8-49
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
The callback number value is also returned on the RADIUS response, using the RADIUS attribute
CallbackNumber (#19).
If the callback option is Set by Caller, the RADIUS response contains the following attributes with no
value:
cisco-av-pair=lcp:callback-dialstring=
cisco-av-pair=Shell:callback-dialstring=
cisco-av-pair=Slip:callback-dialstring=
cisco-av-pair=Arap:callback-dialstring=
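As an added illustration that is not part of the Cisco guide, the following Python shows what these response attributes look like on the wire: it encodes the callback response using the RADIUS attribute and Vendor-Specific layouts of RFC 2865 (Cisco enterprise number 9, cisco-av-pair vendor type 1), then decodes it back so that an analyst reading a RADIUS trace can tell a fixed callback number from Set by Caller. The sample number is constructed.

```python
import struct
from typing import List, Optional, Tuple

CALLBACK_NUMBER, VENDOR_SPECIFIC = 19, 26   # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1       # Cisco enterprise number, cisco-av-pair vendor type
CALLBACK_SERVICES = ("lcp", "Shell", "Slip", "Arap")  # the four services listed above

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_cisco_av_pair(text: str) -> bytes:
    """Cisco VSA layout inside attribute 26: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    body = text.encode()
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(body) + 2) + body)

def callback_attrs(number: Optional[str]) -> bytes:
    """Callback-Number when a number is configured; otherwise the four empty callback-dialstring
    av-pairs that signal Set by Caller (the av-pair text is on the wire, only the part after '=' is empty)."""
    return encode_attr(CALLBACK_NUMBER, number.encode()) if number else b"".join(
        encode_cisco_av_pair(f"{s}:callback-dialstring=") for s in CALLBACK_SERVICES)

def decode_attrs(data: bytes) -> List[Tuple]:
    """Parse back into (type, vendor_id, vendor_type, value), checking both length fields."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute length")
        attr_type, length = data[i], data[i + 1]
        value = data[i + 2:i + length]
        if attr_type != VENDOR_SPECIFIC:
            out.append((attr_type, None, None, value))
        else:
            if len(value) < 6 or value[5] != len(value) - 4:   # Vendor-Length covers type+len+string
                raise ValueError("malformed Vendor-Specific attribute")
            vendor_id, vendor_type = struct.unpack("!IB", value[:5])
            out.append((attr_type, vendor_id, vendor_type, value[6:]))
        i += length
    return out

def callback_mode(data: bytes) -> Optional[str]:
    """'fixed' if Callback-Number is present, 'set-by-caller' if all four empty dialstrings are, else None."""
    attrs = decode_attrs(data)
    if any(t == CALLBACK_NUMBER for t, _, _, _ in attrs):
        return "fixed"
    empty = {v.decode().split(":")[0] for t, vid, vt, v in attrs
             if (t, vid, vt) == (VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AV_PAIR) and v.endswith(b":callback-dialstring=")}
    return "set-by-caller" if empty == set(CALLBACK_SERVICES) else None
```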
Joining ACS to an AD Domain
In ACS 5.4, you can join the ACS nodes from the same deployment to different AD domains. However, each
node can be joined to only a single AD domain. The policy definitions of those ACS nodes are not changed,
and they continue to use the same AD identity store.
For information on how to configure an AD identity store, see Configuring an AD Identity Store,
page 8-49.
Note The Windows AD account that joins ACS to the AD domain can be placed in its own organizational
unit (OU). It can be placed in its own OU either when the account is created or later on, with the restriction that
the appliance name must match the name of the AD account.
Note ACS does not support user authentication in AD when a user name is supplied with an alternative UPN
suffix that is configured at the OU level. Authentication works correctly if the UPN suffix is configured at the domain
level.
Related Topics
Machine Authentication, page B-35
Configuring an AD Identity Store
The AD settings are not displayed by default, and the ACS nodes are not joined to an AD domain when you first
install ACS. When you open the AD configuration page, you can see the list of all ACS nodes in the
distributed deployment.
When you configure an AD identity store, ACS also creates the following:
A new dictionary for that store with two attributes: the ExternalGroup attribute and another attribute
for any attribute that is retrieved from the Directory Attributes page.
A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this
attribute.
A custom condition for group mapping from the ExternalGroup attribute—the custom condition
name is AD1:ExternalGroups—and another custom condition for each attribute that is selected in
the Directory Attributes page (for example, AD1:cn).
You can edit the predefined condition name, and you can create a custom condition from the Custom
condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.