are the guidelines for the Multi-Forest support in ISE 1.2:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1350874
    You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1349174
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Oracle context and MS Active Directory

    Hello,
    I have one pc with Windows Server 2003 and Oracle 10g r2
    When I add a user from my Active Directory in the External OS Users of the Oracle Managed Object (via mmc), I get this error:
    ORA-30041: Cannot grant quota on the tablespace
    And when I try to connect with this user (Active Directory user) to isqlplus, I get another error:
    ORA-28030: Server encountered problems accessing LDAP directory servic
    Someone know how to resolve these errors ?
    Server's Configs
    Active directory name: cyclops.home.com
    Host name: server.cyclops.home.com
    My database name in the Oracle context object of my Active directory: oracle_db
    My Oracle context: “CN=OracleContext,DC=home,DC=com"
    #Ldap.ora
    DEFAULT_ADMIN_CONTEXT = "DC=cyclops,DC=home,DC=com"
    DIRECTORY_SERVER_TYPE = AD
    #Listener.ora
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = C:\oracle\product\10.2.0\db_1)
    (PROGRAM = extproc)
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = server.cyclops.home.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    #Sqlnet.ora
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (LDAP)
    #Tnsnames.ora
    PROJET =
         (DESCRIPTION =
              (ADDRESS = (PROTOCOL = TCP)(HOST = server.cyclops.home.com)(PORT = 1521))
              (CONNECT_DATA =
                   (SERVER = DEDICATED)
                   (SERVICE_NAME = oracle_db)
    EXTPROC_CONNECTION_DATA =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    (CONNECT_DATA =
    (SID = PLSExtProc)
    (PRESENTATION = RO)

    When I use this cmd ldapbind -h cyclops.home.com that works.
    If I log to isqlplus with the system user and do select username from all_users; I can see my Active Directory user.
    I also changed the LDAP_DIRECTORY_ACCESS parameter to PASSWORD (default was SSL) but that changed nothing.
    Maybe the problem is from the Oracle wallet, I did one when I have created the database but I don't know well about it and the use. I think I should have something in my sqlnet.ora file related to the wallet but I don't know how to set.
    I search on internet, some homepages said I should use Oracle Net Manager to set the wallet location but I found nothing in Oracle Net manager for it.

  • Import and Export Active Directory users

    Hello,
    I want to export my Active Directory users and import them to different domain.
    I try to use ldifde without any success.
    Do anyone have any idea??
    Thanks,
    Lior

    I would suggest the Active Directory Migration tool.  
    http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
    D/L link: http://www.microsoft.com/en-us/download/details.aspx?id=8377
    If you have 2012, it will be a little more complicated.

  • Oracle Discoverer 10G and mapping Active Directory to use SSO/OID

    Could anybody point me please to the right direction?
    1. I've setup Oracle 10gIAS but turned off SSO and my users running discoverer /portals with no SSO.
    2. My goal is to turn on SSO and synchronize it with Active directory on the windows box.
    Thanks you in advance

    Hi Randy;
    As you mention all notes refer to SSO&OID for Active Directory integration.AFAIK there is no way to do it, please log a Sr and confirm this wiht oracle support
    Regard
    Helios

Maybe you are looking for

  • Living in a Widows World

    I am using a G4 Mirror Door. I put two QuickTime movies, One video and the other a slide show on my web page. It works fine on my computer, but some students cannot get it to work on their PC. Could someone look a d listen to my QuickTime on a PC and

  • How Oracle forms server 6i run on web?(Configuration)

    hi all, I want to run oracle forms on web. For that, I installed forms server 6i. I installed forms developer 6i. which web server i have to install? What are the configuration required for that both (Web Server and Forms Server)? can u give me sugge

  • Red Tinted Skin On Final DVD Burn

    I quite often get a skin tone that is way too red after burning a digital photo slideshow to iMovie HD. Does anyone else have this problem? If so, what are possible solutions. I use a Nikon D200 and should not have this problem. It does not occur whe

  • When iam restoring the database getting error

    hi , when iam restoring the database getting following error : SELECT schemaname FROM syscat.schemata WHERE schemaname='SAPTOOLS' SQL1328N An implicit connection attempt failed. The database alias name or database name "TPD" was not found in the loca

  • Firefox 16 causes my menus to display incorrectly on my websites. Menus built with AllWebMenus software.

    Dropdown menus (called from mouseovers) are shifted to the left in FireFox16 only. They are no longer aligned with the call box and not under the cursor. Firefox 15, Microsoft IE, and Google chrome all work correctly. Everything works except Firefox