8-42
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
An AD user password change made using the methods above must comply with the AD password policy. Check with your AD administrator for the complete set of AD password policy rules. The important AD password policy rules are:
Enforce password history N passwords remembered
Maximum password age N days
Minimum password age N days
Minimum password length N characters
Password must meet complexity requirements
AD uses the Maximum password age N days rule to detect password expiry. All other rules are applied during a password change attempt.
ACS supports these AD domains:
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and set the maximum time allowed between machine authentication and an authentication of a user from the same machine.
MAR most commonly fails the authentication of a user whose host machine did not successfully authenticate, or when the time between machine authentication and user authentication exceeds the specified aging time. You can add MAR as a condition in authentication and authorization rules as required.
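The MAR aging-time rule described above, replayed over a constructed sequence of authentication events. This is an added illustration in Python, not ACS code; the host names, user names, timestamps and the 6-hour aging time are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AuthEvent:
    timestamp: datetime
    kind: str                   # "machine" or "user"
    host: str                   # host the request came from (constructed names below)
    success: bool               # result of the credential check itself
    user: Optional[str] = None  # set for user events only

def evaluate_mar(events: list[AuthEvent], aging_time: timedelta) -> list[tuple[str, bool]]:
    """Replay events in time order; return (user, passes_MAR) for each user request.
    A user passes only if the same host last authenticated successfully no more
    than `aging_time` before the user request."""
    last_machine_auth: dict[str, datetime] = {}
    verdicts: list[tuple[str, bool]] = []
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.kind == "machine":
            if e.success:
                last_machine_auth[e.host] = e.timestamp
            else:
                # a failed machine authentication invalidates any earlier success
                last_machine_auth.pop(e.host, None)
            continue
        last = last_machine_auth.get(e.host)
        ok = last is not None and timedelta(0) <= e.timestamp - last <= aging_time
        verdicts.append((e.user, ok))
    return verdicts

def sample_verdicts() -> list[tuple[str, bool]]:
    """Constructed sample: 6 hour aging time, three hosts, four user requests."""
    t0 = datetime(2024, 1, 1, 8, 0)
    events = [
        AuthEvent(t0, "machine", "pc1", True),
        AuthEvent(t0 + timedelta(minutes=30), "user", "pc1", True, "alice"),         # 30 min: within aging time
        AuthEvent(t0 + timedelta(hours=1), "user", "pc2", True, "bob"),              # pc2 never authenticated
        AuthEvent(t0 + timedelta(hours=2), "machine", "pc3", False),
        AuthEvent(t0 + timedelta(hours=2, minutes=5), "user", "pc3", True, "dave"),  # pc3 machine auth failed
        AuthEvent(t0 + timedelta(hours=7), "user", "pc1", True, "carol"),            # 7 h > 6 h: aged out
    ]
    return evaluate_mar(events, aging_time=timedelta(hours=6))
```

Only alice passes: bob's host never authenticated, dave's host failed machine authentication, and carol's request arrives after the aging time has elapsed.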
When joining ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server.
If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with.
Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli.html for more information.
The ACS appliance uses different levels of cache for AD groups to optimize performance. AD groups are identified by a unique identifier, the SID. ACS retrieves the SIDs that belong to the user and uses the cached mapping of the SIDs to the full name and path of the group. The AD client component caches the mapping for 24 hours. The run time component of ACS queries the AD client and caches the results for as long as it is running.
To prevent ACS from using outdated mappings, create new AD groups instead of changing or moving the existing ones. If you change or move the existing groups, you have to wait 24 hours and restart the ACS services to refresh all the cached data.
ACS 5.3 supports certificate authorization.