Cisco Systems CSACS3415K9 Machine Authentication

8-43

User Guide for Cisco Secure Access Control System 5.4

OL-26225-01

Chapter8 Managing Users and I dentity Stores

Managing External Identity Stores

Note To prevent ACS from using the outdated mappings, you should create new AD groups instead of

changing or moving the existing ones. If you change or move the existing groups, you have to wait for

24 hours and restart the ACS services to refresh all the cached data .

ACS 5.4 supports certificate authorization.

If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to

communicate with AD. The following are the default ports to be opened:

Note Dial-in users are not supported by AD in ACS.

This section contains the following topics:

•Machine Authentication, page 8-43

•Attribute Retrieval for Authorization, page 8-44

•Group Retrieval for Authorization, page 8-44

•Certificate Retrieval for EAP-TLS Authentication, page8-44

•Concurrent Connection Management, page8-44

•User and Machine Account Restrictions, page 8-44

•Machine Access Restrictions, page 8-45

•Dial-In Permissions, page 8-47

•Callback Options for Dial-In users, page 8-48

•Joining ACS to an AD Domain, page8-49

•Selecting an AD Group, page 8-53

•Configuring AD Attributes, page8-54

•Configuring Machine Access Restrictions, page 8-56

Machine Authentication

Machine authentication provides access to network services to only these computers that are listed in

Active Directory. This becomes very important for wireless networks because unauthorized users can try

to access your wireless access points from outside your office building.

Protocol Port number

LDAP 389/udp

SMB 445/tcp

KDC 88/(tcp/udp)

Global catalog 3268/tcp

KPASS 464/tcp

NTP 123/udp

DNS 53/(tcp/udp)