Last time we set up our ACS 5.x to authenticate against the RSA SecurID external database. Before that, we saw how to connect the ACS to Active Directory (AD). Now we will use the AD database for authentication, much like we did with the RSA database.
As with the RSA administrator in the previous post, the Active Directory administrator has some tasks to perform. In AD, they create a group, for example “NetworkAdmins”, and place the AD users in it. These users will be granted access later, through the ACS AAA process. From the “Active Directory Users and Computers” tool:
That is all the AD administrator needs to do. Let’s go to the ACS…
Under “Users and Identity Stores->External Identity Stores->Active Directory” we select the “Directory Groups” tab and click “Select”:
An “External User Groups” window opens. We can type the complete name “NetworkAdmins” or use “*” as a wildcard and click “Go”. The ACS retrieves all AD groups that match the criteria. We select the desired group and click “OK”. Only groups added here can be referenced later as conditions in ACS policy rules:
Then we click “Save Changes”. Next we need an access service. We can take a shortcut: duplicate the “RSA Device Admin” access service we created in the previous post and modify it. We only change the name and description and click “Submit”. A pop-up asks whether we want to activate this service. We do!
Again we can reuse an existing rule, “Rule-4” from the previous post: duplicate it and change a few properties. We could of course create a rule from scratch, but we will duplicate. Under “Access Policies->Access Services->Service Selection Rules” we select “Rule-4” and click “Duplicate”:
We only need to change the name and the result. Instead of the “RSA Device Admin” access service, the result should be the newly duplicated and renamed “AD Device Admin” service. Then we click “OK”:
We move this rule, “Rule-3”, to the top of the list and click “Save Changes”. Service selection rules are evaluated top down and the first match wins; since this rule has exactly the same conditions as the RSA rule it was copied from, whichever of the two is higher decides which access service, and therefore which identity store, handles the device logins:
We still need to change the “AD Device Admin” access service properties, because we made it by duplicating the “RSA Device Admin” service. For example, the identity source for our rule is still “RSA SecurID AM” and needs to be “AD1”. This “AD1” is the name of our ACS to AD connection. So, under “Access Policies->Access Services->AD Device Admin->Identity” we click “Select” and choose “AD1”:
Then we click “OK” and “Save Changes”.
For authorization, under “Access Policies->Access Services->AD Device Admin->Authorization”, the result is the shell profile “PRIVILEGE_15”, because we copied this access service. We could leave this, or create and use another result. We keep the current setting. It is worth checking that the authorization rule’s condition restricts this result to members of the “NetworkAdmins” group we retrieved earlier; otherwise every AD account that “AD1” authenticates would receive privilege 15:
Now it is time to test our scenario. If we did everything right, instead of accessing the switch with a token we can log in with a user from the Active Directory group “NetworkAdmins”. There is nothing we need to change on the switch.
To verify this, we log in to the switch and check the ACS logs:
And we can see that everything works as we configured and expected.
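Besides logging in on the switch, the ACS-to-AD path can be exercised directly with a small TACACS+ probe. The script below is an added example, not code from the original post; it assumes the device admin service is TACACS+ (which the shell profile result suggests), that the host running it is defined in the ACS as a network device with the same shared secret, and that the address, secret and credentials are placeholders for your own. It sends one PAP authentication START packet (RFC 8907) and decodes the REPLY, so a “PASS” means the ACS accepted the AD account and the attempt should appear in the ACS logs.

```python
"""Minimal TACACS+ (RFC 8907) PAP authentication probe.

Constructed example, not part of the original post: it sends a single
authentication START packet (authen_type PAP) and decodes the REPLY, so
an AD account from "NetworkAdmins" can be checked against the ACS from a
host that the ACS knows as a network device with the same shared secret.
Address, secret and credentials near the bottom are placeholders.
"""
import hashlib
import os
import socket
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1      # PAP and CHAP logins require minor version 1
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear

# REPLY status codes (RFC 8907 section 5.2)
STATUS_NAMES = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 keystream from RFC 8907 section 4.5, truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port="tty0", rem_addr="192.0.2.10"):
    """Authentication START body: PAP login at privilege level 1, password in data."""
    user_b, port_b, rem_b, data_b = (s.encode() for s in (user, port, rem_addr, password))
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b),
                        len(rem_b), len(data_b))
    return fixed + user_b + port_b + rem_b + data_b


def build_packet(body, session_id, key, seq_no=1):
    """Prepend the 12-byte header and obfuscate the body with the shared secret."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE  # 0xC1
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_reply(packet, key):
    """Return (status name, server_msg) from an authentication REPLY packet."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode(errors="replace")
    return STATUS_NAMES.get(status, hex(status)), server_msg


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the ACS closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("ACS closed the TACACS+ session early")
        buf += chunk
    return buf


def tacacs_pap_login(host, key, user, password, port=49, timeout=5.0):
    """One TCP session: send START, return the decoded REPLY (PASS/FAIL/...)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    pkt = build_packet(build_authen_start(user, password), session_id, key)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        hdr = recv_exact(s, HEADER_LEN)
        length = struct.unpack(HEADER_FMT, hdr)[5]
        return parse_authen_reply(hdr + recv_exact(s, length), key)


if __name__ == "__main__":
    # Placeholders: ACS address, the shared secret configured for this host
    # as a network device, and an AD account that is a member of NetworkAdmins.
    print(tacacs_pap_login("192.0.2.1", b"SharedSecret", "netadmin1", "P@ssw0rd"))
```

A “FAIL” for a known-good AD account usually points at the service selection order or the identity source still being “RSA SecurID AM”; an “ERROR” or a closed connection typically means the probing host is not a registered network device or the shared secret does not match, since a wrong secret turns the body into garbage on the ACS side.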
Thanks for reading!