Using Active Directory external database with Cisco ACS 5.x

Last time we set up our ACS 5.x to authenticate against the RSA SecurID external database. Before that we saw how to connect the ACS to Active Directory (AD). Now we will use the AD database for authentication, much like we did with the RSA database.

Like the RSA admin from the previous post, the Active Directory admin has to perform some tasks. In AD he/she creates a group, for example “NetworkAdmins”, and places AD users inside that group. These users will be granted some sort of access later, through the ACS AAA process. From the “Active Directory Users And Computers” AD tool:
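The same AD administrator step done from PowerShell, as an added example that is not part of the original post: it creates the “NetworkAdmins” security group, adds users to it and reads the membership back. The OU path and the user names are placeholders and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: create the group the ACS will later map, then verify it.
Import-Module ActiveDirectory

$GroupName = 'NetworkAdmins'
$GroupPath = 'OU=Groups,DC=example,DC=local'   # placeholder OU
$Members   = @('jdoe', 'asmith')               # placeholder sAMAccountNames

# Create the group only if it does not exist yet (idempotent).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath `
        -Description 'Network device administrators (ACS AD1 mapping)' -PassThru
}

# Put the network administrators into the group.
Add-ADGroupMember -Identity $group -Members $Members

# Read the membership back; this is what the ACS "Directory Groups" lookup will see.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
```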


That is all from the AD administrator. Let’s go to the ACS…

Under “Users and Identity Stores->External Identity Stores->Active Directory” we select “Directory Groups” tab and click “Select”:


An “External User Groups” window opens. We can type the complete name “NetworkAdmins” or use “*” as a wildcard and click “Go”. The ACS will retrieve all groups from AD that match the criteria. We select the desired group and click “Ok”:


Then we click “Save Changes”. We now need to create an access service. We can do a little trick: duplicate and then change the “RSA Device Admin” access service we created in the previous post. We just change the name and description and click “Submit”. A pop-up appears asking if we want to actually activate this service. We want!


Again we could take the already created rule, “Rule-4” from the previous post, duplicate it and change some properties. We could of course create a rule from scratch. We will duplicate. Under “Access Policies->Access Services->Service Selection Rules” we select “Rule-4” and click “Duplicate”:


We only need to change the name and the result. We don’t want to use the “RSA Device Admins” access service as the result, but the newly duplicated and changed “AD Device Admin”. Then we click “Ok”:


We move this rule, “Rule-3”, to the top of the list and click “Save Changes”:


We still need to change the “AD Device Admin” access service properties, because we made it by duplicating the “RSA Device Admin” service. For example, the identity source for our rule is now “RSA SecurID AM” and needs to be “AD1”. This “AD1” represents our ACS-to-AD connection. So, under “Access Policies->Access Services->AD Device Admin->Identity” we click “Select” and select “AD1”:



Then we click “Ok” and “Save Changes”.

For authorization, under “Access Policies->Access Services->AD Device Admin->Authorization”, because we copied this access service, the result is the shell profile called “PRIVILEGE_15”. We may leave this, or create and use another result. We will keep the current setting:


Now it is time to test our scenario. If we did everything right, instead of accessing the switch using a token, we will log in with a user from the Active Directory group “NetworkAdmins”. There is nothing we need to change on the switch, since it still talks TACACS+ to the same ACS.

To verify this, we will log in to the switch and then check the ACS logs:


And we can see that everything works as we configured and expected.

Thanks for reading!


6 Responses to Using Active Directory external database with Cisco ACS 5.x

  1. Yasin says:

    Hello there, I have been learning a lot from your blog. However, I am stuck at a certain point. I am trying to integrate ACS with Active Directory. I have successfully joined my ACS to the Windows domain, correctly created a shell profile, in my identity sequence I can see AD1, but then while configuring the access policy I go to default device admin, and when I select single result selection from identity I don’t see any drop-down box for identity source. Could I have missed any step?

    • Sasa says:

      You should have a button named “Select” next to “Identity Source” field. Once clicked, that button will allow you to select any data source you have properly configured. If you don’t see that button, try another browser. ACS is kinda picky with regards to this. I’m using Firefox.

  2. Yasin says:

    Your solution worked like a charm!! Tried it in Google Chrome, and now I can see the drop-down box as well as the select button. Thanks a ton!!! You’re awesome!

  3. PKI-Curious says:

    A lot of enterprises are now using Single Sign-On with smart cards and certs that authenticate from a desktop with the AD domain controller. In theory, we should be able to set up Cisco ACS to proxy AD as an external store and let net admins SSHing into switches/routers also have their authentication/authorization happen via a certificate from the same smart card sitting in their desktop/laptop reader. If it’s doable, could you post a how-to page for that?

    • Sasa says:

      Traditional authentication against AD through the ACS is very easy to do. Using certificates? Perhaps, but it sounds like a kinda complicated scenario for me to try any time soon.
