8-57
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores

AD Deployments with Users Belonging to Large Number of Groups

In ACS 5.3, when you move between AD domains, user authentications fail with a timeout error if the
user belongs to a large number of groups (more than 50 groups). Subsequent authentications of the same
user, or of another user who belongs to the same group, work properly. This is caused by the
adclient.get.builtin.membership parameter in the ACS AD agent configuration: when it is set to true, the
agent issues many additional requests and takes a long time for users who belong to a large number of
groups. You can observe that the AD built-in groups are not available for use in ACS policies after
the adclient.get.builtin.membership parameter is set to true. To overcome this issue, set the
adclient.get.builtin.membership parameter to false.
To set the adclient.get.builtin.membership parameter, perform the following steps in the ACS CLI:
Step 1 Log into the ACS CLI in configuration mode.
Step 2 Enter the following commands:
acs-config
ad-agent-configuration adclient.get.builtin.membership false
Note The first authentication of a user who belongs to a large number of groups may fail with a timeout
error. Subsequent authentications of the same user, or of another user who belongs to the same group,
work properly.
Joining ACS to Domain Controllers
When ACS needs to connect to a domain controller or a global catalog, it sends SRV requests to the
configured DNS servers to find out the available list of domain controllers for a domain and the global
catalogs for a forest.
If the Active Directory configuration on the ACS machine is assigned to a subnet, which in turn is assigned
to a site, then ACS sends the DNS queries scoped to that site. That is, the DNS server is expected to return
only the domain controllers and global catalogs serving the site to which the subnet is assigned.
If the ACS machine is not assigned to a site, ACS sends the DNS queries without site scoping. That is, the
DNS server is expected to return all available domain controllers and global catalogs regardless of site.
ACS iterates over the returned list of domain controllers or global catalogs and tries to establish a
connection in the order in which they appear in the DNS response received from the DNS server.
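The lookup described above, as an added example that is not part of the Cisco guide: it builds the SRV names an AD client asks for when locating domain controllers and global catalogs, with and without site scoping, parses a dig-style SRV answer, and lists the hosts a client walking the answer in response order (as the text says ACS does) would try. The _msdcs record-name layouts and the global catalog port 3268 are the standard Active Directory ones; the domain example.test, the site HQ, the host names and the answer text are constructed.

```python
"""Added example (not from the Cisco guide): AD DC/GC locator SRV names,
site-scoped and unscoped, applied to a constructed dig-style SRV answer."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def srv_name(kind: str, name: str, site: Optional[str] = None) -> str:
    """kind 'dc' with a domain or 'gc' with a forest root; a site scopes the query."""
    scope = f"{site}._sites." if site else ""
    return f"_ldap._tcp.{scope}{kind}._msdcs.{name}".lower()


# dig(1)-style answer line: "<owner> <ttl> IN SRV <prio> <weight> <port> <target>."
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv_answer(text: str) -> Dict[str, List[Srv]]:
    """Group SRV records by owner name, preserving the order of the response."""
    out: Dict[str, List[Srv]] = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            owner = m.group(1).rstrip(".").lower()
            rec = Srv(int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).lower())
            out.setdefault(owner, []).append(rec)
    return out


def connection_order(answers, kind, name, site=None) -> List[str]:
    """host:port targets ACS would try, in response order, for the given query."""
    return [f"{r.target}:{r.port}" for r in answers.get(srv_name(kind, name, site), [])]


# Constructed answer for domain example.test with one site named HQ (dc2 serves HQ).
SAMPLE_ANSWER = """
_ldap._tcp.dc._msdcs.example.test.            600 IN SRV 0 100 389  dc1.example.test.
_ldap._tcp.dc._msdcs.example.test.            600 IN SRV 0 100 389  dc2.example.test.
_ldap._tcp.dc._msdcs.example.test.            600 IN SRV 0 100 389  dc3.example.test.
_ldap._tcp.hq._sites.dc._msdcs.example.test.  600 IN SRV 0 100 389  dc2.example.test.
_ldap._tcp.gc._msdcs.example.test.            600 IN SRV 0 100 3268 dc1.example.test.
"""

if __name__ == "__main__":
    ans = parse_srv_answer(SAMPLE_ANSWER)
    print(connection_order(ans, "dc", "example.test"))        # no site: every DC
    print(connection_order(ans, "dc", "example.test", "HQ"))  # site HQ: only dc2
```

Running the same two queries against a real DNS server with dig or nslookup (type SRV) shows whether site-scoped records exist for the site the ACS subnet is assigned to; an empty site-scoped answer explains why ACS would fall back to all domain controllers.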
RSA SecurID Server
ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication
consists of the user’s personal identification number (PIN) and an individually registered RSA SecurID
token that generates single-use token codes based on a time code algorithm.
A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA
SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is
not possible to predict the value of a future token code based on past token codes.