8-43
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Note To prevent ACS from using the outdated mappings, you should create new AD groups instead of
changing or moving the existing ones. If you change or move the existing groups, you have to wait for
24 hours and restart the ACS services to refresh all the cached data.
ACS 5.4 supports certificate authorization.
If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to
communicate with AD. The following are the default ports to be opened:

Protocol          Port number
LDAP              389/udp
SMB               445/tcp
KDC               88/(tcp/udp)
Global catalog    3268/tcp
KPASS             464/tcp
NTP               123/udp
DNS               53/(tcp/udp)

Note Dial-in users are not supported by AD in ACS.

This section contains the following topics:
Machine Authentication, page 8-43
Attribute Retrieval for Authorization, page 8-44
Group Retrieval for Authorization, page 8-44
Certificate Retrieval for EAP-TLS Authentication, page 8-44
Concurrent Connection Management, page 8-44
User and Machine Account Restrictions, page 8-44
Machine Access Restrictions, page 8-45
Dial-In Permissions, page 8-47
Callback Options for Dial-In users, page 8-48
Joining ACS to an AD Domain, page 8-49
Selecting an AD Group, page 8-53
Configuring AD Attributes, page 8-54
Configuring Machine Access Restrictions, page 8-56

Machine Authentication

Machine authentication provides access to network services to only those computers that are listed in
Active Directory. This becomes very important for wireless networks because unauthorized users can try
to access your wireless access points from outside your office building.
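The firewall port list above is easy to get wrong, and a blocked port usually surfaces only as a failed domain join. The following script is an added example, not a Cisco tool and not part of this guide: it encodes the default ACS-to-AD port table and probes each TCP port with a plain connect from a host on the same network segment as ACS (ACS itself is an appliance and does not run user scripts). UDP entries cannot be verified with a connect and are reported as unverified; the domain controller name `dc1.example.com` is a placeholder.

```python
"""Pre-join reachability check for the default ACS-to-AD ports.

Added example (not from the Cisco guide). Run from a host on the ACS
network segment, pointed at a domain controller, to see which of the
default ports a firewall is blocking before attempting the domain join.
Only TCP ports are probed with connect(); UDP entries need a
protocol-aware probe and are reported as unverified.
"""
import socket

# Default ports from the guide's table: (service, port, protocols)
AD_PORTS = (
    ("LDAP", 389, ("udp",)),
    ("SMB", 445, ("tcp",)),
    ("KDC", 88, ("tcp", "udp")),
    ("Global catalog", 3268, ("tcp",)),
    ("KPASS", 464, ("tcp",)),
    ("NTP", 123, ("udp",)),
    ("DNS", 53, ("tcp", "udp")),
)


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_ad_ports(dc_host, probe=tcp_port_open):
    """Probe every TCP entry in AD_PORTS against dc_host.

    Returns a dict keyed by (service, port, proto) whose values are
    True (open), False (blocked or closed) or None (UDP, not probed).
    `probe` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for service, port, protos in AD_PORTS:
        for proto in protos:
            if proto == "tcp":
                results[(service, port, proto)] = probe(dc_host, port)
            else:
                results[(service, port, proto)] = None
    return results


def blocked_ports(results):
    """Sorted 'service port/proto' strings for TCP ports that failed."""
    return sorted(f"{svc} {port}/{proto}"
                  for (svc, port, proto), ok in results.items() if ok is False)


def unverified_ports(results):
    """Sorted UDP entries that still need a protocol-specific test."""
    return sorted(f"{svc} {port}/{proto}"
                  for (svc, port, proto), ok in results.items() if ok is None)


if __name__ == "__main__":
    import sys
    # Placeholder domain controller name; pass the real one as argv[1].
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"
    res = check_ad_ports(dc)
    labels = {True: "open", False: "BLOCKED", None: "unverified (udp)"}
    for key in sorted(res, key=lambda k: k[1]):
        print(f"{key[0]:<15} {key[1]}/{key[2]:<4} {labels[res[key]]}")
    if blocked_ports(res):
        print("Open these on the firewall before joining ACS to the domain:",
              ", ".join(blocked_ports(res)))
```

Run it as `python3 check_ad_ports.py <domain-controller>`; anything reported as BLOCKED must be allowed through the firewall before the join, and the UDP rows (LDAP, KDC, NTP, DNS) should be confirmed separately with the corresponding client tools, since a silent UDP drop is indistinguishable from a slow reply.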