Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

A password change for an AD user through the methods described above must comply with the AD password policy. Check with your AD administrator for the complete set of password policy rules in effect. The important AD password policy rules are:

Enforce password history N passwords remembered

Maximum password age N days

Minimum password age N days

Minimum password length N characters

Password must meet complexity requirements

AD uses only the Maximum password age N days rule to detect password expiry. All of the other rules are enforced when a password change is attempted.
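The following is an added example, not code from this guide or from ACS: a local model of the five password-policy rules listed above, so that an operator can see which rule would reject a user's password change before ACS forwards the change to AD. The policy values, the sample user and the password history are constructed for illustration; the real values come from your AD administrator. The complexity check follows the documented Microsoft rule (account name and display-name tokens must not appear in the password, and characters from at least three of five categories are required).

```python
"""Added example, not code from the Cisco ACS user guide: a local model of the
Active Directory password-policy rules listed above. The policy values, the
sample user and the password history are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import re


@dataclass
class PasswordPolicy:
    history_length: int        # Enforce password history: N passwords remembered
    max_age_days: int          # Maximum password age: N days (0 = never expires)
    min_age_days: int          # Minimum password age: N days
    min_length: int            # Minimum password length: N characters
    complexity_required: bool  # Password must meet complexity requirements


@dataclass
class UserRecord:
    sam_account_name: str
    display_name: str
    password_last_set: datetime
    history: list = field(default_factory=list)  # digests of previous passwords, newest first


def _digest(password: str) -> str:
    # Illustration only: AD keeps NT hashes, not SHA-256, but history is compared the same way.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def _name_tokens(display_name: str):
    # The complexity check splits the display name on these delimiters and ignores
    # tokens shorter than three characters.
    return [t for t in re.split(r"[,.\-_ #\t]", display_name) if len(t) >= 3]


def meets_complexity(password: str, user: UserRecord) -> bool:
    """Microsoft's 'must meet complexity requirements' rule: at least six characters,
    no samAccountName (if 3+ chars) and no display-name token inside the password,
    and characters from at least three of five categories."""
    lowered = password.lower()
    if len(user.sam_account_name) >= 3 and user.sam_account_name.lower() in lowered:
        return False
    if any(tok.lower() in lowered for tok in _name_tokens(user.display_name)):
        return False
    if len(password) < 6:
        return False
    categories = (
        any(c.isupper() for c in password),                                   # uppercase
        any(c.islower() for c in password),                                   # lowercase
        any(c.isdigit() for c in password),                                   # base-10 digits
        any(not c.isalnum() for c in password),                               # non-alphanumeric
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),  # other Unicode letters
    )
    return sum(categories) >= 3


def check_password_change(user, policy, new_password, now):
    """Return the names of the rules a change would violate; an empty list means AD would accept it."""
    violations = []
    if now - user.password_last_set < timedelta(days=policy.min_age_days):
        violations.append("minimum password age")
    if len(new_password) < policy.min_length:
        violations.append("minimum password length")
    if policy.complexity_required and not meets_complexity(new_password, user):
        violations.append("complexity requirements")
    if _digest(new_password) in user.history[:policy.history_length]:
        violations.append("password history")
    return violations


def is_expired(user, policy, now):
    """Only the maximum-age rule decides expiry; the other rules apply at change time."""
    return policy.max_age_days > 0 and now - user.password_last_set > timedelta(days=policy.max_age_days)


def build_sample():
    """Constructed policy and users used by the demonstration below."""
    now = datetime(2012, 1, 10, 8, 0)
    policy = PasswordPolicy(history_length=24, max_age_days=90, min_age_days=1,
                            min_length=8, complexity_required=True)
    jdoe = UserRecord("jdoe", "Doe, John", now - timedelta(days=30),
                      [_digest("Winter2011!"), _digest("Autumn2011!")])
    asmith = UserRecord("asmith", "Smith, Anna", now - timedelta(hours=2))   # changed 2 h ago
    bold = UserRecord("bold", "Old, Bob", now - timedelta(days=91))          # past maximum age
    return {"now": now, "policy": policy, "jdoe": jdoe, "asmith": asmith, "bold": bold}


if __name__ == "__main__":
    s = build_sample()
    for candidate in ("Winter2011!", "johndoe12", "Sh0rt!", "Spring2012$Secure"):
        print(candidate, "->", check_password_change(s["jdoe"], s["policy"], candidate, s["now"]) or "accepted")
    print("asmith ->", check_password_change(s["asmith"], s["policy"], "Spring2012$Secure", s["now"]))
    print("bold expired:", is_expired(s["bold"], s["policy"], s["now"]))
```

Running the block reports "password history" for a reused password, "complexity requirements" for a password containing the display-name token "doe", "minimum password length" for a short one, and "minimum password age" for a user who changed the password two hours ago, which mirrors the order in which an administrator would look at the rules when a change through ACS is rejected.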

ACS supports these AD domains:

Windows Server 2003

Windows Server 2003 R2

Windows Server 2008

Windows Server 2008 R2

The ACS machine access restriction (MAR) feature uses AD to map machine authentication to user authentication and authorization, and sets the maximum time allowed between a machine authentication and an authentication of a user from the same machine.

Most commonly, MAR fails the authentication of users whose host machine did not successfully authenticate, or whose host authenticated longer ago than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required.
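The following is an added example, not ACS code: a model of the MAR decision described above, run over a constructed stream of machine and user authentication events. A successful machine authentication is recorded per host (keyed by its Calling-Station-Id, normally the host MAC address), and a later user authentication from the same host passes the MAR condition only if that machine authentication is no older than the configured aging time. The host identifiers, user names, timestamps and the 6-hour aging value are constructed; ACS's own MAR cache implementation is not shown here.

```python
"""Added example, not ACS code: a model of the machine access restriction (MAR)
decision. Host identifiers, principals and timestamps are constructed."""
from datetime import datetime, timedelta


class MachineAccessRestriction:
    def __init__(self, aging_hours):
        self.aging = timedelta(hours=aging_hours)
        self._machine_auths = {}  # calling-station-id -> time of last successful machine auth

    def record_machine_auth(self, calling_station_id, when, succeeded):
        # Only a successful machine authentication starts (or refreshes) the aging clock.
        if succeeded:
            self._machine_auths[calling_station_id] = when

    def evaluate_user_auth(self, calling_station_id, when):
        """Return ('accept', reason) or ('reject', reason) for a user authentication
        arriving from the given host at time `when`."""
        last = self._machine_auths.get(calling_station_id)
        if last is None:
            return ("reject", "no-machine-auth")
        if when - last > self.aging:
            return ("reject", "aging-time-exceeded")
        return ("accept", "machine-auth-within-aging-time")


def process_events(mar, events):
    """Feed a time-ordered list of (time, kind, calling_station_id, principal, succeeded)
    events through MAR and return the decision for every user authentication."""
    decisions = []
    for when, kind, station, principal, succeeded in events:
        if kind == "machine":
            mar.record_machine_auth(station, when, succeeded)
        elif kind == "user" and succeeded:
            # In this model MAR is checked only once the user's own credentials were accepted.
            decisions.append((principal, when.isoformat(), mar.evaluate_user_auth(station, when)))
    return decisions


def sample_events():
    """Constructed event stream: a laptop that completed machine auth and a kiosk that did not."""
    t0 = datetime(2012, 1, 10, 8, 0)
    laptop, kiosk = "00-11-22-33-44-55", "00-11-22-33-44-66"
    return [
        (t0, "machine", laptop, "host/laptop1.example.com", True),
        (t0 + timedelta(minutes=5), "user", laptop, "jdoe", True),            # within aging time
        (t0 + timedelta(hours=7), "user", laptop, "jdoe", True),              # 6 h aging time exceeded
        (t0 + timedelta(hours=7), "machine", kiosk, "host/kiosk1.example.com", False),
        (t0 + timedelta(hours=7, minutes=1), "user", kiosk, "asmith", True),  # host never passed
    ]


def run_demo(aging_hours=6):
    """Return the MAR decisions for the sample events under the given aging time."""
    return process_events(MachineAccessRestriction(aging_hours), sample_events())


if __name__ == "__main__":
    for principal, when, decision in run_demo():
        print(when, principal, decision)
```

With a 6-hour aging time the first jdoe logon is accepted, the second is rejected because the laptop's machine authentication is seven hours old, and asmith is rejected because the kiosk never authenticated; raising the aging time to 8 hours accepts the second jdoe logon, which is the trade-off to weigh when choosing the value.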

When you join ACS to the AD domain, the ACS and AD clocks must be synchronized. ACS sets its time from a Network Time Protocol (NTP) server, and both AD and ACS should be synchronized to the same NTP server.

If the clocks are not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Use the command line interface on the appliance to configure the NTP client to use the same NTP server that the AD domain is synchronized with.

Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli.html for more information.

The ACS appliance uses several levels of caching for AD groups to optimize performance. AD groups are identified by a unique identifier, the SID. ACS retrieves the SIDs of the groups that a user belongs to and uses a cached mapping from each SID to the full name and path of the group. The AD client component caches this mapping for 24 hours. The ACS run-time component queries the AD client and caches the results for as long as it is running.

To prevent ACS from using outdated mappings, create new AD groups instead of changing or moving existing ones. If you do change or move an existing group, you must wait 24 hours for the AD client cache to expire and then restart the ACS services to refresh all of the cached data.
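The following is an added example, not ACS code: a two-level time-to-live cache that models the SID-to-group resolution described in the two paragraphs above (a 24-hour cache in the AD client component in front of a run-time cache that lives until the service restarts). It shows why moving an existing group leaves ACS authorizing against a stale path until the AD client cache has expired and the run-time cache has been cleared by a restart, while a group created instead of moved resolves correctly on first use. The SIDs, group names, paths and timestamps are constructed.

```python
"""Added example, not ACS code: a model of the AD client (24 h TTL) and
run-time (until restart) caches for SID -> (group name, path) mappings.
SIDs, names and paths are constructed."""
from datetime import datetime, timedelta


class DirectoryStub:
    """Stand-in for the AD domain: SID -> (group name, container path)."""
    def __init__(self, groups):
        self.groups = dict(groups)

    def lookup(self, sid):
        return self.groups[sid]

    def move_group(self, sid, new_path):
        name, _ = self.groups[sid]
        self.groups[sid] = (name, new_path)

    def create_group(self, sid, name, path):
        self.groups[sid] = (name, path)


class AdClientCache:
    """Models the AD client component: each mapping is cached for a fixed TTL."""
    def __init__(self, directory, ttl=timedelta(hours=24)):
        self.directory = directory
        self.ttl = ttl
        self._entries = {}  # sid -> (mapping, expires_at)

    def resolve(self, sid, now):
        entry = self._entries.get(sid)
        if entry is None or now >= entry[1]:
            mapping = self.directory.lookup(sid)
            self._entries[sid] = (mapping, now + self.ttl)
            return mapping
        return entry[0]


class RuntimeCache:
    """Models the ACS run-time component: results are kept as long as it runs."""
    def __init__(self, ad_client):
        self.ad_client = ad_client
        self._entries = {}

    def resolve(self, sid, now):
        if sid not in self._entries:
            self._entries[sid] = self.ad_client.resolve(sid, now)
        return self._entries[sid]

    def restart(self):
        self._entries.clear()


VPN_SID = "S-1-5-21-1000-2000-3000-1105"     # constructed
REMOTE_SID = "S-1-5-21-1000-2000-3000-1106"  # constructed


def demonstrate_stale_mapping():
    """Return the path ACS would see for VPN_SID at each step after the group is moved."""
    t0 = datetime(2012, 1, 10, 8, 0)
    directory = DirectoryStub({VPN_SID: ("VPN-Users", "example.com/Network")})
    runtime = RuntimeCache(AdClientCache(directory))
    seen = [runtime.resolve(VPN_SID, t0)[1]]                               # initial, correct
    directory.move_group(VPN_SID, "example.com/Remote")
    seen.append(runtime.resolve(VPN_SID, t0 + timedelta(hours=1))[1])    # run-time cache: stale
    runtime.restart()
    seen.append(runtime.resolve(VPN_SID, t0 + timedelta(hours=1))[1])    # AD client cache (< 24 h): still stale
    seen.append(runtime.resolve(VPN_SID, t0 + timedelta(hours=25))[1])   # > 24 h but no restart: still stale
    runtime.restart()
    seen.append(runtime.resolve(VPN_SID, t0 + timedelta(hours=25))[1])   # > 24 h and restarted: fresh
    return seen


def demonstrate_new_group():
    """A group created instead of moved is resolved correctly the first time it is used."""
    t0 = datetime(2012, 1, 10, 8, 0)
    directory = DirectoryStub({VPN_SID: ("VPN-Users", "example.com/Network")})
    runtime = RuntimeCache(AdClientCache(directory))
    runtime.resolve(VPN_SID, t0)
    directory.create_group(REMOTE_SID, "VPN-Remote-Users", "example.com/Remote")
    return runtime.resolve(REMOTE_SID, t0 + timedelta(hours=1))


if __name__ == "__main__":
    print("moved group, per step:", demonstrate_stale_mapping())
    print("new group:", demonstrate_new_group())
```

Note that a restart alone (step three) does not help while the AD client entry is under 24 hours old, and waiting alone (step four) does not help while the run-time cache still holds the old result; only the combination the guide prescribes produces the fresh path, and any authorization rule that matched on the old group path would have kept matching until then.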

ACS 5.3 supports certificate authorization.

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01