Cisco Acs 57 User Guide
Page 191
6 Managing Users and Identity Stores: Managing External Identity Stores

Dial-In Support Attributes

The user attributes on Active Directory are supported on the following servers:
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2

ACS does not support dial-in users on Windows 2000.

ACS Response

If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access' on Active...
Page 192
Joining ACS to an AD Domain

In ACS 5.7, you can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to only a single AD domain. The policy definitions of those ACS nodes are not changed, and they all use the same AD identity store. For information on how to configure an AD identity store, see Configuring an AD Identity Store, page 62.

Note: The Windows AD account, which joins ACS to the AD...
Page 193
3. Click:
Save Changes to save the configuration.
Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify the following:
—There are no policy rules that use custom conditions based on the AD dictionary.
—The AD is not chosen as the identity source in any of the available access services.
—There are no identity store sequences with the AD.

The...
Page 194
2. Select a single node or multiple nodes and click Join/Test Connection. The Join/Test Connection page appears.
3. Complete the fields in the Join/Test Connection page as described in Table 51 on page 64.
4. Click:
Join to join the selected nodes to the AD domain. The status of the nodes is changed according to the join results.
Test Connection to test the connection to ensure that the entered credentials are correct and the AD...
Page 195
4. Click:
Leave to disconnect the selected nodes from the AD domain.
Cancel to cancel the operation.

Note: Administrators can perform operations like join, leave, or test connection from the secondary server. When you perform these operations from the secondary server, it affects only the secondary server.

Related Topics
Selecting an AD Group, page 65
Configuring AD Attributes, page 66
Configuring Machine Access Restrictions,...
Page 196
If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results. You can also add a new AD group using the Add button.

Note: ACS 5.7 does not retrieve domain local groups. It is not recommended to use domain local groups in ACS policies. The reason is that the membership evaluation in domain local groups can be time consuming. So, by default, the...
Page 197
Table 53 Active Directory: Attributes Page

Option | Description
Name of example Subject to Select Attributes | Enter the name of a user or computer found on the joined domain. You can enter the user's or the computer's CN or distinguished name. The set of attributes that are displayed belong to the subject that you specify. The set of attributes is different for a user and a computer.
Select | Click to access the Attributes secondary...
Page 198
3. Do one of the following:
Click Save Changes to save the configuration.
Click Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Configuring Machine Access Restrictions

To configure the Machine Access Restrictions, complete the following steps:
1. Choose...
Page 199
Click Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

AD Deployment with Users Belonging to Large Number of Groups

In ACS, when you move between AD domains, the user authentications show a timeout error if the user belongs to a large number of groups...
Page 200
Using the RSA SecurID agent—Users are authenticated with username and passcode through the RSA's native protocol.
Using the RADIUS protocol—Users are authenticated with username and passcode through the RADIUS protocol.

The RSA SecurID token server in ACS 5.7 integrates with the RSA SecurID authentication technology by using the RSA SecurID Agent.

Configuring RSA SecurID Agents

The RSA SecurID Server administrator can do the...